npm - agent-threat-rules - Versions diffs - 0.4.0 → 1.0.1 - Mend

agent-threat-rules 0.4.0 → 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (173) hide show

package/dist/converters/sarif.js ADDED Viewed

@@ -0,0 +1,142 @@
+/**
+ * ATR-to-SARIF Converter
+ *
+ * Converts ATR scan results into SARIF v2.1.0 format for
+ * GitHub Security tab integration via code scanning alerts.
+ *
+ * @module agent-threat-rules/converters/sarif
+ */
+/** Map ATR severity to SARIF level */
+function severityToLevel(severity) {
+    switch (severity) {
+        case 'critical':
+        case 'high':
+            return 'error';
+        case 'medium':
+            return 'warning';
+        case 'low':
+        case 'informational':
+            return 'note';
+        default:
+            return 'note';
+    }
+}
+/** Map ATR severity to SARIF security-severity score (0-10) */
+function severityToScore(severity) {
+    switch (severity) {
+        case 'critical':
+            return '9.5';
+        case 'high':
+            return '8.0';
+        case 'medium':
+            return '5.5';
+        case 'low':
+            return '3.0';
+        case 'informational':
+            return '1.0';
+        default:
+            return '1.0';
+    }
+}
+/** Build a unique rule index across all results */
+function collectRules(results) {
+    const ruleIndex = new Map();
+    const rules = [];
+    for (const result of results) {
+        for (const match of result.matches) {
+            if (!ruleIndex.has(match.rule.id)) {
+                ruleIndex.set(match.rule.id, rules.length);
+                rules.push(match.rule);
+            }
+        }
+    }
+    return { rules, ruleIndex };
+}
+/**
+ * Convert ATR scan results to SARIF v2.1.0 format.
+ *
+ * @param results - Array of ScanResult from evaluate/scanSkill
+ * @param toolVersion - ATR version string (e.g. "1.0.0")
+ * @returns SARIF JSON object ready for serialization
+ */
+export function scanResultToSARIF(results, toolVersion) {
+    const { rules, ruleIndex } = collectRules(results);
+    const sarifRules = rules.map((rule) => ({
+        id: rule.id,
+        name: rule.id,
+        shortDescription: { text: rule.title },
+        fullDescription: { text: rule.description.slice(0, 1000) },
+        helpUri: `https://github.com/Agent-Threat-Rule/agent-threat-rules/blob/main/rules/${rule.tags.category}`,
+        defaultConfiguration: {
+            level: severityToLevel(rule.severity),
+        },
+        properties: {
+            'security-severity': severityToScore(rule.severity),
+            category: rule.tags.category,
+            tags: ['security', 'ai-agent', rule.tags.category],
+        },
+    }));
+    const sarifResults = [];
+    for (const result of results) {
+        for (const match of result.matches) {
+            const idx = ruleIndex.get(match.rule.id) ?? 0;
+            const location = {};
+            if (result.input_file) {
+                // Make path relative to CWD — never expose absolute paths in SARIF
+                const cwd = process.cwd() + '/';
+                let uri;
+                if (result.input_file.startsWith(cwd)) {
+                    uri = result.input_file.slice(cwd.length);
+                }
+                else if (result.input_file.startsWith('/') || /^[A-Z]:\\/.test(result.input_file)) {
+                    // Absolute path outside CWD — strip to filename only
+                    uri = result.input_file.split('/').pop() ?? result.input_file.split('\\').pop() ?? 'unknown';
+                }
+                else {
+                    uri = result.input_file;
+                }
+                location.physicalLocation = {
+                    artifactLocation: {
+                        uri,
+                        uriBaseId: '%SRCROOT%',
+                    },
+                    region: { startLine: 1 },
+                };
+            }
+            sarifResults.push({
+                ruleId: match.rule.id,
+                ruleIndex: idx,
+                level: severityToLevel(match.rule.severity),
+                message: {
+                    text: `${match.rule.title} (confidence: ${(match.confidence * 100).toFixed(0)}%, conditions: ${match.matchedConditions.join(', ')})`,
+                },
+                ...(result.input_file ? { locations: [location] } : {}),
+                properties: {
+                    confidence: match.confidence,
+                    scan_type: result.scan_type,
+                    scan_context: match.scan_context,
+                    content_hash: result.content_hash,
+                },
+            });
+        }
+    }
+    return {
+        $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json',
+        version: '2.1.0',
+        runs: [
+            {
+                tool: {
+                    driver: {
+                        name: 'ATR (Agent Threat Rules)',
+                        version: toolVersion,
+                        semanticVersion: toolVersion,
+                        informationUri: 'https://github.com/Agent-Threat-Rule/agent-threat-rules',
+                        rules: sarifRules,
+                    },
+                },
+                results: sarifResults,
+            },
+        ],
+    };
+}
+//# sourceMappingURL=sarif.js.map

package/dist/converters/sarif.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sarif.js","sourceRoot":"","sources":["../../src/converters/sarif.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAOH,sCAAsC;AACtC,SAAS,eAAe,CAAC,QAAqB;IAC5C,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,UAAU,CAAC;QAChB,KAAK,MAAM;YACT,OAAO,OAAO,CAAC;QACjB,KAAK,QAAQ;YACX,OAAO,SAAS,CAAC;QACnB,KAAK,KAAK,CAAC;QACX,KAAK,eAAe;YAClB,OAAO,MAAM,CAAC;QAChB;YACE,OAAO,MAAM,CAAC;IAClB,CAAC;AACH,CAAC;AAED,+DAA+D;AAC/D,SAAS,eAAe,CAAC,QAAqB;IAC5C,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,UAAU;YACb,OAAO,KAAK,CAAC;QACf,KAAK,MAAM;YACT,OAAO,KAAK,CAAC;QACf,KAAK,QAAQ;YACX,OAAO,KAAK,CAAC;QACf,KAAK,KAAK;YACR,OAAO,KAAK,CAAC;QACf,KAAK,eAAe;YAClB,OAAO,KAAK,CAAC;QACf;YACE,OAAO,KAAK,CAAC;IACjB,CAAC;AACH,CAAC;AAED,mDAAmD;AACnD,SAAS,YAAY,CACnB,OAA8B;IAE9B,MAAM,SAAS,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC5C,MAAM,KAAK,GAAc,EAAE,CAAC;IAE5B,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACnC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;gBAClC,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;gBAC3C,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;AAC9B,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,iBAAiB,CAC/B,OAA8B,EAC9B,WAAmB;IAEnB,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;IAEnD,MAAM,UAAU,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QACtC,EAAE,EAAE,IAAI,CAAC,EAAE;QACX,IAAI,EAAE,IAAI,CAAC,EAAE;QACb,gBAAgB,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,KAAK,EAAE;QACtC,eAAe,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,EAAE;QAC1D,OAAO,EAAE,2EAA2E,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE;QACxG,oBAAoB,EAAE;YACpB,KAAK,EAAE,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC;SACtC;QACD,UAAU,EAAE;YACV,mBAAmB,EAAE,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC;YACnD,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ;YAC5B,IAAI,EAAE,CAAC,UAAU,EAAE,UAAU,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC;SACnD;KACF,CAAC,CAAC,CAAC;IAEJ,MAAM,YAAY,GAAa,EAAE,CAAC;IAElC,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACnC,MAAM,GAAG,GAAG,SAAS,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;YAE9C,MAAM,QAAQ,GAA4B,EAAE,CAAC;YAC7C,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;gBACtB,mEAAmE;gBACnE,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC;gBAChC,IAAI,GAAW,CAAC;gBAChB,IAAI,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;oBACtC,GAAG,GAAG,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gBAC5C,CAAC;qBAAM,IAAI,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;oBACpF,qDAAqD;oBACrD,GAAG,GAAG,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,IAAI,SAAS,CAAC;gBAC/F,CAAC;qBAAM,CAAC;oBACN,GAAG,GAAG,MAAM,CAAC,UAAU,CAAC;gBAC1B,CAAC;gBACD,QAAQ,CAAC,gBAAgB,GAAG;oBAC1B,gBAAgB,EAAE;wBAChB,GAAG;wBACH,SAAS,EAAE,WAAW;qBACvB;oBACD,MAAM,EAAE,EAAE,SAAS,EAAE,CAAC,EAAE;iBACzB,CAAC;YACJ,CAAC;YAED,YAAY,CAAC,IAAI,CAAC;gBAChB,MAAM,EAAE,KAAK,CAAC,IAAI,CAAC,EAAE;gBACrB,SAAS,EAAE,GAAG;gBACd,KAAK,EAAE,eAAe,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAC3C,OAAO,EAAE;oBACP,IAAI,EAAE,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,iBAAiB,CAAC,KAAK,CAAC,UAAU,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,kBAAkB,KAAK,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;iBACrI;gBACD,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACvD,UAAU,EAAE;oBACV,UAAU,EAAE,KAAK,CAAC,UAAU;oBAC5B,SAAS,EAAE,MAAM,CAAC,SAAS;oBAC3B,YAAY,EAAE,KAAK,CAAC,YAAY;oBAChC,YAAY,EAAE,MAAM,CAAC,YAAY;iBAClC;aACF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO;QACL,OAAO,EAAE,sGAAsG;QAC/G,OAAO,EAAE,OAAO;QAChB,IAAI,EAAE;YACJ;gBACE,IAAI,EAAE;oBACJ,MAAM,EAAE;wBACN,IAAI,EAAE,0BAA0B;wBAChC,OAAO,EAAE,WAAW;wBACpB,eAAe,EAAE,WAAW;wBAC5B,cAAc,EAAE,yDAAyD;wBACzE,KAAK,EAAE,UAAU;qBAClB;iBACF;gBACD,OAAO,EAAE,YAAY;aACtB;SACF;KACF,CAAC;AACJ,CAAC"}

package/dist/engine.d.ts CHANGED Viewed

@@ -11,7 +11,7 @@
  *
  * @module agent-threat-rules/engine
  */
-import type { ATRRule, ATRMatch, AgentEvent, ATRVerdict, ActionResult } from './types.js';
+import type { ATRRule, ATRMatch, AgentEvent, ATRVerdict, ActionResult, ScanResult } from './types.js';
 import type { SessionTracker } from './session-tracker.js';
 import type { ActionExecutor } from './action-executor.js';
 import type { SkillFingerprintStore } from './skill-fingerprint.js';
@@ -87,6 +87,13 @@ export declare class ATREngine {
      * Evaluate a pattern matching condition (named format with patterns array).
      */
     private evaluatePatternCondition;
+    /**
+     * Determine if a rule should suppress matches inside markdown code blocks.
+     * Rules that commonly false-positive on documentation (shell commands, file paths,
+     * code examples) are suppressed. Prompt injection rules are NEVER suppressed
+     * because attackers deliberately hide payloads in code blocks.
+     */
+    private shouldSuppressInCodeBlocks;
     /**
      * Evaluate a behavioral threshold condition.
      * When a session tracker is available and the event has a sessionId,
@@ -159,5 +166,18 @@ export declare class ATREngine {
     getRuleById(id: string): ATRRule | undefined;
     /** Get rules by category */
     getRulesByCategory(category: string): ATRRule[];
+    /**
+     * Scan SKILL.md content for threats.
+     * All rules fire with scanContext='skill':
+     *   - skill/both rules: native context, full confidence
+     *   - MCP-only rules: cross-context, confidence * 0.6
+     * Also decodes base64 blocks and scans decoded content.
+     * Code-block suppression and FP denylist applied in evaluate().
+     */
+    scanSkill(content: string): ATRMatch[];
+    /** Scan a SKILL.md file and return a unified ScanResult with content_hash. */
+    scanSkillFull(content: string, filePath?: string): ScanResult;
+    /** Evaluate an MCP agent event and return a unified ScanResult with content_hash. */
+    evaluateFull(event: AgentEvent, filePath?: string): ScanResult;
 }
 //# sourceMappingURL=engine.d.ts.map

package/dist/engine.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../src/engine.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EACV,OAAO,EACP,QAAQ,EACR,UAAU,EAGV,UAAU,EACV,YAAY,~~EACb~~,MAAM,YAAY,CAAC;~~AAEpB~~,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAE3D,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAEpE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAQlE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAE9D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;~~AAsB9D~~,MAAM,WAAW,eAAe;IAC9B,+CAA+C;IAC/C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,kDAAkD;IAClD,KAAK,CAAC,EAAE,OAAO,EAAE,CAAC;IAClB,sEAAsE;IACtE,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC,0EAA0E;IAC1E,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IACpC,mEAAmE;IACnE,iBAAiB,CAAC,EAAE,iBAAiB,CAAC;IACtC,0EAA0E;IAC1E,gBAAgB,CAAC,EAAE,qBAAqB,CAAC;IACzC,qFAAqF;IACrF,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,0EAA0E;IAC1E,cAAc,CAAC,EAAE,mBAAmB,CAAC;CACtC;AAED,qBAAa,SAAS;IAKR,OAAO,CAAC,QAAQ,CAAC,MAAM;IAJnC,OAAO,CAAC,KAAK,CAAiB;IAC9B,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAA4C;IAC7E,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAwB;gBAElC,MAAM,GAAE,eAAoB;IAUzD;;OAEG;IACG,SAAS,IAAI,OAAO,CAAC,MAAM,CAAC;IAyBlC;;OAEG;IACH,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI;IAMnC;;OAEG;IACH,OAAO,CAAC,IAAI,EAAE,OAAO,GAAG,IAAI;IAK5B;;;OAGG;IACH,QAAQ,CAAC,KAAK,EAAE,UAAU,GAAG,QAAQ,EAAE;~~IA6EvC~~;;;OAGG;IACH,OAAO,CAAC,YAAY;IAapB;;;OAGG;IACH,OAAO,CAAC,uBAAuB;~~IAuC~~/B;;OAEG;IACH,OAAO,CAAC,sBAAsB;~~IA8E9B~~;;;OAGG;IACH,OAAO,CAAC,uBAAuB;~~IAmC~~/B;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAiC9B;;OAEG;IACH,OAAO,CAAC,wBAAwB;~~IAqEhC~~;;;;OAIG;IACH,OAAO,CAAC,2BAA2B;IAoBnC;;;OAGG;IACH,OAAO,CAAC,kBAAkB;IAgC1B;;;OAGG;IACH,OAAO,CAAC,aAAa;IAiBrB;;;;;;;;OAQG;IACH,OAAO,CAAC,yBAAyB;IAmBjC;;;OAGG;IACH,OAAO,CAAC,6BAA6B;IAyErC;;OAEG;IACH,OAAO,CAAC,2BAA2B;IA4BnC;;OAEG;IACH,OAAO,CAAC,YAAY;IAgCpB;;;OAGG;IACH,OAAO,CAAC,kBAAkB;IAsC1B;;OAEG;IACH,OAAO,CAAC,eAAe;IAgCvB;;;OAGG;IACH,OAAO,CAAC,eAAe;~~IAkDvB~~;;;;;OAKG;IACG,mBAAmB,CACvB,KAAK,EAAE,UAAU,EACjB,QAAQ,CAAC,EAAE,cAAc,GACxB,OAAO,CAAC;QACT,OAAO,EAAE,UAAU,CAAC;QACpB,aAAa,EAAE,SAAS,YAAY,EAAE,CAAC;QACvC,UAAU,EAAE,SAAS,MAAM,EAAE,CAAC;KAC/B,CAAC;~~IAsGF~~,4BAA4B;IAC5B,YAAY,IAAI,MAAM;IAItB,2BAA2B;IAC3B,QAAQ,IAAI,SAAS,OAAO,EAAE;IAI9B,uBAAuB;IACvB,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS;IAI5C,4BAA4B;IAC5B,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE;~~CAGhD~~"}
1	+ {"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../src/engine.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EACV,OAAO,EACP,QAAQ,EACR,UAAU,EAGV,UAAU,EACV,YAAY,EACZ,UAAU,EAEX,MAAM,YAAY,CAAC;AAGpB,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAE3D,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAEpE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAQlE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAE9D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAuE9D,MAAM,WAAW,eAAe;IAC9B,+CAA+C;IAC/C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,kDAAkD;IAClD,KAAK,CAAC,EAAE,OAAO,EAAE,CAAC;IAClB,sEAAsE;IACtE,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC,0EAA0E;IAC1E,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IACpC,mEAAmE;IACnE,iBAAiB,CAAC,EAAE,iBAAiB,CAAC;IACtC,0EAA0E;IAC1E,gBAAgB,CAAC,EAAE,qBAAqB,CAAC;IACzC,qFAAqF;IACrF,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,0EAA0E;IAC1E,cAAc,CAAC,EAAE,mBAAmB,CAAC;CACtC;AAED,qBAAa,SAAS;IAKR,OAAO,CAAC,QAAQ,CAAC,MAAM;IAJnC,OAAO,CAAC,KAAK,CAAiB;IAC9B,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAA4C;IAC7E,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAwB;gBAElC,MAAM,GAAE,eAAoB;IAUzD;;OAEG;IACG,SAAS,IAAI,OAAO,CAAC,MAAM,CAAC;IAyBlC;;OAEG;IACH,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI;IAMnC;;OAEG;IACH,OAAO,CAAC,IAAI,EAAE,OAAO,GAAG,IAAI;IAK5B;;;OAGG;IACH,QAAQ,CAAC,KAAK,EAAE,UAAU,GAAG,QAAQ,EAAE;IA2FvC;;;OAGG;IACH,OAAO,CAAC,YAAY;IAapB;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAwC/B;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAgF9B;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAoC/B;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAiC9B;;OAEG;IACH,OAAO,CAAC,wBAAwB;IAiFhC;;;;;OAKG;IACH,OAAO,CAAC,0BAA0B;IAwBlC;;;;OAIG;IACH,OAAO,CAAC,2BAA2B;IAoBnC;;;OAGG;IACH,OAAO,CAAC,kBAAkB;IAgC1B;;;OAGG;IACH,OAAO,CAAC,aAAa;IAiBrB;;;;;;;;OAQG;IACH,OAAO,CAAC,yBAAyB;IAmBjC;;;OAGG;IACH,OAAO,CAAC,6BAA6B;IAyErC;;OAEG;IACH,OAAO,CAAC,2BAA2B;IA4BnC;;OAEG;IACH,OAAO,CAAC,YAAY;IAgCpB;;;OAGG;IACH,OAAO,CAAC,kBAAkB;IAsC1B;;OAEG;IACH,OAAO,CAAC,eAAe;IAgCvB;;;OAGG;IACH,OAAO,CAAC,eAAe;IAoDvB;;;;;OAKG;IACG,mBAAmB,CACvB,KAAK,EAAE,UAAU,EACjB,QAAQ,CAAC,EAAE,cAAc,GACxB,OAAO,CAAC;QACT,OAAO,EAAE,UAAU,CAAC;QACpB,aAAa,EAAE,SAAS,YAAY,EAAE,CAAC;QACvC,UAAU,EAAE,SAAS,MAAM,EAAE,CAAC;KAC/B,CAAC;IAuGF,4BAA4B;IAC5B,YAAY,IAAI,MAAM;IAItB,2BAA2B;IAC3B,QAAQ,IAAI,SAAS,OAAO,EAAE;IAI9B,uBAAuB;IACvB,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS;IAI5C,4BAA4B;IAC5B,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE;IAI/C;;;;;;;OAOG;IACH,SAAS,CAAC,OAAO,EAAE,MAAM,GAAG,QAAQ,EAAE;IA4BtC,8EAA8E;IAC9E,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,UAAU;IAa7D,qFAAqF;IACrF,YAAY,CAAC,KAAK,EAAE,UAAU,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,UAAU;CAgB/D"}

package/dist/engine.js CHANGED Viewed

@@ -11,11 +11,57 @@
  *
  * @module agent-threat-rules/engine
  */
+import { computeContentHash } from './content-hash.js';
 import { loadRulesFromDirectory, loadRuleFile } from './loader.js';
 import { computeVerdict } from './verdict.js';
 import { SemanticModule } from './modules/semantic.js';
 import { resolveSkillId, runFingerprintLayer, shouldRunSemanticLayer, createSemanticModuleFromConfig, runSemanticLayer, } from './layer-integration.js';
 import { buildBlacklistMatch, resolveSkillId as resolveBlacklistSkillId } from './tier1-blacklist.js';
+/**
+ * Rules excluded from skill-context scanning due to high false-positive rate.
+ * Threshold: >2% FP on 250 benign SKILL.md files.
+ * Re-evaluate when adding new rules or updating detection patterns.
+ */
+const SKILL_CONTEXT_DENYLIST = new Set([
+    'ATR-2026-00111', // Shell Escape — 95.2% FP on benign skills (matches any shell/exec mention)
+    'ATR-2026-00118', // Approval Fatigue — 84.8% FP on benign skills (matches any approval/confirm pattern)
+    'ATR-2026-00051', // Resource Exhaustion — 1.6% FP (matches loop/retry patterns in normal skills)
+    'ATR-2026-00030', // Cross-Agent Attack — 0.8% FP (matches multi-agent communication patterns)
+    'ATR-2026-00002', // Indirect Prompt Injection — 0.8% FP (matches content-fetch patterns)
+    'ATR-2026-00050', // Runaway Agent Loop — 0.4% FP (matches loop patterns in automation skills)
+    'ATR-2026-00117', // Agent Identity Spoofing — 0.4% FP (matches persona/identity patterns)
+    'ATR-2026-00116', // A2A Message Injection — 0.4% FP (matches agent communication patterns)
+    'ATR-2026-00114', // OAuth Token Interception — 2.57% FP on 53K skills (matches normal auth patterns)
+]);
+/**
+ * Detect and decode base64-encoded blocks in content.
+ * Bounds: max 1 level decode, max 5 blocks, min 32 chars per block,
+ * MAX_EVAL_LENGTH per decoded block. Returns decoded text fragments.
+ */
+const BASE64_BLOCK_RE = /(?:[A-Za-z0-9+/]{32,}={0,2})/g;
+const MAX_DECODE_BLOCKS = 5;
+function decodeBase64Blocks(content) {
+    const decoded = [];
+    let match;
+    let count = 0;
+    while ((match = BASE64_BLOCK_RE.exec(content)) !== null && count < MAX_DECODE_BLOCKS) {
+        try {
+            const raw = Buffer.from(match[0], 'base64');
+            const text = raw.toString('utf-8');
+            // Only keep if decoded content looks like text (not binary garbage)
+            // Check: >80% printable ASCII or valid UTF-8 with common chars
+            const printable = text.split('').filter(c => c.charCodeAt(0) >= 32 && c.charCodeAt(0) < 127).length;
+            if (printable / text.length > 0.7 && text.length >= 10) {
+                decoded.push(text.slice(0, 100_000)); // MAX_EVAL_LENGTH bound
+                count++;
+            }
+        }
+        catch {
+            // Invalid base64, skip
+        }
+    }
+    return decoded;
+}
 /** Map agent event types to ATR source types */
 const EVENT_TYPE_TO_SOURCE = {
     llm_input: 'llm_io',
@@ -122,12 +168,17 @@ export class ATREngine {
             }
         }
         // Tier 2: Pattern matching (existing regex rules)
+        const isSkillContext = event.scanContext === 'skill';
         for (const rule of this.rules) {
             // Skip deprecated and draft rules
             if (rule.status === 'deprecated' || rule.status === 'draft')
                 continue;
+            // Skill context denylist: skip rules known to cause high FP on SKILL.md content
+            if (isSkillContext && SKILL_CONTEXT_DENYLIST.has(rule.id))
+                continue;
             // Source type filtering: skip rules that don't apply to this event type
-            if (eventSourceType && rule.agent_source.type !== eventSourceType) {
+            // When scanContext is 'skill', skip source-type filtering — all rules fire
+            if (!isSkillContext && eventSourceType && rule.agent_source.type !== eventSourceType) {
                 // Allow mcp_exchange rules to also match tool_call events
                 if (!(rule.agent_source.type === 'mcp_exchange' && eventSourceType === 'tool_call')) {
                     continue;
@@ -135,7 +186,17 @@ export class ATREngine {
             }
             const matchResult = this.evaluateRule(rule, event);
             if (matchResult) {
-                matches.push(matchResult);
+                // Cross-context: MCP-only rules firing on SKILL.md get confidence downweight
+                if (isSkillContext && rule.tags.scan_target !== 'skill' && rule.tags.scan_target !== 'both') {
+                    matches.push({
+                        ...matchResult,
+                        confidence: matchResult.confidence * 0.6,
+                        scan_context: 'cross-context',
+                    });
+                }
+                else {
+                    matches.push(matchResult);
+                }
                 allMatchedPatterns.push(...matchResult.matchedPatterns);
             }
         }
@@ -206,6 +267,7 @@ export class ATREngine {
             matchedPatterns: allMatchedPatterns,
             confidence,
             timestamp: new Date().toISOString(),
+            scan_context: 'native',
         };
     }
     /**
@@ -244,7 +306,9 @@ export class ATREngine {
                 }
                 // Fallback: compile on the fly
                 try {
-                    const regex = new RegExp(normalizeRegex(value), 'i');
+                    const normalized = normalizeRegex(value);
+                    const rFlags = normalized.includes('\\u{') || normalized.includes('\\p{') ? 'iu' : 'i';
+                    const regex = new RegExp(normalized, rFlags);
                     if (safeRegexTest(regex, fieldValue) || safeRegexTest(regex, rawFieldValue)) {
                         matchedPatterns.push(value);
                         return true;
@@ -307,6 +371,7 @@ export class ATREngine {
             matchedPatterns: allMatchedPatterns,
             confidence,
             timestamp: new Date().toISOString(),
+            scan_context: 'native',
         };
     }
     /**
@@ -336,11 +401,22 @@ export class ATREngine {
         if (!rawFieldValue)
             return false;
         const fieldValue = normalizeUnicode(rawFieldValue);
+        // Code block suppression: for rules that commonly false-positive on
+        // documentation content (shell commands, file paths in code examples),
+        // check if the match falls inside a markdown code block.
+        // Prompt injection rules (ATR-001 through ATR-005, ATR-080+) are NOT suppressed
+        // because attackers can hide injections in code blocks too.
+        const suppressInCodeBlocks = this.shouldSuppressInCodeBlocks(ruleId);
+        const codeRanges = suppressInCodeBlocks ? buildCodeBlockRanges(fieldValue) : [];
         // Get pre-compiled patterns
         const compiled = this.compiledPatterns.get(ruleId)?.get(condName);
         if (compiled) {
             for (let i = 0; i < compiled.length; i++) {
                 if (safeRegexTest(compiled[i], fieldValue) || (rawFieldValue && safeRegexTest(compiled[i], rawFieldValue))) {
+                    // If match is inside a code block and this rule supports suppression, skip it
+                    if (suppressInCodeBlocks && codeRanges.length > 0 && isInsideCodeBlock(fieldValue, compiled[i], codeRanges)) {
+                        continue;
+                    }
                     matchedPatterns.push(cond.patterns[i] ?? 'unknown');
                     return true;
                 }
@@ -389,6 +465,37 @@ export class ATREngine {
         }
         return false;
     }
+    /**
+     * Determine if a rule should suppress matches inside markdown code blocks.
+     * Rules that commonly false-positive on documentation (shell commands, file paths,
+     * code examples) are suppressed. Prompt injection rules are NEVER suppressed
+     * because attackers deliberately hide payloads in code blocks.
+     */
+    shouldSuppressInCodeBlocks(ruleId) {
+        const rule = this.rules.find(r => r.id === ruleId);
+        if (!rule)
+            return false;
+        const category = rule.tags?.category ?? '';
+        const subcategory = rule.tags?.subcategory ?? '';
+        // Categories that commonly match documentation content
+        const suppressCategories = [
+            'privilege-escalation', // ATR-111 shell metacharacter
+            'context-exfiltration', // ATR-113 credential paths
+            'skill-compromise', // supply chain patterns in docs
+        ];
+        // Never suppress skill-content rules (ATR-120+) — code blocks in SKILL.md
+        // are executable instructions, not documentation examples
+        const neverSuppressSubcategories = [
+            'skill-instruction-injection',
+            'dangerous-script',
+            'weaponized-skill',
+            'skill-overreach',
+            'skill-squatting',
+        ];
+        if (neverSuppressSubcategories.includes(subcategory))
+            return false;
+        return suppressCategories.includes(category);
+    }
     /**
      * Evaluate a behavioral threshold condition.
      * When a session tracker is available and the event has a sessionId,
@@ -680,7 +787,9 @@ export class ATREngine {
                 const cond = conditions[i];
                 if (cond['operator'] === 'regex' && typeof cond['value'] === 'string') {
                     try {
-                        ruleMap.set(String(i), [new RegExp(normalizeRegex(cond['value']), 'i')]);
+                        const pattern = normalizeRegex(cond['value']);
+                        const flags = pattern.includes('\\u{') || pattern.includes('\\p{') ? 'iu' : 'i';
+                        ruleMap.set(String(i), [new RegExp(pattern, flags)]);
                     }
                     catch {
                         // Invalid regex, skip
@@ -777,6 +886,7 @@ export class ATREngine {
                         matchedPatterns: [`similarity=${embResult.value.toFixed(3)}`],
                         confidence: embResult.value,
                         timestamp: new Date().toISOString(),
+                        scan_context: 'native',
                     };
                     matches = [...matches, syntheticMatch];
                 }
@@ -835,6 +945,68 @@ export class ATREngine {
     getRulesByCategory(category) {
         return this.rules.filter((r) => r.tags.category === category);
     }
+    /**
+     * Scan SKILL.md content for threats.
+     * All rules fire with scanContext='skill':
+     *   - skill/both rules: native context, full confidence
+     *   - MCP-only rules: cross-context, confidence * 0.6
+     * Also decodes base64 blocks and scans decoded content.
+     * Code-block suppression and FP denylist applied in evaluate().
+     */
+    scanSkill(content) {
+        const baseEvent = {
+            type: 'mcp_exchange',
+            timestamp: new Date().toISOString(),
+            sessionId: 'skill-scan',
+            fields: {},
+            scanContext: 'skill',
+        };
+        // Scan original content
+        const matches = this.evaluate({ ...baseEvent, content });
+        // Scan base64-decoded blocks for hidden payloads
+        const decodedBlocks = decodeBase64Blocks(content);
+        for (const block of decodedBlocks) {
+            const blockMatches = this.evaluate({ ...baseEvent, content: block });
+            for (const m of blockMatches) {
+                // Tag decoded matches so consumers know the source
+                matches.push({
+                    ...m,
+                    matchedPatterns: [...m.matchedPatterns, '[decoded:base64]'],
+                });
+            }
+        }
+        return matches;
+    }
+    /** Scan a SKILL.md file and return a unified ScanResult with content_hash. */
+    scanSkillFull(content, filePath) {
+        const matches = this.scanSkill(content);
+        return {
+            scan_type: 'skill',
+            content_hash: computeContentHash(content),
+            input_file: filePath,
+            timestamp: new Date().toISOString(),
+            rules_loaded: this.rules.length,
+            matches,
+            threat_count: matches.length,
+        };
+    }
+    /** Evaluate an MCP agent event and return a unified ScanResult with content_hash. */
+    evaluateFull(event, filePath) {
+        const matches = this.evaluate(event);
+        // Hash content + fields to distinguish tool-call events with same content but different args
+        const hashInput = event.fields
+            ? event.content + '\0' + JSON.stringify(event.fields)
+            : event.content;
+        return {
+            scan_type: 'mcp',
+            content_hash: computeContentHash(hashInput),
+            input_file: filePath,
+            timestamp: new Date().toISOString(),
+            rules_loaded: this.rules.length,
+            matches,
+            threat_count: matches.length,
+        };
+    }
 }
 function escapeRegex(str) {
     return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
@@ -866,4 +1038,43 @@ function safeRegexTest(regex, input) {
         return false;
     return regex.test(input);
 }
+/**
+ * Build a set of character ranges that fall inside markdown code blocks.
+ * Covers both fenced (``` ```) and inline (`code`) blocks.
+ * Used to suppress false positives when regex matches documentation examples
+ * rather than actual attack payloads.
+ */
+function buildCodeBlockRanges(text) {
+    const ranges = [];
+    // Fenced code blocks: ```...```
+    const fenced = /```[\s\S]*?```/g;
+    let m;
+    while ((m = fenced.exec(text)) !== null) {
+        ranges.push([m.index, m.index + m[0].length]);
+    }
+    // Inline code: `...` (but not inside fenced blocks)
+    const inline = /`[^`\n]+`/g;
+    while ((m = inline.exec(text)) !== null) {
+        const pos = m.index;
+        const inFenced = ranges.some(([start, end]) => pos >= start && pos < end);
+        if (!inFenced) {
+            ranges.push([pos, pos + m[0].length]);
+        }
+    }
+    return ranges;
+}
+/**
+ * Check if a regex match position falls inside a code block.
+ */
+function isInsideCodeBlock(text, regex, codeRanges) {
+    if (codeRanges.length === 0)
+        return false;
+    // Reset regex state and find match position
+    const searchRegex = new RegExp(regex.source, regex.flags.includes('g') ? regex.flags : regex.flags + 'g');
+    const m = searchRegex.exec(text);
+    if (!m)
+        return false;
+    const matchPos = m.index;
+    return codeRanges.some(([start, end]) => matchPos >= start && matchPos < end);
+}
 //# sourceMappingURL=engine.js.map