agent-threat-rules 0.4.0 → 1.0.0

package/rules/tool-poisoning/{ATR-2026-012-unauthorized-tool-call.yaml → ATR-2026-00012-unauthorized-tool-call.yaml}

@@ -1,5 +1,6 @@
 title: "Unauthorized Tool Call Detection"
-id: ATR-2026-012
+id: ATR-2026-00012
+rule_version: 1
 status: experimental
 description: >
   Detects unauthorized or malicious tool call attempts including parameter injection,
@@ -31,6 +32,7 @@ references:
 tags:
   category: tool-poisoning
   subcategory: unauthorized-access
+  scan_target: mcp
   confidence: high
 
 agent_source:

package/rules/tool-poisoning/{ATR-2026-013-tool-ssrf.yaml → ATR-2026-00013-tool-ssrf.yaml}

@@ -1,5 +1,6 @@
 title: "SSRF via Agent Tool Calls"
-id: ATR-2026-013
+id: ATR-2026-00013
+rule_version: 1
 status: experimental
 description: >
   Detects Server-Side Request Forgery (SSRF) attempts through agent tool calls.
@@ -37,6 +38,7 @@ references:
 tags:
   category: tool-poisoning
   subcategory: ssrf
+  scan_target: both
   confidence: high
 
 agent_source:

package/rules/tool-poisoning/{ATR-2026-095-supply-chain-poisoning.yaml → ATR-2026-00095-supply-chain-poisoning.yaml}

@@ -1,5 +1,6 @@
 title: "MCP Tool Supply Chain Poisoning"
-id: ATR-2026-095
+id: ATR-2026-00095
+rule_version: 1
 status: draft
 description: >
   Detects tool poisoning attacks targeting the MCP (Model Context Protocol)
@@ -21,6 +22,7 @@ references:
 tags:
   category: tool-poisoning
   subcategory: supply-chain-attack
+  scan_target: mcp
   confidence: medium
 
 agent_source:

package/rules/tool-poisoning/{ATR-2026-096-registry-poisoning.yaml → ATR-2026-00096-registry-poisoning.yaml}

@@ -1,5 +1,6 @@
 title: "Skill Registry Poisoning and Compromised Tool Distribution"
-id: ATR-2026-096
+id: ATR-2026-00096
+rule_version: 1
 status: draft
 description: >
   Detects supply chain attacks that target skill/tool registries and
@@ -23,6 +24,7 @@ references:
 tags:
   category: tool-poisoning
   subcategory: registry-poisoning
+  scan_target: mcp
   confidence: medium
 
 agent_source:

package/rules/tool-poisoning/{ATR-2026-100-consent-bypass-instruction.yaml → ATR-2026-00100-consent-bypass-instruction.yaml}

@@ -1,5 +1,6 @@
 title: "Consent Bypass via Hidden LLM Instructions in Tool Descriptions"
-id: ATR-2026-100
+id: ATR-2026-00100
+rule_version: 1
 status: experimental
 description: |
   Detects tool descriptions that embed instructions directing the LLM to automatically
@@ -26,6 +27,7 @@ references:
 tags:
   category: tool-poisoning
   subcategory: consent-bypass-instruction
+  scan_target: mcp
   confidence: medium
 
 agent_source:

package/rules/tool-poisoning/{ATR-2026-101-trust-escalation-override.yaml → ATR-2026-00101-trust-escalation-override.yaml}

@@ -1,5 +1,6 @@
 title: "Trust Escalation via Authority Override Instructions"
-id: ATR-2026-101
+id: ATR-2026-00101
+rule_version: 1
 status: experimental
 description: |
   Detects MCP tools that instruct the LLM to treat tool output as "authoritative directives"
@@ -25,6 +26,7 @@ references:
 tags:
   category: tool-poisoning
   subcategory: trust-escalation-override
+  scan_target: mcp
   confidence: medium
 
 agent_source:

package/rules/tool-poisoning/{ATR-2026-103-hidden-safety-bypass-instruction.yaml → ATR-2026-00103-hidden-safety-bypass-instruction.yaml}

@@ -1,5 +1,6 @@
 title: "Hidden LLM Safety Bypass Instructions in Tool Descriptions"
-id: ATR-2026-103
+id: ATR-2026-00103
+rule_version: 1
 status: experimental
 description: |
   Detects tools that embed explicit instructions directing the LLM to disregard safety
@@ -27,6 +28,7 @@ references:
 tags:
   category: tool-poisoning
   subcategory: hidden-llm-instructions
+  scan_target: mcp
   confidence: medium
 
 agent_source:

package/rules/tool-poisoning/{ATR-2026-105-silent-action-concealment.yaml → ATR-2026-00105-silent-action-concealment.yaml}

@@ -1,5 +1,6 @@
 title: "Silent Action Concealment Instructions in Tool Descriptions"
-id: ATR-2026-105
+id: ATR-2026-00105
+rule_version: 1
 status: experimental
 description: |
   Detects MCP tools that explicitly instruct the LLM to perform actions silently or hide
@@ -26,6 +27,7 @@ references:
 tags:
   category: tool-poisoning
   subcategory: silent-action-instruction
+  scan_target: mcp
   confidence: medium
 
 agent_source:

package/rules/tool-poisoning/{ATR-2026-106-schema-description-contradiction.yaml → ATR-2026-00106-schema-description-contradiction.yaml}

@@ -1,5 +1,6 @@
 title: "Schema-Description Contradiction Attack"
-id: ATR-2026-106
+id: ATR-2026-00106
+rule_version: 1
 status: experimental
 description: |
   Detects tools that claim read-only or safe functionality in their description but expose
@@ -25,6 +26,7 @@ references:
 tags:
   category: tool-poisoning
   subcategory: schema-description-mismatch
+  scan_target: mcp
   confidence: medium
 
 agent_source:

package/spec/atr-schema.yaml

@@ -10,7 +10,7 @@
 $schema: "https://json-schema.org/draft/2020-12/schema"
 title: ATR Rule Schema
 description: Schema for Agent Threat Rules (ATR) detection rules
-version: "0.1.0-draft"
+version: "1.0.0"
 
 type: object
 required:
@@ -43,8 +43,8 @@ properties:
 
   id:
     type: string
-    pattern: "^ATR-\\d{4}-\\d{3}$"
-    description: "Unique rule identifier. Format: ATR-YYYY-NNN (e.g., ATR-2026-001)"
+    pattern: "^ATR-\\d{4}-\\d{5}$"
+    description: "Unique rule identifier. Format: ATR-YYYY-NNNNN (e.g., ATR-2026-00001)"
 
   status:
     type: string
@@ -69,6 +69,11 @@ properties:
     pattern: "^\\d{4}/\\d{2}/\\d{2}$"
     description: "Last modification date in YYYY/MM/DD format"
 
+  rule_version:
+    type: integer
+    minimum: 1
+    description: "Rule version number. Bump when detection logic changes. Starts at 1."
+
   # === Classification ===
 
   detection_tier:
@@ -114,6 +119,26 @@ properties:
         items:
           type: string
         description: Related CVE identifiers
+      owasp_agentic:
+        type: array
+        items:
+          type: string
+        description: "OWASP Agentic Top 10 references (e.g., ASI01, ASI02)"
+      owasp_ast:
+        type: array
+        items:
+          type: string
+        description: "OWASP Agentic Skills Top 10 references (e.g., AST01)"
+      safe_mcp:
+        type: array
+        items:
+          type: string
+        description: "SAFE-MCP technique IDs (e.g., SMCP-T001)"
+      research:
+        type: array
+        items:
+          type: string
+        description: "Research paper references or URLs"
 
   # === Tags (ATR classification) ===
 
@@ -141,6 +166,10 @@ properties:
         type: string
         enum: [high, medium, low]
         description: Expected accuracy of this rule (high = low false positive rate)
+      scan_target:
+        type: string
+        enum: [mcp, skill, both, runtime]
+        description: "Which scan path this rule belongs to. mcp=runtime events, skill=SKILL.md static scan, both=fires in both paths, runtime=behavior monitoring."
 
   # === Agent Source (analogous to Sigma's logsource) ===
 

package/dist/action-executor.d.ts

@@ -1,44 +0,0 @@
-/**
- * Action Executor - Executes ATR response actions via platform adapters.
- *
- * Deduplicates actions, sorts by priority, and delegates execution
- * to a PlatformAdapter. Handles per-action errors so one failure
- * does not block the rest.
- *
- * @module agent-threat-rules/action-executor
- */
-import type { ActionResult, ExecutionContext, PlatformAdapter } from './types.js';
-export interface ActionExecutorConfig {
-    readonly adapter: PlatformAdapter;
-    readonly dryRun?: boolean;
-    readonly onActionComplete?: (result: ActionResult) => void;
-}
-export declare class ActionExecutor {
-    private readonly adapter;
-    private readonly dryRun;
-    private readonly onActionComplete?;
-    constructor(config: ActionExecutorConfig);
-    /**
-     * Execute all actions from the verdict context.
-     *
-     * Actions are deduplicated, sorted by priority, and executed
-     * sequentially. Each action is wrapped in try/catch so a single
-     * failure does not prevent subsequent actions from running.
-     *
-     * Returns a frozen array of ActionResult.
-     */
-    execute(context: ExecutionContext): Promise<readonly ActionResult[]>;
-    /**
-     * Deduplicate actions and sort by priority (highest priority first).
-     */
-    private deduplicateAndSort;
-    /**
-     * Execute a single action, returning a result even on failure.
-     */
-    private executeOne;
-    /** Get the adapter name for diagnostics */
-    getAdapterName(): string;
-    /** Check if dry-run mode is enabled */
-    isDryRun(): boolean;
-}
-//# sourceMappingURL=action-executor.d.ts.map

package/dist/action-executor.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"action-executor.d.ts","sourceRoot":"","sources":["../src/action-executor.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAEV,YAAY,EACZ,gBAAgB,EAChB,eAAe,EAChB,MAAM,YAAY,CAAC;AA8BpB,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,OAAO,EAAE,eAAe,CAAC;IAClC,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC,MAAM,EAAE,YAAY,KAAK,IAAI,CAAC;CAC5D;AAED,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAkB;IAC1C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAU;IACjC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAiC;gBAEvD,MAAM,EAAE,oBAAoB;IAMxC;;;;;;;;OAQG;IACG,OAAO,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,SAAS,YAAY,EAAE,CAAC;IAgB1E;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAW1B;;OAEG;YACW,UAAU;IAmDxB,2CAA2C;IAC3C,cAAc,IAAI,MAAM;IAIxB,uCAAuC;IACvC,QAAQ,IAAI,OAAO;CAGpB"}

package/dist/action-executor.js

@@ -1,130 +0,0 @@
-/**
- * Action Executor - Executes ATR response actions via platform adapters.
- *
- * Deduplicates actions, sorts by priority, and delegates execution
- * to a PlatformAdapter. Handles per-action errors so one failure
- * does not block the rest.
- *
- * @module agent-threat-rules/action-executor
- */
-/** Priority order: lower number = higher priority (executed first) */
-const ACTION_PRIORITY = {
-    kill_agent: 0,
-    block_input: 1,
-    block_output: 2,
-    block_tool: 3,
-    quarantine_session: 4,
-    reduce_permissions: 5,
-    reset_context: 6,
-    alert: 7,
-    escalate: 8,
-    snapshot: 9,
-};
-/** Map action names to PlatformAdapter method names */
-const ACTION_METHOD_MAP = {
-    block_input: 'blockInput',
-    block_output: 'blockOutput',
-    block_tool: 'blockTool',
-    quarantine_session: 'quarantineSession',
-    reset_context: 'resetContext',
-    alert: 'alert',
-    snapshot: 'snapshot',
-    escalate: 'escalate',
-    reduce_permissions: 'reducePermissions',
-    kill_agent: 'killAgent',
-};
-export class ActionExecutor {
-    adapter;
-    dryRun;
-    onActionComplete;
-    constructor(config) {
-        this.adapter = config.adapter;
-        this.dryRun = config.dryRun ?? false;
-        this.onActionComplete = config.onActionComplete;
-    }
-    /**
-     * Execute all actions from the verdict context.
-     *
-     * Actions are deduplicated, sorted by priority, and executed
-     * sequentially. Each action is wrapped in try/catch so a single
-     * failure does not prevent subsequent actions from running.
-     *
-     * Returns a frozen array of ActionResult.
-     */
-    async execute(context) {
-        const actions = this.deduplicateAndSort(context.verdict.actions);
-        const results = [];
-        for (const action of actions) {
-            const result = await this.executeOne(action, context);
-            results.push(result);
-            if (this.onActionComplete) {
-                this.onActionComplete(result);
-            }
-        }
-        return Object.freeze(results);
-    }
-    /**
-     * Deduplicate actions and sort by priority (highest priority first).
-     */
-    deduplicateAndSort(actions) {
-        const unique = [...new Set(actions)];
-        return unique.sort((a, b) => {
-            const pa = ACTION_PRIORITY[a] ?? 99;
-            const pb = ACTION_PRIORITY[b] ?? 99;
-            return pa - pb;
-        });
-    }
-    /**
-     * Execute a single action, returning a result even on failure.
-     */
-    async executeOne(action, context) {
-        const timestamp = new Date().toISOString();
-        if (this.dryRun) {
-            return Object.freeze({
-                action,
-                success: true,
-                message: `[dry-run] Would execute: ${action}`,
-                timestamp,
-            });
-        }
-        try {
-            const methodName = ACTION_METHOD_MAP[action];
-            if (!methodName) {
-                return Object.freeze({
-                    action,
-                    success: false,
-                    message: `Unknown action: ${action}`,
-                    timestamp,
-                });
-            }
-            const method = this.adapter[methodName];
-            if (typeof method !== 'function') {
-                return Object.freeze({
-                    action,
-                    success: false,
-                    message: `Adapter "${this.adapter.name}" does not implement: ${methodName}`,
-                    timestamp,
-                });
-            }
-            return await method.call(this.adapter, context);
-        }
-        catch (err) {
-            const message = err instanceof Error ? err.message : String(err);
-            return Object.freeze({
-                action,
-                success: false,
-                message: `Action "${action}" failed: ${message}`,
-                timestamp,
-            });
-        }
-    }
-    /** Get the adapter name for diagnostics */
-    getAdapterName() {
-        return this.adapter.name;
-    }
-    /** Check if dry-run mode is enabled */
-    isDryRun() {
-        return this.dryRun;
-    }
-}
-//# sourceMappingURL=action-executor.js.map

package/dist/action-executor.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"action-executor.js","sourceRoot":"","sources":["../src/action-executor.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AASH,sEAAsE;AACtE,MAAM,eAAe,GAAwC;IAC3D,UAAU,EAAE,CAAC;IACb,WAAW,EAAE,CAAC;IACd,YAAY,EAAE,CAAC;IACf,UAAU,EAAE,CAAC;IACb,kBAAkB,EAAE,CAAC;IACrB,kBAAkB,EAAE,CAAC;IACrB,aAAa,EAAE,CAAC;IAChB,KAAK,EAAE,CAAC;IACR,QAAQ,EAAE,CAAC;IACX,QAAQ,EAAE,CAAC;CACZ,CAAC;AAEF,uDAAuD;AACvD,MAAM,iBAAiB,GAAuD;IAC5E,WAAW,EAAE,YAAY;IACzB,YAAY,EAAE,aAAa;IAC3B,UAAU,EAAE,WAAW;IACvB,kBAAkB,EAAE,mBAAmB;IACvC,aAAa,EAAE,cAAc;IAC7B,KAAK,EAAE,OAAO;IACd,QAAQ,EAAE,UAAU;IACpB,QAAQ,EAAE,UAAU;IACpB,kBAAkB,EAAE,mBAAmB;IACvC,UAAU,EAAE,WAAW;CACxB,CAAC;AAQF,MAAM,OAAO,cAAc;IACR,OAAO,CAAkB;IACzB,MAAM,CAAU;IAChB,gBAAgB,CAAkC;IAEnE,YAAY,MAA4B;QACtC,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAC9B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,KAAK,CAAC;QACrC,IAAI,CAAC,gBAAgB,GAAG,MAAM,CAAC,gBAAgB,CAAC;IAClD,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,OAAO,CAAC,OAAyB;QACrC,MAAM,OAAO,GAAG,IAAI,CAAC,kBAAkB,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QACjE,MAAM,OAAO,GAAmB,EAAE,CAAC;QAEnC,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YACtD,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAErB,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBAC1B,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;YAChC,CAAC;QACH,CAAC;QAED,OAAO,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAChC,CAAC;IAED;;OAEG;IACK,kBAAkB,CACxB,OAA6B;QAE7B,MAAM,MAAM,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC;QACrC,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;YAC1B,MAAM,EAAE,GAAG,eAAe,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACpC,MAAM,EAAE,GAAG,eAAe,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACpC,OAAO,EAAE,GAAG,EAAE,CAAC;QACjB,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,UAAU,CACtB,MAAiB,EACjB,OAAyB;QAEzB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAE3C,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,OAAO,MAAM,CAAC,MAAM,CAAC;gBACnB,MAAM;gBACN,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE,4BAA4B,MAAM,EAAE;gBAC7C,SAAS;aACV,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;YAC7C,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,OAAO,MAAM,CAAC,MAAM,CAAC;oBACnB,MAAM;oBACN,OAAO,EAAE,KAAK;oBACd,OAAO,EAAE,mBAAmB,MAAM,EAAE;oBACpC,SAAS;iBACV,CAAC,CAAC;YACL,CAAC;YAED,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAEzB,CAAC;YAEd,IAAI,OAAO,MAAM,KAAK,UAAU,EAAE,CAAC;gBACjC,OAAO,MAAM,CAAC,MAAM,CAAC;oBACnB,MAAM;oBACN,OAAO,EAAE,KAAK;oBACd,OAAO,EAAE,YAAY,IAAI,CAAC,OAAO,CAAC,IAAI,yBAAyB,UAAU,EAAE;oBAC3E,SAAS;iBACV,CAAC,CAAC;YACL,CAAC;YAED,OAAO,MAAM,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAClD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO,MAAM,CAAC,MAAM,CAAC;gBACnB,MAAM;gBACN,OAAO,EAAE,KAAK;gBACd,OAAO,EAAE,WAAW,MAAM,aAAa,OAAO,EAAE;gBAChD,SAAS;aACV,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,2CAA2C;IAC3C,cAAc;QACZ,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;IAC3B,CAAC;IAED,uCAAuC;IACvC,QAAQ;QACN,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;CACF"}

package/dist/adapters/default-adapter.d.ts

@@ -1,24 +0,0 @@
-/**
- * Default Platform Adapter - No-op implementation for CLI and testing.
- *
- * Every method logs the action and returns a success result.
- * This adapter is safe to use in any environment as it performs
- * no actual enforcement.
- *
- * @module agent-threat-rules/adapters/default-adapter
- */
-import type { ActionResult, ExecutionContext, PlatformAdapter } from '../types.js';
-export declare class DefaultAdapter implements PlatformAdapter {
-    readonly name = "default";
-    blockInput(ctx: ExecutionContext): Promise<ActionResult>;
-    blockOutput(ctx: ExecutionContext): Promise<ActionResult>;
-    blockTool(ctx: ExecutionContext): Promise<ActionResult>;
-    quarantineSession(ctx: ExecutionContext): Promise<ActionResult>;
-    resetContext(ctx: ExecutionContext): Promise<ActionResult>;
-    alert(ctx: ExecutionContext): Promise<ActionResult>;
-    snapshot(ctx: ExecutionContext): Promise<ActionResult>;
-    escalate(ctx: ExecutionContext): Promise<ActionResult>;
-    reducePermissions(ctx: ExecutionContext): Promise<ActionResult>;
-    killAgent(ctx: ExecutionContext): Promise<ActionResult>;
-}
-//# sourceMappingURL=default-adapter.d.ts.map

package/dist/adapters/default-adapter.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"default-adapter.d.ts","sourceRoot":"","sources":["../../src/adapters/default-adapter.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,gBAAgB,EAChB,eAAe,EAChB,MAAM,aAAa,CAAC;AAcrB,qBAAa,cAAe,YAAW,eAAe;IACpD,QAAQ,CAAC,IAAI,aAAa;IAEpB,UAAU,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAIxD,WAAW,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAIzD,SAAS,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAIvD,iBAAiB,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAI/D,YAAY,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAI1D,KAAK,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAInD,QAAQ,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAItD,QAAQ,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAItD,iBAAiB,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAI/D,SAAS,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;CAG9D"}

package/dist/adapters/default-adapter.js

@@ -1,51 +0,0 @@
-/**
- * Default Platform Adapter - No-op implementation for CLI and testing.
- *
- * Every method logs the action and returns a success result.
- * This adapter is safe to use in any environment as it performs
- * no actual enforcement.
- *
- * @module agent-threat-rules/adapters/default-adapter
- */
-function createResult(action, ctx) {
-    return Object.freeze({
-        action,
-        success: true,
-        message: `[${action}] logged (no-op) for verdict: ${ctx.verdict.outcome}`,
-        timestamp: new Date().toISOString(),
-    });
-}
-export class DefaultAdapter {
-    name = 'default';
-    async blockInput(ctx) {
-        return createResult('block_input', ctx);
-    }
-    async blockOutput(ctx) {
-        return createResult('block_output', ctx);
-    }
-    async blockTool(ctx) {
-        return createResult('block_tool', ctx);
-    }
-    async quarantineSession(ctx) {
-        return createResult('quarantine_session', ctx);
-    }
-    async resetContext(ctx) {
-        return createResult('reset_context', ctx);
-    }
-    async alert(ctx) {
-        return createResult('alert', ctx);
-    }
-    async snapshot(ctx) {
-        return createResult('snapshot', ctx);
-    }
-    async escalate(ctx) {
-        return createResult('escalate', ctx);
-    }
-    async reducePermissions(ctx) {
-        return createResult('reduce_permissions', ctx);
-    }
-    async killAgent(ctx) {
-        return createResult('kill_agent', ctx);
-    }
-}
-//# sourceMappingURL=default-adapter.js.map

package/dist/adapters/default-adapter.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"default-adapter.js","sourceRoot":"","sources":["../../src/adapters/default-adapter.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAQH,SAAS,YAAY,CACnB,MAA8B,EAC9B,GAAqB;IAErB,OAAO,MAAM,CAAC,MAAM,CAAC;QACnB,MAAM;QACN,OAAO,EAAE,IAAI;QACb,OAAO,EAAE,IAAI,MAAM,iCAAiC,GAAG,CAAC,OAAO,CAAC,OAAO,EAAE;QACzE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,OAAO,cAAc;IAChB,IAAI,GAAG,SAAS,CAAC;IAE1B,KAAK,CAAC,UAAU,CAAC,GAAqB;QACpC,OAAO,YAAY,CAAC,aAAa,EAAE,GAAG,CAAC,CAAC;IAC1C,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,GAAqB;QACrC,OAAO,YAAY,CAAC,cAAc,EAAE,GAAG,CAAC,CAAC;IAC3C,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAqB;QACnC,OAAO,YAAY,CAAC,YAAY,EAAE,GAAG,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,GAAqB;QAC3C,OAAO,YAAY,CAAC,oBAAoB,EAAE,GAAG,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,GAAqB;QACtC,OAAO,YAAY,CAAC,eAAe,EAAE,GAAG,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,GAAqB;QAC/B,OAAO,YAAY,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,GAAqB;QAClC,OAAO,YAAY,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;IACvC,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,GAAqB;QAClC,OAAO,YAAY,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;IACvC,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,GAAqB;QAC3C,OAAO,YAAY,CAAC,oBAAoB,EAAE,GAAG,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAqB;QACnC,OAAO,YAAY,CAAC,YAAY,EAAE,GAAG,CAAC,CAAC;IACzC,CAAC;CACF"}

package/dist/adapters/stdio-adapter.d.ts

@@ -1,30 +0,0 @@
-/**
- * Stdio Platform Adapter - Adapter for Claude Code hook integration.
- *
- * Block actions write JSON responses to an internal buffer that can
- * be flushed to stdout. Alert and snapshot actions log to stderr
- * to avoid interfering with the JSON protocol on stdout.
- *
- * @module agent-threat-rules/adapters/stdio-adapter
- */
-import type { ActionResult, ExecutionContext, PlatformAdapter } from '../types.js';
-export declare class StdioAdapter implements PlatformAdapter {
-    readonly name = "stdio";
-    private readonly responseBuffer;
-    /**
-     * Get buffered responses and clear the buffer.
-     * Returns a frozen copy.
-     */
-    flushResponses(): readonly unknown[];
-    blockInput(ctx: ExecutionContext): Promise<ActionResult>;
-    blockOutput(ctx: ExecutionContext): Promise<ActionResult>;
-    blockTool(ctx: ExecutionContext): Promise<ActionResult>;
-    quarantineSession(ctx: ExecutionContext): Promise<ActionResult>;
-    resetContext(ctx: ExecutionContext): Promise<ActionResult>;
-    alert(ctx: ExecutionContext): Promise<ActionResult>;
-    snapshot(ctx: ExecutionContext): Promise<ActionResult>;
-    escalate(ctx: ExecutionContext): Promise<ActionResult>;
-    reducePermissions(ctx: ExecutionContext): Promise<ActionResult>;
-    killAgent(ctx: ExecutionContext): Promise<ActionResult>;
-}
-//# sourceMappingURL=stdio-adapter.d.ts.map

package/dist/adapters/stdio-adapter.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"stdio-adapter.d.ts","sourceRoot":"","sources":["../../src/adapters/stdio-adapter.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EACV,YAAY,EACZ,gBAAgB,EAChB,eAAe,EAChB,MAAM,aAAa,CAAC;AAcrB,qBAAa,YAAa,YAAW,eAAe;IAClD,QAAQ,CAAC,IAAI,WAAW;IACxB,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAiB;IAEhD;;;OAGG;IACH,cAAc,IAAI,SAAS,OAAO,EAAE;IAM9B,UAAU,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAUxD,WAAW,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAUzD,SAAS,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAWvD,iBAAiB,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAU/D,YAAY,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAS1D,KAAK,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAWnD,QAAQ,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAetD,QAAQ,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAWtD,iBAAiB,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;IAU/D,SAAS,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC;CAS9D"}

package/dist/adapters/stdio-adapter.js

@@ -1,128 +0,0 @@
-/**
- * Stdio Platform Adapter - Adapter for Claude Code hook integration.
- *
- * Block actions write JSON responses to an internal buffer that can
- * be flushed to stdout. Alert and snapshot actions log to stderr
- * to avoid interfering with the JSON protocol on stdout.
- *
- * @module agent-threat-rules/adapters/stdio-adapter
- */
-function makeResult(action, message) {
-    return Object.freeze({
-        action,
-        success: true,
-        message,
-        timestamp: new Date().toISOString(),
-    });
-}
-export class StdioAdapter {
-    name = 'stdio';
-    responseBuffer = [];
-    /**
-     * Get buffered responses and clear the buffer.
-     * Returns a frozen copy.
-     */
-    flushResponses() {
-        const copy = Object.freeze([...this.responseBuffer]);
-        this.responseBuffer.length = 0;
-        return copy;
-    }
-    async blockInput(ctx) {
-        const entry = {
-            action: 'block_input',
-            verdict: ctx.verdict.outcome,
-            reason: ctx.verdict.reason,
-        };
-        this.responseBuffer.push(entry);
-        return makeResult('block_input', 'Input blocked via stdio protocol');
-    }
-    async blockOutput(ctx) {
-        const entry = {
-            action: 'block_output',
-            verdict: ctx.verdict.outcome,
-            reason: ctx.verdict.reason,
-        };
-        this.responseBuffer.push(entry);
-        return makeResult('block_output', 'Output blocked via stdio protocol');
-    }
-    async blockTool(ctx) {
-        const entry = {
-            action: 'block_tool',
-            verdict: ctx.verdict.outcome,
-            reason: ctx.verdict.reason,
-            tool: ctx.event.fields?.['tool_name'] ?? 'unknown',
-        };
-        this.responseBuffer.push(entry);
-        return makeResult('block_tool', 'Tool blocked via stdio protocol');
-    }
-    async quarantineSession(ctx) {
-        const entry = {
-            action: 'quarantine_session',
-            verdict: ctx.verdict.outcome,
-            sessionId: ctx.sessionId ?? 'unknown',
-        };
-        this.responseBuffer.push(entry);
-        return makeResult('quarantine_session', 'Session quarantined via stdio protocol');
-    }
-    async resetContext(ctx) {
-        const entry = {
-            action: 'reset_context',
-            verdict: ctx.verdict.outcome,
-        };
-        this.responseBuffer.push(entry);
-        return makeResult('reset_context', 'Context reset via stdio protocol');
-    }
-    async alert(ctx) {
-        const alertMsg = {
-            type: 'alert',
-            severity: ctx.verdict.highestSeverity,
-            reason: ctx.verdict.reason,
-            matchCount: ctx.verdict.matchCount,
-        };
-        process.stderr.write(JSON.stringify(alertMsg) + '\n');
-        return makeResult('alert', 'Alert written to stderr');
-    }
-    async snapshot(ctx) {
-        const snapshotData = {
-            type: 'snapshot',
-            event: {
-                type: ctx.event.type,
-                contentPreview: ctx.event.content.slice(0, 200),
-            },
-            verdict: ctx.verdict.outcome,
-            matchCount: ctx.verdict.matchCount,
-            timestamp: new Date().toISOString(),
-        };
-        process.stderr.write(JSON.stringify(snapshotData) + '\n');
-        return makeResult('snapshot', 'Snapshot written to stderr');
-    }
-    async escalate(ctx) {
-        const escalation = {
-            type: 'escalation',
-            severity: ctx.verdict.highestSeverity,
-            reason: ctx.verdict.reason,
-            matchCount: ctx.verdict.matchCount,
-        };
-        process.stderr.write(JSON.stringify(escalation) + '\n');
-        return makeResult('escalate', 'Escalation written to stderr');
-    }
-    async reducePermissions(ctx) {
-        const entry = {
-            action: 'reduce_permissions',
-            verdict: ctx.verdict.outcome,
-            reason: ctx.verdict.reason,
-        };
-        this.responseBuffer.push(entry);
-        return makeResult('reduce_permissions', 'Permissions reduced via stdio protocol');
-    }
-    async killAgent(ctx) {
-        const entry = {
-            action: 'kill_agent',
-            verdict: ctx.verdict.outcome,
-            reason: ctx.verdict.reason,
-        };
-        this.responseBuffer.push(entry);
-        return makeResult('kill_agent', 'Agent kill requested via stdio protocol');
-    }
-}
-//# sourceMappingURL=stdio-adapter.js.map

package/dist/adapters/stdio-adapter.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"stdio-adapter.js","sourceRoot":"","sources":["../../src/adapters/stdio-adapter.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAQH,SAAS,UAAU,CACjB,MAA8B,EAC9B,OAAe;IAEf,OAAO,MAAM,CAAC,MAAM,CAAC;QACnB,MAAM;QACN,OAAO,EAAE,IAAI;QACb,OAAO;QACP,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,OAAO,YAAY;IACd,IAAI,GAAG,OAAO,CAAC;IACP,cAAc,GAAc,EAAE,CAAC;IAEhD;;;OAGG;IACH,cAAc;QACZ,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC;QACrD,IAAI,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC;QAC/B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,GAAqB;QACpC,MAAM,KAAK,GAAG;YACZ,MAAM,EAAE,aAAa;YACrB,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,OAAO;YAC5B,MAAM,EAAE,GAAG,CAAC,OAAO,CAAC,MAAM;SAC3B,CAAC;QACF,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAChC,OAAO,UAAU,CAAC,aAAa,EAAE,kCAAkC,CAAC,CAAC;IACvE,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,GAAqB;QACrC,MAAM,KAAK,GAAG;YACZ,MAAM,EAAE,cAAc;YACtB,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,OAAO;YAC5B,MAAM,EAAE,GAAG,CAAC,OAAO,CAAC,MAAM;SAC3B,CAAC;QACF,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAChC,OAAO,UAAU,CAAC,cAAc,EAAE,mCAAmC,CAAC,CAAC;IACzE,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAqB;QACnC,MAAM,KAAK,GAAG;YACZ,MAAM,EAAE,YAAY;YACpB,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,OAAO;YAC5B,MAAM,EAAE,GAAG,CAAC,OAAO,CAAC,MAAM;YAC1B,IAAI,EAAE,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,WAAW,CAAC,IAAI,SAAS;SACnD,CAAC;QACF,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAChC,OAAO,UAAU,CAAC,YAAY,EAAE,iCAAiC,CAAC,CAAC;IACrE,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,GAAqB;QAC3C,MAAM,KAAK,GAAG;YACZ,MAAM,EAAE,oBAAoB;YAC5B,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,OAAO;YAC5B,SAAS,EAAE,GAAG,CAAC,SAAS,IAAI,SAAS;SACtC,CAAC;QACF,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAChC,OAAO,UAAU,CAAC,oBAAoB,EAAE,wCAAwC,CAAC,CAAC;IACpF,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,GAAqB;QACtC,MAAM,KAAK,GAAG;YACZ,MAAM,EAAE,eAAe;YACvB,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,OAAO;SAC7B,CAAC;QACF,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAChC,OAAO,UAAU,CAAC,eAAe,EAAE,kCAAkC,CAAC,CAAC;IACzE,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,GAAqB;QAC/B,MAAM,QAAQ,GAAG;YACf,IAAI,EAAE,OAAO;YACb,QAAQ,EAAE,GAAG,CAAC,OAAO,CAAC,eAAe;YACrC,MAAM,EAAE,GAAG,CAAC,OAAO,CAAC,MAAM;YAC1B,UAAU,EAAE,GAAG,CAAC,OAAO,CAAC,UAAU;SACnC,CAAC;QACF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,CAAC;QACtD,OAAO,UAAU,CAAC,OAAO,EAAE,yBAAyB,CAAC,CAAC;IACxD,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,GAAqB;QAClC,MAAM,YAAY,GAAG;YACnB,IAAI,EAAE,UAAU;YAChB,KAAK,EAAE;gBACL,IAAI,EAAE,GAAG,CAAC,KAAK,CAAC,IAAI;gBACpB,cAAc,EAAE,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;aAChD;YACD,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,OAAO;YAC5B,UAAU,EAAE,GAAG,CAAC,OAAO,CAAC,UAAU;YAClC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC;QACF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,GAAG,IAAI,CAAC,CAAC;QAC1D,OAAO,UAAU,CAAC,UAAU,EAAE,4BAA4B,CAAC,CAAC;IAC9D,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,GAAqB;QAClC,MAAM,UAAU,GAAG;YACjB,IAAI,EAAE,YAAY;YAClB,QAAQ,EAAE,GAAG,CAAC,OAAO,CAAC,eAAe;YACrC,MAAM,EAAE,GAAG,CAAC,OAAO,CAAC,MAAM;YAC1B,UAAU,EAAE,GAAG,CAAC,OAAO,CAAC,UAAU;SACnC,CAAC;QACF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC,CAAC;QACxD,OAAO,UAAU,CAAC,UAAU,EAAE,8BAA8B,CAAC,CAAC;IAChE,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,GAAqB;QAC3C,MAAM,KAAK,GAAG;YACZ,MAAM,EAAE,oBAAoB;YAC5B,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,OAAO;YAC5B,MAAM,EAAE,GAAG,CAAC,OAAO,CAAC,MAAM;SAC3B,CAAC;QACF,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAChC,OAAO,UAAU,CAAC,oBAAoB,EAAE,wCAAwC,CAAC,CAAC;IACpF,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,GAAqB;QACnC,MAAM,KAAK,GAAG;YACZ,MAAM,EAAE,YAAY;YACpB,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,OAAO;YAC5B,MAAM,EAAE,GAAG,CAAC,OAAO,CAAC,MAAM;SAC3B,CAAC;QACF,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAChC,OAAO,UAAU,CAAC,YAAY,EAAE,yCAAyC,CAAC,CAAC;IAC7E,CAAC;CACF"}