agent-threat-rules 0.4.0 → 1.0.1

package/rules/tool-poisoning/{ATR-2026-103-hidden-safety-bypass-instruction.yaml → ATR-2026-00103-hidden-safety-bypass-instruction.yaml}

@@ -1,5 +1,6 @@
 title: "Hidden LLM Safety Bypass Instructions in Tool Descriptions"
-id: ATR-2026-103
+id: ATR-2026-00103
+rule_version: 1
 status: experimental
 description: |
   Detects tools that embed explicit instructions directing the LLM to disregard safety
@@ -27,6 +28,7 @@ references:
 tags:
   category: tool-poisoning
   subcategory: hidden-llm-instructions
+  scan_target: mcp
   confidence: medium
 
 agent_source:

package/rules/tool-poisoning/{ATR-2026-105-silent-action-concealment.yaml → ATR-2026-00105-silent-action-concealment.yaml}

@@ -1,5 +1,6 @@
 title: "Silent Action Concealment Instructions in Tool Descriptions"
-id: ATR-2026-105
+id: ATR-2026-00105
+rule_version: 1
 status: experimental
 description: |
   Detects MCP tools that explicitly instruct the LLM to perform actions silently or hide
@@ -26,6 +27,7 @@ references:
 tags:
   category: tool-poisoning
   subcategory: silent-action-instruction
+  scan_target: mcp
   confidence: medium
 
 agent_source:

package/rules/tool-poisoning/{ATR-2026-106-schema-description-contradiction.yaml → ATR-2026-00106-schema-description-contradiction.yaml}

@@ -1,5 +1,6 @@
 title: "Schema-Description Contradiction Attack"
-id: ATR-2026-106
+id: ATR-2026-00106
+rule_version: 1
 status: experimental
 description: |
   Detects tools that claim read-only or safe functionality in their description but expose
@@ -25,6 +26,7 @@ references:
 tags:
   category: tool-poisoning
   subcategory: schema-description-mismatch
+  scan_target: mcp
   confidence: medium
 
 agent_source:

package/spec/atr-schema.yaml

@@ -10,7 +10,7 @@
 $schema: "https://json-schema.org/draft/2020-12/schema"
 title: ATR Rule Schema
 description: Schema for Agent Threat Rules (ATR) detection rules
-version: "0.1.0-draft"
+version: "1.0.0"
 
 type: object
 required:
@@ -43,8 +43,8 @@ properties:
 
   id:
     type: string
-    pattern: "^ATR-\\d{4}-\\d{3}$"
-    description: "Unique rule identifier. Format: ATR-YYYY-NNN (e.g., ATR-2026-001)"
+    pattern: "^ATR-\\d{4}-\\d{5}$"
+    description: "Unique rule identifier. Format: ATR-YYYY-NNNNN (e.g., ATR-2026-00001)"
 
   status:
     type: string
@@ -69,6 +69,11 @@ properties:
     pattern: "^\\d{4}/\\d{2}/\\d{2}$"
     description: "Last modification date in YYYY/MM/DD format"
 
+  rule_version:
+    type: integer
+    minimum: 1
+    description: "Rule version number. Bump when detection logic changes. Starts at 1."
+
   # === Classification ===
 
   detection_tier:
@@ -114,6 +119,26 @@ properties:
         items:
           type: string
         description: Related CVE identifiers
+      owasp_agentic:
+        type: array
+        items:
+          type: string
+        description: "OWASP Agentic Top 10 references (e.g., ASI01, ASI02)"
+      owasp_ast:
+        type: array
+        items:
+          type: string
+        description: "OWASP Agentic Skills Top 10 references (e.g., AST01)"
+      safe_mcp:
+        type: array
+        items:
+          type: string
+        description: "SAFE-MCP technique IDs (e.g., SMCP-T001)"
+      research:
+        type: array
+        items:
+          type: string
+        description: "Research paper references or URLs"
 
   # === Tags (ATR classification) ===
 
@@ -141,6 +166,10 @@ properties:
         type: string
         enum: [high, medium, low]
         description: Expected accuracy of this rule (high = low false positive rate)
+      scan_target:
+        type: string
+        enum: [mcp, skill, both, runtime]
+        description: "Which scan path this rule belongs to. mcp=runtime events, skill=SKILL.md static scan, both=fires in both paths, runtime=behavior monitoring."
 
   # === Agent Source (analogous to Sigma's logsource) ===