agent-threat-rules 0.4.0 → 1.0.0

Files changed (291)
  1. package/README.md +161 -52
  2. package/package.json +3 -1
  3. package/rules/agent-manipulation/{ATR-2026-030-cross-agent-attack.yaml → ATR-2026-00030-cross-agent-attack.yaml} +3 -1
  4. package/rules/agent-manipulation/{ATR-2026-032-goal-hijacking.yaml → ATR-2026-00032-goal-hijacking.yaml} +3 -1
  5. package/rules/agent-manipulation/{ATR-2026-074-cross-agent-privilege-escalation.yaml → ATR-2026-00074-cross-agent-privilege-escalation.yaml} +3 -1
  6. package/rules/agent-manipulation/{ATR-2026-076-inter-agent-message-spoofing.yaml → ATR-2026-00076-inter-agent-message-spoofing.yaml} +3 -1
  7. package/rules/agent-manipulation/{ATR-2026-077-human-trust-exploitation.yaml → ATR-2026-00077-human-trust-exploitation.yaml} +3 -1
  8. package/rules/agent-manipulation/{ATR-2026-108-consensus-sybil-attack.yaml → ATR-2026-00108-consensus-sybil-attack.yaml} +3 -1
  9. package/rules/agent-manipulation/{ATR-2026-116-a2a-message-validation.yaml → ATR-2026-00116-a2a-message-validation.yaml} +4 -2
  10. package/rules/agent-manipulation/{ATR-2026-117-agent-identity-spoofing.yaml → ATR-2026-00117-agent-identity-spoofing.yaml} +4 -2
  11. package/rules/agent-manipulation/{ATR-2026-118-approval-fatigue.yaml → ATR-2026-00118-approval-fatigue.yaml} +3 -1
  12. package/rules/agent-manipulation/{ATR-2026-119-social-engineering-via-agent.yaml → ATR-2026-00119-social-engineering-via-agent.yaml} +3 -1
  13. package/rules/agent-manipulation/ATR-2026-00132-casual-authority-escalation.yaml +105 -0
  14. package/rules/agent-manipulation/ATR-2026-00139-casual-authority-redirect.yaml +53 -0
  15. package/rules/context-exfiltration/{ATR-2026-020-system-prompt-leak.yaml → ATR-2026-00020-system-prompt-leak.yaml} +3 -1
  16. package/rules/context-exfiltration/{ATR-2026-021-api-key-exposure.yaml → ATR-2026-00021-api-key-exposure.yaml} +3 -1
  17. package/rules/context-exfiltration/{ATR-2026-075-agent-memory-manipulation.yaml → ATR-2026-00075-agent-memory-manipulation.yaml} +3 -1
  18. package/rules/context-exfiltration/{ATR-2026-102-disguised-analytics-exfiltration.yaml → ATR-2026-00102-disguised-analytics-exfiltration.yaml} +3 -1
  19. package/rules/context-exfiltration/{ATR-2026-113-credential-theft.yaml → ATR-2026-00113-credential-theft.yaml} +3 -1
  20. package/rules/context-exfiltration/{ATR-2026-114-oauth-token-abuse.yaml → ATR-2026-00114-oauth-token-abuse.yaml} +3 -1
  21. package/rules/context-exfiltration/{ATR-2026-115-env-var-harvesting.yaml → ATR-2026-00115-env-var-harvesting.yaml} +3 -1
  22. package/rules/context-exfiltration/ATR-2026-00136-tool-response-data-piggyback.yaml +100 -0
  23. package/rules/context-exfiltration/ATR-2026-00141-example-format-key-leak.yaml +52 -0
  24. package/rules/context-exfiltration/ATR-2026-00142-piggyback-transition-words.yaml +55 -0
  25. package/rules/context-exfiltration/ATR-2026-00145-obfuscated-key-disclosure.yaml +49 -0
  26. package/rules/context-exfiltration/ATR-2026-00146-env-var-existence-probe.yaml +49 -0
  27. package/rules/data-poisoning/{ATR-2026-070-data-poisoning.yaml → ATR-2026-00070-data-poisoning.yaml} +3 -1
  28. package/rules/excessive-autonomy/{ATR-2026-050-runaway-agent-loop.yaml → ATR-2026-00050-runaway-agent-loop.yaml} +3 -1
  29. package/rules/excessive-autonomy/{ATR-2026-051-resource-exhaustion.yaml → ATR-2026-00051-resource-exhaustion.yaml} +3 -1
  30. package/rules/excessive-autonomy/{ATR-2026-052-cascading-failure.yaml → ATR-2026-00052-cascading-failure.yaml} +3 -1
  31. package/rules/excessive-autonomy/{ATR-2026-098-unauthorized-financial-action.yaml → ATR-2026-00098-unauthorized-financial-action.yaml} +3 -1
  32. package/rules/excessive-autonomy/{ATR-2026-099-high-risk-tool-gate.yaml → ATR-2026-00099-high-risk-tool-gate.yaml} +3 -1
  33. package/rules/model-security/{ATR-2026-072-model-behavior-extraction.yaml → ATR-2026-00072-model-behavior-extraction.yaml} +3 -1
  34. package/rules/model-security/{ATR-2026-073-malicious-finetuning-data.yaml → ATR-2026-00073-malicious-finetuning-data.yaml} +3 -1
  35. package/rules/privilege-escalation/{ATR-2026-040-privilege-escalation.yaml → ATR-2026-00040-privilege-escalation.yaml} +3 -1
  36. package/rules/privilege-escalation/{ATR-2026-041-scope-creep.yaml → ATR-2026-00041-scope-creep.yaml} +3 -1
  37. package/rules/privilege-escalation/{ATR-2026-107-delayed-execution-bypass.yaml → ATR-2026-00107-delayed-execution-bypass.yaml} +3 -1
  38. package/rules/privilege-escalation/{ATR-2026-110-eval-injection.yaml → ATR-2026-00110-eval-injection.yaml} +3 -1
  39. package/rules/privilege-escalation/{ATR-2026-111-shell-escape.yaml → ATR-2026-00111-shell-escape.yaml} +5 -3
  40. package/rules/privilege-escalation/{ATR-2026-112-dynamic-import-exploitation.yaml → ATR-2026-00112-dynamic-import-exploitation.yaml} +3 -1
  41. package/rules/privilege-escalation/ATR-2026-00143-casual-privilege-escalation.yaml +53 -0
  42. package/rules/privilege-escalation/ATR-2026-00144-rationalized-safety-bypass.yaml +49 -0
  43. package/rules/prompt-injection/{ATR-2026-001-direct-prompt-injection.yaml → ATR-2026-00001-direct-prompt-injection.yaml} +3 -1
  44. package/rules/prompt-injection/{ATR-2026-002-indirect-prompt-injection.yaml → ATR-2026-00002-indirect-prompt-injection.yaml} +3 -1
  45. package/rules/prompt-injection/{ATR-2026-003-jailbreak-attempt.yaml → ATR-2026-00003-jailbreak-attempt.yaml} +3 -1
  46. package/rules/prompt-injection/{ATR-2026-004-system-prompt-override.yaml → ATR-2026-00004-system-prompt-override.yaml} +3 -1
  47. package/rules/prompt-injection/{ATR-2026-005-multi-turn-injection.yaml → ATR-2026-00005-multi-turn-injection.yaml} +3 -1
  48. package/rules/prompt-injection/{ATR-2026-080-encoding-evasion.yaml → ATR-2026-00080-encoding-evasion.yaml} +3 -1
  49. package/rules/prompt-injection/{ATR-2026-081-semantic-multi-turn.yaml → ATR-2026-00081-semantic-multi-turn.yaml} +3 -1
  50. package/rules/prompt-injection/{ATR-2026-082-fingerprint-evasion.yaml → ATR-2026-00082-fingerprint-evasion.yaml} +3 -1
  51. package/rules/prompt-injection/{ATR-2026-083-indirect-tool-injection.yaml → ATR-2026-00083-indirect-tool-injection.yaml} +3 -1
  52. package/rules/prompt-injection/{ATR-2026-084-structured-data-injection.yaml → ATR-2026-00084-structured-data-injection.yaml} +3 -1
  53. package/rules/prompt-injection/{ATR-2026-085-audit-evasion.yaml → ATR-2026-00085-audit-evasion.yaml} +3 -1
  54. package/rules/prompt-injection/{ATR-2026-086-visual-spoofing.yaml → ATR-2026-00086-visual-spoofing.yaml} +3 -1
  55. package/rules/prompt-injection/{ATR-2026-087-rule-probing.yaml → ATR-2026-00087-rule-probing.yaml} +3 -1
  56. package/rules/prompt-injection/{ATR-2026-088-adaptive-countermeasure.yaml → ATR-2026-00088-adaptive-countermeasure.yaml} +3 -1
  57. package/rules/prompt-injection/{ATR-2026-089-polymorphic-skill.yaml → ATR-2026-00089-polymorphic-skill.yaml} +3 -1
  58. package/rules/prompt-injection/{ATR-2026-090-threat-intel-exfil.yaml → ATR-2026-00090-threat-intel-exfil.yaml} +3 -1
  59. package/rules/prompt-injection/{ATR-2026-091-nested-payload.yaml → ATR-2026-00091-nested-payload.yaml} +3 -1
  60. package/rules/prompt-injection/{ATR-2026-092-consensus-poisoning.yaml → ATR-2026-00092-consensus-poisoning.yaml} +3 -1
  61. package/rules/prompt-injection/{ATR-2026-093-gradual-escalation.yaml → ATR-2026-00093-gradual-escalation.yaml} +3 -1
  62. package/rules/prompt-injection/{ATR-2026-094-audit-bypass.yaml → ATR-2026-00094-audit-bypass.yaml} +3 -1
  63. package/rules/prompt-injection/{ATR-2026-097-cjk-injection-patterns.yaml → ATR-2026-00097-cjk-injection-patterns.yaml} +3 -1
  64. package/rules/prompt-injection/{ATR-2026-104-persona-hijacking.yaml → ATR-2026-00104-persona-hijacking.yaml} +3 -1
  65. package/rules/prompt-injection/ATR-2026-00130-indirect-authority-claim.yaml +103 -0
  66. package/rules/prompt-injection/ATR-2026-00131-fictional-academic-framing.yaml +99 -0
  67. package/rules/prompt-injection/ATR-2026-00133-paraphrase-injection.yaml +117 -0
  68. package/rules/prompt-injection/ATR-2026-00137-authority-claim-injection.yaml +52 -0
  69. package/rules/prompt-injection/ATR-2026-00138-fictional-framing-bypass.yaml +51 -0
  70. package/rules/prompt-injection/ATR-2026-00140-indirect-reference-reversal.yaml +52 -0
  71. package/rules/prompt-injection/ATR-2026-00148-language-switch-injection.yaml +71 -0
  72. package/rules/skill-compromise/{ATR-2026-060-skill-impersonation.yaml → ATR-2026-00060-skill-impersonation.yaml} +3 -1
  73. package/rules/skill-compromise/{ATR-2026-061-description-behavior-mismatch.yaml → ATR-2026-00061-description-behavior-mismatch.yaml} +3 -1
  74. package/rules/skill-compromise/{ATR-2026-062-hidden-capability.yaml → ATR-2026-00062-hidden-capability.yaml} +3 -1
  75. package/rules/skill-compromise/{ATR-2026-063-skill-chain-attack.yaml → ATR-2026-00063-skill-chain-attack.yaml} +3 -1
  76. package/rules/skill-compromise/{ATR-2026-064-over-permissioned-skill.yaml → ATR-2026-00064-over-permissioned-skill.yaml} +3 -1
  77. package/rules/skill-compromise/{ATR-2026-065-skill-update-attack.yaml → ATR-2026-00065-skill-update-attack.yaml} +3 -1
  78. package/rules/skill-compromise/{ATR-2026-066-parameter-injection.yaml → ATR-2026-00066-parameter-injection.yaml} +3 -1
  79. package/rules/skill-compromise/ATR-2026-00120-skill-instruction-injection.yaml +121 -0
  80. package/rules/skill-compromise/ATR-2026-00121-skill-dangerous-script.yaml +165 -0
  81. package/rules/skill-compromise/ATR-2026-00122-skill-weaponized-instruction.yaml +114 -0
  82. package/rules/skill-compromise/ATR-2026-00123-skill-overreach-permissions.yaml +118 -0
  83. package/rules/skill-compromise/ATR-2026-00124-skill-name-squatting.yaml +98 -0
  84. package/rules/skill-compromise/ATR-2026-00125-context-poisoning-compaction.yaml +93 -0
  85. package/rules/skill-compromise/ATR-2026-00126-skill-rug-pull-setup.yaml +99 -0
  86. package/rules/skill-compromise/ATR-2026-00127-subcommand-overflow.yaml +74 -0
  87. package/rules/skill-compromise/ATR-2026-00128-html-comment-hidden-payload.yaml +79 -0
  88. package/rules/skill-compromise/ATR-2026-00129-unicode-smuggling.yaml +73 -0
  89. package/rules/skill-compromise/ATR-2026-00134-fork-claim-impersonation.yaml +93 -0
  90. package/rules/skill-compromise/ATR-2026-00135-exfil-url-in-instructions.yaml +82 -0
  91. package/rules/skill-compromise/ATR-2026-00147-fork-impersonation.yaml +48 -0
  92. package/rules/tool-poisoning/{ATR-2026-010-mcp-malicious-response.yaml → ATR-2026-00010-mcp-malicious-response.yaml} +3 -1
  93. package/rules/tool-poisoning/{ATR-2026-011-tool-output-injection.yaml → ATR-2026-00011-tool-output-injection.yaml} +3 -1
  94. package/rules/tool-poisoning/{ATR-2026-012-unauthorized-tool-call.yaml → ATR-2026-00012-unauthorized-tool-call.yaml} +3 -1
  95. package/rules/tool-poisoning/{ATR-2026-013-tool-ssrf.yaml → ATR-2026-00013-tool-ssrf.yaml} +3 -1
  96. package/rules/tool-poisoning/{ATR-2026-095-supply-chain-poisoning.yaml → ATR-2026-00095-supply-chain-poisoning.yaml} +3 -1
  97. package/rules/tool-poisoning/{ATR-2026-096-registry-poisoning.yaml → ATR-2026-00096-registry-poisoning.yaml} +3 -1
  98. package/rules/tool-poisoning/{ATR-2026-100-consent-bypass-instruction.yaml → ATR-2026-00100-consent-bypass-instruction.yaml} +3 -1
  99. package/rules/tool-poisoning/{ATR-2026-101-trust-escalation-override.yaml → ATR-2026-00101-trust-escalation-override.yaml} +3 -1
  100. package/rules/tool-poisoning/{ATR-2026-103-hidden-safety-bypass-instruction.yaml → ATR-2026-00103-hidden-safety-bypass-instruction.yaml} +3 -1
  101. package/rules/tool-poisoning/{ATR-2026-105-silent-action-concealment.yaml → ATR-2026-00105-silent-action-concealment.yaml} +3 -1
  102. package/rules/tool-poisoning/{ATR-2026-106-schema-description-contradiction.yaml → ATR-2026-00106-schema-description-contradiction.yaml} +3 -1
  103. package/spec/atr-schema.yaml +32 -3
  104. package/dist/action-executor.d.ts +0 -44
  105. package/dist/action-executor.d.ts.map +0 -1
  106. package/dist/action-executor.js +0 -130
  107. package/dist/action-executor.js.map +0 -1
  108. package/dist/adapters/default-adapter.d.ts +0 -24
  109. package/dist/adapters/default-adapter.d.ts.map +0 -1
  110. package/dist/adapters/default-adapter.js +0 -51
  111. package/dist/adapters/default-adapter.js.map +0 -1
  112. package/dist/adapters/stdio-adapter.d.ts +0 -30
  113. package/dist/adapters/stdio-adapter.d.ts.map +0 -1
  114. package/dist/adapters/stdio-adapter.js +0 -128
  115. package/dist/adapters/stdio-adapter.js.map +0 -1
  116. package/dist/badge.d.ts +0 -42
  117. package/dist/badge.d.ts.map +0 -1
  118. package/dist/badge.js +0 -158
  119. package/dist/badge.js.map +0 -1
  120. package/dist/capability-extractor.d.ts +0 -35
  121. package/dist/capability-extractor.d.ts.map +0 -1
  122. package/dist/capability-extractor.js +0 -91
  123. package/dist/capability-extractor.js.map +0 -1
  124. package/dist/cli.d.ts +0 -12
  125. package/dist/cli.d.ts.map +0 -1
  126. package/dist/cli.js +0 -892
  127. package/dist/cli.js.map +0 -1
  128. package/dist/converters/elastic.d.ts +0 -36
  129. package/dist/converters/elastic.d.ts.map +0 -1
  130. package/dist/converters/elastic.js +0 -125
  131. package/dist/converters/elastic.js.map +0 -1
  132. package/dist/converters/index.d.ts +0 -28
  133. package/dist/converters/index.d.ts.map +0 -1
  134. package/dist/converters/index.js +0 -36
  135. package/dist/converters/index.js.map +0 -1
  136. package/dist/converters/splunk.d.ts +0 -19
  137. package/dist/converters/splunk.d.ts.map +0 -1
  138. package/dist/converters/splunk.js +0 -148
  139. package/dist/converters/splunk.js.map +0 -1
  140. package/dist/coverage-analyzer.d.ts +0 -43
  141. package/dist/coverage-analyzer.d.ts.map +0 -1
  142. package/dist/coverage-analyzer.js +0 -329
  143. package/dist/coverage-analyzer.js.map +0 -1
  144. package/dist/embedding/build-corpus.d.ts +0 -15
  145. package/dist/embedding/build-corpus.d.ts.map +0 -1
  146. package/dist/embedding/build-corpus.js +0 -105
  147. package/dist/embedding/build-corpus.js.map +0 -1
  148. package/dist/embedding/model-loader.d.ts +0 -41
  149. package/dist/embedding/model-loader.d.ts.map +0 -1
  150. package/dist/embedding/model-loader.js +0 -90
  151. package/dist/embedding/model-loader.js.map +0 -1
  152. package/dist/embedding/vector-store.d.ts +0 -41
  153. package/dist/embedding/vector-store.d.ts.map +0 -1
  154. package/dist/embedding/vector-store.js +0 -70
  155. package/dist/embedding/vector-store.js.map +0 -1
  156. package/dist/engine.d.ts +0 -163
  157. package/dist/engine.d.ts.map +0 -1
  158. package/dist/engine.js +0 -869
  159. package/dist/engine.js.map +0 -1
  160. package/dist/eval/corpus.d.ts +0 -42
  161. package/dist/eval/corpus.d.ts.map +0 -1
  162. package/dist/eval/corpus.js +0 -427
  163. package/dist/eval/corpus.js.map +0 -1
  164. package/dist/eval/eval-harness.d.ts +0 -44
  165. package/dist/eval/eval-harness.d.ts.map +0 -1
  166. package/dist/eval/eval-harness.js +0 -296
  167. package/dist/eval/eval-harness.js.map +0 -1
  168. package/dist/eval/index.d.ts +0 -13
  169. package/dist/eval/index.d.ts.map +0 -1
  170. package/dist/eval/index.js +0 -9
  171. package/dist/eval/index.js.map +0 -1
  172. package/dist/eval/metrics.d.ts +0 -74
  173. package/dist/eval/metrics.d.ts.map +0 -1
  174. package/dist/eval/metrics.js +0 -108
  175. package/dist/eval/metrics.js.map +0 -1
  176. package/dist/eval/pint-corpus.d.ts +0 -34
  177. package/dist/eval/pint-corpus.d.ts.map +0 -1
  178. package/dist/eval/pint-corpus.js +0 -109
  179. package/dist/eval/pint-corpus.js.map +0 -1
  180. package/dist/eval/rule-corpus.d.ts +0 -9
  181. package/dist/eval/rule-corpus.d.ts.map +0 -1
  182. package/dist/eval/rule-corpus.js +0 -4780
  183. package/dist/eval/rule-corpus.js.map +0 -1
  184. package/dist/eval/rule-metrics.d.ts +0 -34
  185. package/dist/eval/rule-metrics.d.ts.map +0 -1
  186. package/dist/eval/rule-metrics.js +0 -92
  187. package/dist/eval/rule-metrics.js.map +0 -1
  188. package/dist/eval/run-eval.d.ts +0 -7
  189. package/dist/eval/run-eval.d.ts.map +0 -1
  190. package/dist/eval/run-eval.js +0 -11
  191. package/dist/eval/run-eval.js.map +0 -1
  192. package/dist/eval/run-pint-benchmark.d.ts +0 -18
  193. package/dist/eval/run-pint-benchmark.d.ts.map +0 -1
  194. package/dist/eval/run-pint-benchmark.js +0 -159
  195. package/dist/eval/run-pint-benchmark.js.map +0 -1
  196. package/dist/flywheel.d.ts +0 -54
  197. package/dist/flywheel.d.ts.map +0 -1
  198. package/dist/flywheel.js +0 -121
  199. package/dist/flywheel.js.map +0 -1
  200. package/dist/hook-handler.d.ts +0 -61
  201. package/dist/hook-handler.d.ts.map +0 -1
  202. package/dist/hook-handler.js +0 -178
  203. package/dist/hook-handler.js.map +0 -1
  204. package/dist/index.d.ts +0 -62
  205. package/dist/index.d.ts.map +0 -1
  206. package/dist/index.js +0 -54
  207. package/dist/index.js.map +0 -1
  208. package/dist/layer-integration.d.ts +0 -55
  209. package/dist/layer-integration.d.ts.map +0 -1
  210. package/dist/layer-integration.js +0 -185
  211. package/dist/layer-integration.js.map +0 -1
  212. package/dist/loader.d.ts +0 -21
  213. package/dist/loader.d.ts.map +0 -1
  214. package/dist/loader.js +0 -124
  215. package/dist/loader.js.map +0 -1
  216. package/dist/mcp-server.d.ts +0 -13
  217. package/dist/mcp-server.d.ts.map +0 -1
  218. package/dist/mcp-server.js +0 -220
  219. package/dist/mcp-server.js.map +0 -1
  220. package/dist/mcp-tools/coverage-gaps.d.ts +0 -13
  221. package/dist/mcp-tools/coverage-gaps.d.ts.map +0 -1
  222. package/dist/mcp-tools/coverage-gaps.js +0 -55
  223. package/dist/mcp-tools/coverage-gaps.js.map +0 -1
  224. package/dist/mcp-tools/list-rules.d.ts +0 -17
  225. package/dist/mcp-tools/list-rules.d.ts.map +0 -1
  226. package/dist/mcp-tools/list-rules.js +0 -45
  227. package/dist/mcp-tools/list-rules.js.map +0 -1
  228. package/dist/mcp-tools/scan.d.ts +0 -24
  229. package/dist/mcp-tools/scan.d.ts.map +0 -1
  230. package/dist/mcp-tools/scan.js +0 -94
  231. package/dist/mcp-tools/scan.js.map +0 -1
  232. package/dist/mcp-tools/submit-proposal.d.ts +0 -12
  233. package/dist/mcp-tools/submit-proposal.d.ts.map +0 -1
  234. package/dist/mcp-tools/submit-proposal.js +0 -103
  235. package/dist/mcp-tools/submit-proposal.js.map +0 -1
  236. package/dist/mcp-tools/threat-summary.d.ts +0 -12
  237. package/dist/mcp-tools/threat-summary.d.ts.map +0 -1
  238. package/dist/mcp-tools/threat-summary.js +0 -74
  239. package/dist/mcp-tools/threat-summary.js.map +0 -1
  240. package/dist/mcp-tools/validate.d.ts +0 -15
  241. package/dist/mcp-tools/validate.d.ts.map +0 -1
  242. package/dist/mcp-tools/validate.js +0 -45
  243. package/dist/mcp-tools/validate.js.map +0 -1
  244. package/dist/modules/embedding.d.ts +0 -71
  245. package/dist/modules/embedding.d.ts.map +0 -1
  246. package/dist/modules/embedding.js +0 -141
  247. package/dist/modules/embedding.js.map +0 -1
  248. package/dist/modules/index.d.ts +0 -144
  249. package/dist/modules/index.d.ts.map +0 -1
  250. package/dist/modules/index.js +0 -82
  251. package/dist/modules/index.js.map +0 -1
  252. package/dist/modules/semantic.d.ts +0 -106
  253. package/dist/modules/semantic.d.ts.map +0 -1
  254. package/dist/modules/semantic.js +0 -359
  255. package/dist/modules/semantic.js.map +0 -1
  256. package/dist/modules/session.d.ts +0 -70
  257. package/dist/modules/session.d.ts.map +0 -1
  258. package/dist/modules/session.js +0 -128
  259. package/dist/modules/session.js.map +0 -1
  260. package/dist/rule-scaffolder.d.ts +0 -53
  261. package/dist/rule-scaffolder.d.ts.map +0 -1
  262. package/dist/rule-scaffolder.js +0 -301
  263. package/dist/rule-scaffolder.js.map +0 -1
  264. package/dist/session-tracker.d.ts +0 -58
  265. package/dist/session-tracker.d.ts.map +0 -1
  266. package/dist/session-tracker.js +0 -176
  267. package/dist/session-tracker.js.map +0 -1
  268. package/dist/shadow-evaluator.d.ts +0 -48
  269. package/dist/shadow-evaluator.d.ts.map +0 -1
  270. package/dist/shadow-evaluator.js +0 -128
  271. package/dist/shadow-evaluator.js.map +0 -1
  272. package/dist/skill-fingerprint.d.ts +0 -85
  273. package/dist/skill-fingerprint.d.ts.map +0 -1
  274. package/dist/skill-fingerprint.js +0 -284
  275. package/dist/skill-fingerprint.js.map +0 -1
  276. package/dist/tier0-invariant.d.ts +0 -49
  277. package/dist/tier0-invariant.d.ts.map +0 -1
  278. package/dist/tier0-invariant.js +0 -184
  279. package/dist/tier0-invariant.js.map +0 -1
  280. package/dist/tier1-blacklist.d.ts +0 -48
  281. package/dist/tier1-blacklist.d.ts.map +0 -1
  282. package/dist/tier1-blacklist.js +0 -91
  283. package/dist/tier1-blacklist.js.map +0 -1
  284. package/dist/types.d.ts +0 -190
  285. package/dist/types.d.ts.map +0 -1
  286. package/dist/types.js +0 -6
  287. package/dist/types.js.map +0 -1
  288. package/dist/verdict.d.ts +0 -26
  289. package/dist/verdict.d.ts.map +0 -1
  290. package/dist/verdict.js +0 -127
  291. package/dist/verdict.js.map +0 -1
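--- a/package/dist/modules/embedding.js
+++ /dev/null
@@ -1,141 +0,0 @@
-/**
- * Embedding Module -- Tier 2.5 semantic similarity detection.
- *
- * Compares incoming text against pre-computed attack embeddings using
- * cosine similarity. Catches paraphrases, multilingual attacks, and
- * semantic variants that regex cannot detect.
- *
- * Uses all-MiniLM-L6-v2 (384 dimensions, ~22MB, runs locally in JS/WASM).
- * No API calls. Optional dependency: @xenova/transformers.
- *
- * @module agent-threat-rules/modules/embedding
- */
-import { VectorStore, loadVectorEntries, } from '../embedding/vector-store.js';
-// ---------------------------------------------------------------------------
-// Module
-// ---------------------------------------------------------------------------
-export class EmbeddingModule {
-    config;
-    name = 'embedding';
-    description = 'Vector similarity detection against known attack embeddings';
-    version = '0.1.0';
-    functions = [
-        {
-            name: 'similarity_search',
-            description: 'Find nearest known attacks by embedding similarity',
-            args: [
-                {
-                    name: 'field',
-                    type: 'string',
-                    required: false,
-                    description: 'Event field to embed (default: content)',
-                },
-                {
-                    name: 'threshold',
-                    type: 'number',
-                    required: false,
-                    description: 'Similarity threshold override',
-                },
-            ],
-        },
-    ];
-    store;
-    model;
-    threshold;
-    topK;
-    initialized = false;
-    constructor(config = {}) {
-        this.config = config;
-        this.threshold = config.similarityThreshold ?? 0.65;
-        this.topK = config.topK ?? 3;
-        this.model = config.model ?? null;
-        this.store = new VectorStore(config.attackVectors);
-    }
-    async initialize() {
-        if (this.initialized)
-            return;
-        // Load attack vectors from data
-        if (this.config.attackVectorsData) {
-            const entries = loadVectorEntries(this.config.attackVectorsData);
-            this.store = this.store.withEntries(entries);
-        }
-        // Load attack vectors from file
-        if (this.config.attackVectorsPath) {
-            try {
-                const { readFileSync } = await import('node:fs');
-                const data = JSON.parse(readFileSync(this.config.attackVectorsPath, 'utf-8'));
-                const entries = loadVectorEntries(data);
-                this.store = this.store.withEntries(entries);
-            }
-            catch {
-                // File not found = no pre-computed vectors, continue without them
-            }
-        }
-        // Load model if not provided
-        if (!this.model) {
-            try {
-                const { TransformersJSModel } = await import('../embedding/model-loader.js');
-                this.model = new TransformersJSModel();
-                await this.model.initialize();
-            }
-            catch (err) {
-                // Model not available = module degrades gracefully
-                const msg = err instanceof Error ? err.message : String(err);
-                console.warn(`[embedding] Model not available: ${msg}. Module disabled.`);
-                this.model = null;
-            }
-        }
-        this.initialized = true;
-    }
-    async evaluate(event, condition) {
-        if (!this.model || this.store.size() === 0) {
-            return { matched: false, value: 0, description: 'Embedding module not initialized' };
-        }
-        // Extract text to embed
-        const field = condition.args?.field ?? 'content';
-        const text = field === 'content'
-            ? event.content
-            : event.fields?.[field] ?? event.content;
-        if (!text || text.length < 5) {
-            return { matched: false, value: 0, description: 'Input too short for embedding' };
-        }
-        // Truncate to avoid excessive token usage
-        const truncated = text.slice(0, 512);
-        try {
-            // Encode input
-            const queryVec = await this.model.encode(truncated);
-            // Search for similar attacks
-            const threshold = condition.args?.threshold ?? this.threshold;
-            const results = this.store.search(queryVec, this.topK, threshold);
-            if (results.length === 0) {
-                return { matched: false, value: 0, description: 'No similar attacks found' };
-            }
-            const top = results[0];
-            return {
-                matched: true,
-                value: top.similarity,
-                description: `Similar to known attack: "${top.entry.label}" (${top.entry.category}, similarity: ${top.similarity.toFixed(3)})`,
-            };
-        }
-        catch (err) {
-            const msg = err instanceof Error ? err.message : String(err);
-            return { matched: false, value: 0, description: `Embedding error: ${msg}` };
-        }
-    }
-    /** Get search results with full details (for debugging/testing) */
-    async searchDetailed(text, threshold) {
-        if (!this.model || this.store.size() === 0)
-            return [];
-        const queryVec = await this.model.encode(text.slice(0, 512));
-        return this.store.search(queryVec, this.topK, threshold ?? this.threshold);
-    }
-    async destroy() {
-        this.model = null;
-        this.initialized = false;
-    }
-    /** Check if module is operational */
-    isAvailable() {
-        return this.initialized && this.model !== null && this.store.size() > 0;
-    }
-}
-//# sourceMappingURL=embedding.js.map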
@@ -1 +0,0 @@
1
- {"version":3,"file":"embedding.js","sourceRoot":"","sources":["../../src/modules/embedding.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,OAAO,EACL,WAAW,EACX,iBAAiB,GAGlB,MAAM,8BAA8B,CAAC;AA4BtC,8EAA8E;AAC9E,SAAS;AACT,8EAA8E;AAE9E,MAAM,OAAO,eAAe;IAgCG;IA/BpB,IAAI,GAAG,WAAW,CAAC;IACnB,WAAW,GAAG,6DAA6D,CAAC;IAC5E,OAAO,GAAG,OAAO,CAAC;IAElB,SAAS,GAAG;QACnB;YACE,IAAI,EAAE,mBAAmB;YACzB,WAAW,EAAE,oDAAoD;YACjE,IAAI,EAAE;gBACJ;oBACE,IAAI,EAAE,OAAO;oBACb,IAAI,EAAE,QAAiB;oBACvB,QAAQ,EAAE,KAAK;oBACf,WAAW,EAAE,yCAAyC;iBACvD;gBACD;oBACE,IAAI,EAAE,WAAW;oBACjB,IAAI,EAAE,QAAiB;oBACvB,QAAQ,EAAE,KAAK;oBACf,WAAW,EAAE,+BAA+B;iBAC7C;aACF;SACF;KACF,CAAC;IAEM,KAAK,CAAc;IACnB,KAAK,CAAwB;IACpB,SAAS,CAAS;IAClB,IAAI,CAAS;IACtB,WAAW,GAAG,KAAK,CAAC;IAE5B,YAA6B,SAAgC,EAAE;QAAlC,WAAM,GAAN,MAAM,CAA4B;QAC7D,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC,mBAAmB,IAAI,IAAI,CAAC;QACpD,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,IAAI,CAAC,CAAC;QAC7B,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC,KAAK,IAAI,IAAI,CAAC;QAClC,IAAI,CAAC,KAAK,GAAG,IAAI,WAAW,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;IACrD,CAAC;IAED,KAAK,CAAC,UAAU;QACd,IAAI,IAAI,CAAC,WAAW;YAAE,OAAO;QAE7B,gCAAgC;QAChC,IAAI,IAAI,CAAC,MAAM,CAAC,iBAAiB,EAAE,CAAC;YAClC,MAAM,OAAO,GAAG,iBAAiB,CAAC,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;YACjE,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;QAC/C,CAAC;QAED,gCAAgC;QAChC,IAAI,IAAI,CAAC,MAAM,CAAC,iBAAiB,EAAE,CAAC;YAClC,IAAI,CAAC;gBACH,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;gBACjD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC,CAAC;gBAC9E,MAAM,OAAO,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;gBACxC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;YAC/C,CAAC;YAAC,MAAM,CAAC;gBACP,kEAAkE;YACpE,CAAC;QACH,CAAC;QAED,6BAA6B;QAC7B,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC;gBACH,MAAM,EAAE,mBAAmB,EAAE,GAAG,MAAM,MAAM,CAAC,8BAA8B,CAAC,CAAC;gBAC7E,IAAI,CAAC,KAAK,GAAG,IAAI,mBAAmB,EAAE,CAAC;gBACvC,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;YAChC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,mDAA
mD;gBACnD,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBAC7D,OAAO,CAAC,IAAI,CAAC,oCAAoC,GAAG,oBAAoB,CAAC,CAAC;gBAC1E,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;YACpB,CAAC;QACH,CAAC;QAED,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;IAC1B,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,KAAiB,EAAE,SAA0B;QAC1D,IAAI,CAAC,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,CAAC;YAC3C,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,EAAE,WAAW,EAAE,kCAAkC,EAAE,CAAC;QACvF,CAAC;QAED,wBAAwB;QACxB,MAAM,KAAK,GAAI,SAAS,CAAC,IAAI,EAAE,KAAgB,IAAI,SAAS,CAAC;QAC7D,MAAM,IAAI,GACR,KAAK,KAAK,SAAS;YACjB,CAAC,CAAC,KAAK,CAAC,OAAO;YACf,CAAC,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,OAAO,CAAC;QAE7C,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC7B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,EAAE,WAAW,EAAE,+BAA+B,EAAE,CAAC;QACpF,CAAC;QAED,0CAA0C;QAC1C,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QAErC,IAAI,CAAC;YACH,eAAe;YACf,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAEpD,6BAA6B;YAC7B,MAAM,SAAS,GAAI,SAAS,CAAC,IAAI,EAAE,SAAoB,IAAI,IAAI,CAAC,SAAS,CAAC;YAC1E,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;YAElE,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACzB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,EAAE,WAAW,EAAE,0BAA0B,EAAE,CAAC;YAC/E,CAAC;YAED,MAAM,GAAG,GAAG,OAAO,CAAC,CAAC,CAAE,CAAC;YACxB,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,KAAK,EAAE,GAAG,CAAC,UAAU;gBACrB,WAAW,EAAE,6BAA6B,GAAG,CAAC,KAAK,CAAC,KAAK,MAAM,GAAG,CAAC,KAAK,CAAC,QAAQ,iBAAiB,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG;aAC/H,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC7D,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,EAAE,WAAW,EAAE,oBAAoB,GAAG,EAAE,EAAE,CAAC;QAC9E,CAAC;IACH,CAAC;IAED,mEAAmE;IACnE,KAAK,CAAC,cAAc,CAAC,IAAY,EAAE,SAAkB;QACnD,IAAI,CAAC,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC;YAAE,OA
AO,EAAE,CAAC;QACtD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;QAC7D,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,SAAS,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC;IAC7E,CAAC;IAED,KAAK,CAAC,OAAO;QACX,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QAClB,IAAI,CAAC,WAAW,GAAG,KAAK,CAAC;IAC3B,CAAC;IAED,qCAAqC;IACrC,WAAW;QACT,OAAO,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,KAAK,KAAK,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC1E,CAAC;CACF"}
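--- a/[dir-not-shown]/index.d.ts
+++ /dev/null
@@ -1,144 +0,0 @@
- /**
- * ATR Module System
- *
- * Extensible detection modules beyond regex pattern matching.
- * Inspired by YARA modules, adapted for AI agent threat detection.
- *
- * Built-in modules:
- * - session: Cross-event behavioral analysis using SessionTracker
- * - semantic: AI-driven semantic threat analysis using LLM-as-judge (v0.2)
- *
- * Reserved namespaces (planned):
- * - embedding: Vector similarity detection (v0.3)
- * - protocol: MCP/transport-level inspection (v0.3)
- * - entropy: Information-theoretic anomaly detection (v0.4)
- * - tokenizer: Token-level analysis for smuggling detection (v0.4)
- *
- * @module agent-threat-rules/modules
- */
- import type { AgentEvent } from '../types.js';
- /**
- * Condition defined by a module (used in rule YAML).
- *
- * Example in YAML:
- * ```yaml
- * detection:
- * conditions:
- * high_frequency:
- * module: session
- * function: call_frequency
- * args:
- * tool_name: "execute_code"
- * window: "5m"
- * operator: gt
- * threshold: 10
- * condition: "high_frequency"
- * ```
- */
- export interface ModuleCondition {
- /** Module name (e.g., "session", "embedding") */
- module: string;
- /** Function within the module to call */
- function: string;
- /** Arguments passed to the module function */
- args: Record<string, unknown>;
- /** Comparison operator for the result */
- operator: 'gt' | 'lt' | 'eq' | 'gte' | 'lte';
- /** Threshold value to compare against */
- threshold: number;
- }
- /**
- * Result returned by a module evaluation.
- */
- export interface ModuleResult {
- /** Whether the condition was met */
- matched: boolean;
- /** Numeric value produced by the module (for threshold comparison) */
- value: number;
- /** Human-readable description of the result */
- description: string;
- }
- /**
- * Interface that all ATR detection modules must implement.
- *
- * Modules extend ATR's detection beyond regex by providing
- * custom evaluation logic (behavioral analysis, embedding
- * similarity, protocol inspection, etc.).
- */
- export interface ATRModule {
- /** Unique module name (used in rule YAML) */
- readonly name: string;
- /** Human-readable description */
- readonly description: string;
- /** Module version */
- readonly version: string;
- /**
- * List of functions this module provides.
- * Each function can be referenced in rule conditions.
- */
- readonly functions: ReadonlyArray<{
- name: string;
- description: string;
- args: ReadonlyArray<{
- name: string;
- type: 'string' | 'number' | 'boolean';
- required: boolean;
- description: string;
- }>;
- }>;
- /**
- * Initialize the module. Called once when the engine starts.
- * Use for setup, connection pooling, model loading, etc.
- */
- initialize(): Promise<void>;
- /**
- * Evaluate a module condition against an agent event.
- *
- * @param event - The agent event being evaluated
- * @param condition - The module condition from the rule
- * @returns Module evaluation result
- */
- evaluate(event: AgentEvent, condition: ModuleCondition): Promise<ModuleResult>;
- /**
- * Clean up module resources. Called when the engine shuts down.
- */
- destroy(): Promise<void>;
- }
- /**
- * Registry for ATR detection modules.
- */
- export declare class ModuleRegistry {
- private readonly modules;
- /** Reserved module namespaces (cannot be registered by third parties) */
- private static readonly RESERVED;
- /**
- * Register a detection module.
- * @throws if module name is already registered or reserved
- */
- register(module: ATRModule): void;
- /**
- * Check if a module name is reserved by the ATR core team.
- */
- isReserved(name: string): boolean;
- /**
- * Get a registered module by name.
- */
- get(name: string): ATRModule | undefined;
- /**
- * List all registered modules.
- */
- list(): ReadonlyArray<{
- name: string;
- version: string;
- description: string;
- }>;
- /**
- * Initialize all registered modules.
- */
- initializeAll(): Promise<void>;
- /**
- * Destroy all registered modules.
- */
- destroyAll(): Promise<void>;
- }
- //# sourceMappingURL=index.d.ts.map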
@@ -1 +0,0 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/modules/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAE9C;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,WAAW,eAAe;IAC9B,iDAAiD;IACjD,MAAM,EAAE,MAAM,CAAC;IACf,yCAAyC;IACzC,QAAQ,EAAE,MAAM,CAAC;IACjB,8CAA8C;IAC9C,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9B,yCAAyC;IACzC,QAAQ,EAAE,IAAI,GAAG,IAAI,GAAG,IAAI,GAAG,KAAK,GAAG,KAAK,CAAC;IAC7C,yCAAyC;IACzC,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,oCAAoC;IACpC,OAAO,EAAE,OAAO,CAAC;IACjB,sEAAsE;IACtE,KAAK,EAAE,MAAM,CAAC;IACd,+CAA+C;IAC/C,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;GAMG;AACH,MAAM,WAAW,SAAS;IACxB,6CAA6C;IAC7C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAEtB,iCAAiC;IACjC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAE7B,qBAAqB;IACrB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IAEzB;;;OAGG;IACH,QAAQ,CAAC,SAAS,EAAE,aAAa,CAAC;QAChC,IAAI,EAAE,MAAM,CAAC;QACb,WAAW,EAAE,MAAM,CAAC;QACpB,IAAI,EAAE,aAAa,CAAC;YAClB,IAAI,EAAE,MAAM,CAAC;YACb,IAAI,EAAE,QAAQ,GAAG,QAAQ,GAAG,SAAS,CAAC;YACtC,QAAQ,EAAE,OAAO,CAAC;YAClB,WAAW,EAAE,MAAM,CAAC;SACrB,CAAC,CAAC;KACJ,CAAC,CAAC;IAEH;;;OAGG;IACH,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAE5B;;;;;;OAMG;IACH,QAAQ,CAAC,KAAK,EAAE,UAAU,EAAE,SAAS,EAAE,eAAe,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IAE/E;;OAEG;IACH,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CAC1B;AAED;;GAEG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAgC;IAExD,yEAAyE;IACzE,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAO7B;IAEH;;;OAGG;IACH,QAAQ,CAAC,MAAM,EAAE,SAAS,GAAG,IAAI;IAOjC;;OAEG;IACH,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAIjC;;OAEG;IACH,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,SAAS;IAIxC;;OAEG;IACH,IAAI,IAAI,aAAa,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE,CAAC;IAQ7E;;OAEG;IACG,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC;IAMpC;;OAEG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;CAKlC"}
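--- a/[dir-not-shown]/index.js
+++ /dev/null
@@ -1,82 +0,0 @@
- /**
- * ATR Module System
- *
- * Extensible detection modules beyond regex pattern matching.
- * Inspired by YARA modules, adapted for AI agent threat detection.
- *
- * Built-in modules:
- * - session: Cross-event behavioral analysis using SessionTracker
- * - semantic: AI-driven semantic threat analysis using LLM-as-judge (v0.2)
- *
- * Reserved namespaces (planned):
- * - embedding: Vector similarity detection (v0.3)
- * - protocol: MCP/transport-level inspection (v0.3)
- * - entropy: Information-theoretic anomaly detection (v0.4)
- * - tokenizer: Token-level analysis for smuggling detection (v0.4)
- *
- * @module agent-threat-rules/modules
- */
- /**
- * Registry for ATR detection modules.
- */
- export class ModuleRegistry {
- modules = new Map();
- /** Reserved module namespaces (cannot be registered by third parties) */
- static RESERVED = new Set([
- 'session',
- 'semantic',
- 'embedding',
- 'protocol',
- 'entropy',
- 'tokenizer',
- ]);
- /**
- * Register a detection module.
- * @throws if module name is already registered or reserved
- */
- register(module) {
- if (this.modules.has(module.name)) {
- throw new Error(`Module "${module.name}" is already registered`);
- }
- this.modules.set(module.name, module);
- }
- /**
- * Check if a module name is reserved by the ATR core team.
- */
- isReserved(name) {
- return ModuleRegistry.RESERVED.has(name);
- }
- /**
- * Get a registered module by name.
- */
- get(name) {
- return this.modules.get(name);
- }
- /**
- * List all registered modules.
- */
- list() {
- return Array.from(this.modules.values()).map(m => ({
- name: m.name,
- version: m.version,
- description: m.description,
- }));
- }
- /**
- * Initialize all registered modules.
- */
- async initializeAll() {
- for (const module of this.modules.values()) {
- await module.initialize();
- }
- }
- /**
- * Destroy all registered modules.
- */
- async destroyAll() {
- for (const module of this.modules.values()) {
- await module.destroy();
- }
- }
- }
- //# sourceMappingURL=index.js.map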
@@ -1 +0,0 @@
1
- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/modules/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAoGH;;GAEG;AACH,MAAM,OAAO,cAAc;IACR,OAAO,GAAG,IAAI,GAAG,EAAqB,CAAC;IAExD,yEAAyE;IACjE,MAAM,CAAU,QAAQ,GAAG,IAAI,GAAG,CAAC;QACzC,SAAS;QACT,UAAU;QACV,WAAW;QACX,UAAU;QACV,SAAS;QACT,WAAW;KACZ,CAAC,CAAC;IAEH;;;OAGG;IACH,QAAQ,CAAC,MAAiB;QACxB,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;YAClC,MAAM,IAAI,KAAK,CAAC,WAAW,MAAM,CAAC,IAAI,yBAAyB,CAAC,CAAC;QACnE,CAAC;QACD,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACxC,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,IAAY;QACrB,OAAO,cAAc,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC3C,CAAC;IAED;;OAEG;IACH,GAAG,CAAC,IAAY;QACd,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAChC,CAAC;IAED;;OAEG;IACH,IAAI;QACF,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YACjD,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,WAAW,EAAE,CAAC,CAAC,WAAW;SAC3B,CAAC,CAAC,CAAC;IACN,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa;QACjB,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;YAC3C,MAAM,MAAM,CAAC,UAAU,EAAE,CAAC;QAC5B,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU;QACd,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;YAC3C,MAAM,MAAM,CAAC,OAAO,EAAE,CAAC;QACzB,CAAC;IACH,CAAC"}
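--- a/[dir-not-shown]/semantic.d.ts
+++ /dev/null
@@ -1,106 +0,0 @@
- /**
- * ATR Semantic Module (Layer 3)
- *
- * AI-driven semantic analysis for detecting threats that bypass
- * regex patterns (Layer 1) and behavioral fingerprinting (Layer 2).
- *
- * Uses LLM-as-judge to evaluate whether an agent event represents
- * a genuine threat, even when the attacker uses:
- * - Semantic paraphrasing to avoid keyword matching
- * - Multi-language injection (non-English payloads)
- * - Context-aware social engineering
- * - Novel attack patterns not yet in the rule set
- *
- * Provider-agnostic: works with any OpenAI-compatible API.
- *
- * @module agent-threat-rules/modules/semantic
- */
- import type { AgentEvent } from '../types.js';
- import type { ATRModule, ModuleCondition, ModuleResult } from './index.js';
- export interface SemanticModuleConfig {
- /** OpenAI-compatible API endpoint */
- apiUrl: string;
- /** API key */
- apiKey: string;
- /** Model to use (default: gpt-4o-mini for cost efficiency) */
- model?: string;
- /** Max tokens for analysis (default: 512) */
- maxTokens?: number;
- /** Temperature (default: 0.1 for consistency) */
- temperature?: number;
- /** Timeout in ms (default: 10000) */
- timeout?: number;
- /** Cache TTL in ms for identical content (default: 300000 = 5min) */
- cacheTtlMs?: number;
- /** Max cache entries (default: 1000) */
- maxCacheSize?: number;
- }
- /**
- * Semantic detection module using LLM-as-judge.
- *
- * Usage in ATR YAML:
- * ```yaml
- * detection:
- * conditions:
- * semantic_check:
- * module: semantic
- * function: analyze_threat
- * args:
- * field: user_input
- * operator: gte
- * threshold: 0.7
- * condition: "semantic_check"
- * ```
- */
- export declare class SemanticModule implements ATRModule {
- readonly name = "semantic";
- readonly description = "AI-driven semantic threat analysis (Layer 3)";
- readonly version = "0.1.0";
- readonly functions: readonly [{
- readonly name: "analyze_threat";
- readonly description: "Analyze text for semantic threat indicators using LLM";
- readonly args: readonly [{
- readonly name: "field";
- readonly type: "string";
- readonly required: false;
- readonly description: "Event field to analyze (default: content)";
- }];
- }, {
- readonly name: "is_injection";
- readonly description: "Binary check: is this a prompt injection attempt?";
- readonly args: readonly [{
- readonly name: "field";
- readonly type: "string";
- readonly required: false;
- readonly description: "Event field to analyze (default: content)";
- }];
- }, {
- readonly name: "classify_attack";
- readonly description: "Classify the type of attack (returns category confidence)";
- readonly args: readonly [{
- readonly name: "field";
- readonly type: "string";
- readonly required: false;
- readonly description: "Event field to analyze (default: content)";
- }, {
- readonly name: "target_category";
- readonly type: "string";
- readonly required: true;
- readonly description: "ATR category to check against";
- }];
- }];
- private readonly config;
- private readonly cache;
- constructor(config: SemanticModuleConfig);
- initialize(): Promise<void>;
- evaluate(event: AgentEvent, condition: ModuleCondition): Promise<ModuleResult>;
- destroy(): Promise<void>;
- private analyzeWithCache;
- private callLLM;
- private callFPCheck;
- private parseAnalysis;
- private resolveEndpoint;
- private hashContent;
- private compareThreshold;
- }
- //# sourceMappingURL=semantic.d.ts.map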
@@ -1 +0,0 @@
1
- {"version":3,"file":"semantic.d.ts","sourceRoot":"","sources":["../../src/modules/semantic.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAC9C,OAAO,KAAK,EAAE,SAAS,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE3E,MAAM,WAAW,oBAAoB;IACnC,qCAAqC;IACrC,MAAM,EAAE,MAAM,CAAC;IACf,cAAc;IACd,MAAM,EAAE,MAAM,CAAC;IACf,8DAA8D;IAC9D,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,6CAA6C;IAC7C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,iDAAiD;IACjD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,qCAAqC;IACrC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,qEAAqE;IACrE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,wCAAwC;IACxC,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AA6DD;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,cAAe,YAAW,SAAS;IAC9C,QAAQ,CAAC,IAAI,cAAc;IAC3B,QAAQ,CAAC,WAAW,kDAAkD;IACtE,QAAQ,CAAC,OAAO,WAAW;IAE3B,QAAQ,CAAC,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA2CP;IAEX,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAiC;IACxD,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAiC;gBAE3C,MAAM,EAAE,oBAAoB;IAalC,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAK3B,QAAQ,CAAC,KAAK,EAAE,UAAU,EAAE,SAAS,EAAE,eAAe,GAAG,OAAO,CAAC,YAAY,CAAC;IA8C9E,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;YAMhB,gBAAgB;YA4ChB,OAAO;YAsDP,WAAW;IAkDzB,OAAO,CAAC,aAAa;IA0BrB,OAAO,CAAC,eAAe;IAOvB,OAAO,CAAC,WAAW;IAUnB,OAAO,CAAC,gBAAgB;CAUzB"}