agent-threat-rules 2.1.5 → 3.0.5

package/spec/schema/profile.schema.json

@@ -0,0 +1,196 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://spec.agentthreatrule.org/profile/v1.0/schema.json",
+  "title": "ATR Profile v1.0",
+  "description": "Machine-readable schema for ATR profile (rule-set composition). Normative spec at spec/atr-profile-v1.0.md. License: CC BY 4.0.",
+  "type": "object",
+  "required": ["profile", "inclusions"],
+  "additionalProperties": false,
+  "properties": {
+    "profile": {
+      "type": "object",
+      "required": [
+        "schema_version",
+        "id",
+        "title",
+        "version",
+        "description",
+        "author",
+        "date",
+        "license",
+        "status",
+        "conformance_bound"
+      ],
+      "additionalProperties": false,
+      "properties": {
+        "schema_version": {
+          "type": "string",
+          "const": "1.0"
+        },
+        "id": {
+          "type": "string",
+          "pattern": "^[a-z0-9][a-z0-9-]{2,63}$",
+          "description": "Globally unique profile identifier (kebab-case)."
+        },
+        "title": {
+          "type": "string",
+          "minLength": 3
+        },
+        "version": {
+          "type": "string",
+          "pattern": "^\\d+\\.\\d+\\.\\d+(?:-[0-9A-Za-z.-]+)?$",
+          "description": "SemVer 2.0 profile version."
+        },
+        "description": {
+          "type": "string",
+          "minLength": 20
+        },
+        "author": {
+          "type": "string"
+        },
+        "date": {
+          "type": "string",
+          "format": "date"
+        },
+        "license": {
+          "type": "string",
+          "description": "SPDX license identifier or full license URL.",
+          "examples": ["CC-BY-4.0", "MIT", "Apache-2.0"]
+        },
+        "status": {
+          "type": "string",
+          "enum": ["draft", "stable", "deprecated"]
+        },
+        "conformance_bound": {
+          "type": "object",
+          "required": [
+            "spec_version_min",
+            "minimum_rule_coverage",
+            "minimum_engine_passing"
+          ],
+          "additionalProperties": false,
+          "properties": {
+            "spec_version_min": {
+              "type": "string",
+              "pattern": "^\\d+\\.\\d+$"
+            },
+            "spec_version_max": {
+              "type": ["string", "null"],
+              "pattern": "^\\d+\\.\\d+$"
+            },
+            "minimum_rule_coverage": {
+              "type": "number",
+              "minimum": 0.0,
+              "maximum": 1.0
+            },
+            "minimum_engine_passing": {
+              "type": "number",
+              "minimum": 0.0,
+              "maximum": 1.0
+            }
+          }
+        }
+      }
+    },
+    "inclusions": {
+      "type": "array",
+      "minItems": 1,
+      "items": {
+        "$ref": "#/$defs/selector"
+      }
+    },
+    "exclusions": {
+      "type": "array",
+      "items": {
+        "$ref": "#/$defs/selector"
+      }
+    },
+    "resolved_rules_summary": {
+      "type": "object",
+      "description": "Optional informational summary populated at profile-resolution time.",
+      "additionalProperties": true,
+      "properties": {
+        "total": {"type": "integer", "minimum": 0},
+        "by_category": {
+          "type": "object",
+          "patternProperties": {
+            "^[a-z][a-z0-9-]+$": {"type": "integer", "minimum": 0}
+          }
+        }
+      }
+    }
+  },
+  "$defs": {
+    "selector": {
+      "type": "object",
+      "oneOf": [
+        {
+          "required": ["rule_id"],
+          "properties": {
+            "rule_id": {
+              "type": "string",
+              "pattern": "^ATR-(?:[A-Z]{2}-)?[0-9]{4}-[0-9]{5}$"
+            }
+          },
+          "additionalProperties": false
+        },
+        {
+          "required": ["rule_id_pattern"],
+          "properties": {
+            "rule_id_pattern": {
+              "type": "string",
+              "description": "Glob pattern matching ATR rule IDs."
+            }
+          },
+          "additionalProperties": false
+        },
+        {
+          "required": ["category"],
+          "properties": {
+            "category": {
+              "type": "string",
+              "description": "Top-level category from spec/category-registry/v1.0.yaml or a reserved namespace prefix."
+            }
+          },
+          "additionalProperties": false
+        },
+        {
+          "required": ["tag_match"],
+          "properties": {
+            "tag_match": {
+              "type": "object",
+              "additionalProperties": {
+                "oneOf": [
+                  {"type": "string"},
+                  {"type": "array", "items": {"type": "string"}}
+                ]
+              }
+            }
+          },
+          "additionalProperties": false
+        },
+        {
+          "required": ["profile"],
+          "properties": {
+            "profile": {
+              "type": "string",
+              "pattern": "^[a-z0-9][a-z0-9-]{2,63}@\\d+\\.\\d+\\.\\d+$",
+              "description": "Profile inclusion in form <profile-id>@<version> for composition."
+            }
+          },
+          "additionalProperties": false
+        },
+        {
+          "required": ["rule_status"],
+          "properties": {
+            "rule_status": {
+              "type": "string",
+              "enum": ["draft", "experimental", "stable", "deprecated"]
+            }
+          },
+          "additionalProperties": false
+        }
+      ]
+    }
+  }
+}

package/spec/schema/rule.schema.json

@@ -0,0 +1,224 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://spec.agentthreatrule.org/rule/v1.0/schema.json",
+  "title": "ATR Rule v1.0",
+  "description": "Machine-readable schema for ATR detection rule format. Normative prose spec at ATR-SPEC-v1.md. Existing YAML schema at spec/atr-schema.yaml. This JSON Schema adds v2.0 provenance + lifecycle fields per governance/CHARTER.md and is backward-compatible with v1.0 rules (new fields optional). License: CC BY 4.0.",
+  "type": "object",
+  "required": [
+    "schema_version",
+    "id",
+    "title",
+    "status",
+    "description",
+    "author",
+    "date",
+    "severity",
+    "detection_tier",
+    "maturity",
+    "tags",
+    "agent_source",
+    "detection",
+    "response"
+  ],
+  "additionalProperties": true,
+  "properties": {
+    "schema_version": {
+      "type": "string",
+      "pattern": "^\\d+\\.\\d+$"
+    },
+    "id": {
+      "type": "string",
+      "pattern": "^ATR-(?:[A-Z]{2}-)?[0-9]{4}-[0-9]{5}$",
+      "description": "Canonical: ATR-YYYY-NNNNN. Sovereign-prefixed: ATR-XX-YYYY-NNNNN per CHARTER § 8.2."
+    },
+    "rule_version": {
+      "type": "integer",
+      "minimum": 1,
+      "default": 1
+    },
+    "title": {"type": "string", "minLength": 5},
+    "status": {
+      "type": "string",
+      "enum": ["draft", "experimental", "stable", "deprecated"]
+    },
+    "description": {"type": "string", "minLength": 20},
+    "author": {"type": "string", "minLength": 1},
+    "date": {
+      "type": "string",
+      "anyOf": [
+        {"format": "date"},
+        {"pattern": "^[0-9]{4}/[0-9]{2}/[0-9]{2}$"}
+      ]
+    },
+    "modified": {"type": "string"},
+    "severity": {
+      "type": "string",
+      "enum": ["critical", "high", "medium", "low", "informational"]
+    },
+    "detection_tier": {
+      "type": "string",
+      "enum": ["pattern", "behavioral", "protocol", "classifier"]
+    },
+    "maturity": {
+      "type": "string",
+      "enum": ["draft", "experimental", "test", "stable", "deprecated"]
+    },
+    "confidence": {
+      "type": "integer",
+      "minimum": 0,
+      "maximum": 100,
+      "description": "Engine confidence percentage 0-100."
+    },
+    "tags": {
+      "type": "object",
+      "required": ["category"],
+      "properties": {
+        "category": {"type": "string"},
+        "subcategory": {"type": "string"},
+        "confidence": {"type": "string", "enum": ["high", "medium", "low"]},
+        "scan_target": {"type": "string", "enum": ["mcp", "skill", "skill_md", "llm_io", "runtime", "user_input", "tool_response", "both", "llm"]},
+        "source": {"type": "string"},
+        "vendor_sources": {"oneOf": [{"type": "string"}, {"type": "array"}]},
+        "suppress_in_code_blocks": {"type": "boolean"}
+      },
+      "additionalProperties": true
+    },
+    "agent_source": {
+      "type": "object",
+      "required": ["type"],
+      "properties": {
+        "type": {"type": "string"},
+        "framework": {"type": "array", "items": {"type": "string"}},
+        "provider": {"type": "array", "items": {"type": "string"}}
+      },
+      "additionalProperties": true
+    },
+    "detection": {
+      "type": "object",
+      "required": ["conditions"],
+      "properties": {
+        "conditions": {
+          "type": "array",
+          "minItems": 1,
+          "items": {
+            "type": "object",
+            "anyOf": [
+              {
+                "required": ["field", "operator", "value"],
+                "properties": {
+                  "field": {"type": "string"},
+                  "operator": {"type": "string", "enum": ["regex", "equals", "contains", "matches", "ml_classifier", "ast", "bytecode"]},
+                  "value": {"type": ["string", "array", "object"]},
+                  "language": {"type": "string", "description": "ISO 639-1 code per spec/atr-language-detection-v1.0.md"},
+                  "description": {"type": "string"}
+                }
+              },
+              {
+                "required": ["metric", "operator", "threshold"],
+                "properties": {
+                  "metric": {"type": "string"},
+                  "operator": {"type": "string"},
+                  "threshold": {"type": ["number", "string"]}
+                }
+              }
+            ]
+          }
+        },
+        "condition": {"type": "string", "description": "Boolean expression over condition aliases. Default: 'any' (OR)."},
+        "false_positives": {"type": "array", "items": {"type": "string"}}
+      }
+    },
+    "response": {
+      "type": "object",
+      "required": ["actions"],
+      "properties": {
+        "actions": {
+          "type": "array",
+          "items": {"type": "string", "enum": ["block_input", "block_output", "redact", "alert", "snapshot", "quarantine", "terminate_session"]},
+          "minItems": 1
+        },
+        "auto_response_threshold": {"type": "string"},
+        "message_template": {"type": "string"}
+      }
+    },
+    "references": {
+      "type": "object",
+      "additionalProperties": true,
+      "properties": {
+        "owasp_llm": {"type": "array", "items": {"type": "string"}},
+        "owasp_agentic": {"type": "array", "items": {"type": "string"}},
+        "mitre_atlas": {"type": "array", "items": {"type": "string"}},
+        "cve": {"type": "array", "items": {"type": "string"}},
+        "ghsa": {"type": "array", "items": {"type": "string"}}
+      }
+    },
+    "compliance": {
+      "type": "object",
+      "additionalProperties": true,
+      "description": "Mappings to compliance frameworks (OWASP, EU AI Act, NIST AI RMF, ISO 42001, etc.). Each is an array of objects with id/article/clause + context + strength fields."
+    },
+    "test_cases": {
+      "type": "object",
+      "properties": {
+        "true_positives": {
+          "type": "array",
+          "minItems": 1,
+          "items": {
+            "type": "object",
+            "required": ["input", "expected"],
+            "properties": {
+              "input": {"type": "string"},
+              "expected": {"type": "string", "enum": ["triggered", "not_triggered"]},
+              "description": {"type": "string"}
+            }
+          }
+        },
+        "true_negatives": {
+          "type": "array",
+          "minItems": 1,
+          "items": {
+            "type": "object",
+            "required": ["input", "expected"],
+            "properties": {
+              "input": {"type": "string"},
+              "expected": {"type": "string", "enum": ["triggered", "not_triggered"]},
+              "description": {"type": "string"}
+            }
+          }
+        }
+      }
+    },
+    "provenance": {
+      "type": "object",
+      "description": "v2.0 — producer attribution per CHARTER § 5 multi-producer architecture. Optional in v1.0 rules for backward compatibility.",
+      "properties": {
+        "producer": {
+          "type": "string",
+          "enum": ["red_team", "tc_flywheel", "cve_pipeline", "research_paper", "community", "sovereign"]
+        },
+        "contributor": {"type": "string"},
+        "contributor_org": {"type": "string"},
+        "attestation_signature": {
+          "type": "string",
+          "description": "ed25519 sig for sovereign-issued rules per CHARTER § 8.2."
+        },
+        "origin_event_id": {
+          "type": "string",
+          "description": "Link to source CVE / TC event / research paper."
+        }
+      }
+    },
+    "lifecycle": {
+      "type": "object",
+      "description": "v2.0 — explicit lifecycle metadata per CHARTER § 5.",
+      "properties": {
+        "review_status": {
+          "type": "string",
+          "enum": ["unreviewed", "community_reviewed", "tsc_approved"]
+        },
+        "created": {"type": "string", "format": "date"},
+        "last_validated": {"type": "string", "format": "date"}
+      }
+    }
+  }
+}

package/spec/stix-extension/README.md

@@ -4,19 +4,23 @@ This directory defines a STIX 2.1 extension that introduces the
 `x-atr-rule` custom Domain Object so ATR rules can be represented
 natively in STIX/TAXII threat-intelligence pipelines.
 
+**Current version: 1.1.0** (2026-05-28). See [Changelog](#changelog) below.
+
 ## Why a STIX extension
 
 ATR rules are an open detection vocabulary for AI agent threats —
-prompt injection, tool poisoning, MCP server attacks, skill compromise.
+prompt injection, tool poisoning, MCP server attacks, skill compromise,
+plus the v1.1 trace-method rules for silent failures and scope drift.
 They were adopted as a MISP taxonomy in [MISP/misp-taxonomies#323][misp-tax]
 on 2026-05-10 and a MISP galaxy in [MISP/misp-galaxy#1207][misp-gal].
 
 Several CTI consumers use STIX/TAXII rather than MISP. Mapping ATR to a
 generic STIX `indicator` or `attack-pattern` object is lossy: the
-nine-category attack class, regex detection patterns, severity, and the
-compliance-framework references (EU AI Act, NIST AI RMF, ISO 42001) all
-get flattened. This extension preserves them as first-class fields on a
-new `x-atr-rule` SDO.
+ten-category attack class, regex detection patterns, severity, the
+five-plane detection method (v1.1), and the compliance-framework references
+(EU AI Act, NIST AI RMF, NIST CSF 2.0, ISO 42001, ETSI TS 104 223, OSCAL)
+all get flattened. This extension preserves them as first-class fields on
+a new `x-atr-rule` SDO.
 
 ## Files
 
@@ -24,24 +28,42 @@ new `x-atr-rule` SDO.
   STIX 2.1 Extension Definition object. Stable id
   `extension-definition--93370194-c964-570f-9802-9d1154e5525d`. Consumers
   reference this id in the `extensions` map of every `x-atr-rule`
-  instance.
+  instance. v1.1.0 as of 2026-05-28.
 - [`x-atr-rule-schema.json`](./x-atr-rule-schema.json) — JSON Schema
   (Draft 7) for the new SDO. Defines required fields, enum values for
-  `atr_category` / `severity` / `agent_source_type` / `response_actions`,
-  and structural constraints on `detection_patterns` and
-  `compliance_refs`.
+  `atr_category` / `atr_method` / `atr_runtime_profile` / `severity` /
+  `agent_source_type` / `response_actions`, and structural constraints
+  on `detection_patterns`, `signature_indicators`, `semantic_judge`,
+  `trace_detection`, and `compliance_refs`.
 - [`examples/atr-rule-prompt-injection-example.json`](./examples/atr-rule-prompt-injection-example.json)
-  — concrete instance for `ATR-2026-00001` showing the full payload
-  shape including the extension reference.
+  — pattern-method instance for `ATR-2026-00001`.
+- [`examples/atr-rule-trace-method-example.json`](./examples/atr-rule-trace-method-example.json)
+  — v1.1 trace-method instance for `ATR-2026-00548`. Shows the
+  `trace_detection` payload with the `invariant` primitive.
 
 ## Identifier convention
 
 `x-atr-rule.id` is recommended to be a deterministic UUIDv5 derived
-from the canonical ATR rule id (e.g. `ATR-2026-00431`) under the
+from the canonical ATR rule id (e.g. `ATR-2026-00548`) under the
 namespace UUID `6f7a8b9c-1d2e-4f5a-9b8c-7e6d5f4a3b2c`. The same rule id
 therefore always produces the same STIX id across consumers, which lets
 multiple feeds align without conflict resolution.
 
+## Method-specific payload mapping (v1.1)
+
+The `atr_method` field selects which optional payload field is populated:
+
+| `atr_method` | Required companion field | Maps to ATR YAML |
+|--------------|--------------------------|------------------|
+| `pattern` | `detection_patterns` | `detection.conditions` |
+| `signature` | `signature_indicators` | `detection.signature.indicators` |
+| `semantic` | `semantic_judge` | `detection.semantic` |
+| `behavioral` | (placeholder; spec §7) | — |
+| `trace` | `trace_detection` | `detection.trace` |
+
+For multi-method rules (e.g., rule 00552 uses both invariant AND forbid
+inside one trace block), all primitives ship under `trace_detection.primitives`.
+
 ## Extension type
 
 `extension_types: ["new-sdo"]` per STIX 2.1 §7.3, which is the correct
@@ -50,6 +72,23 @@ The schema field on the Extension Definition points at the JSON Schema
 in this directory via raw GitHub URL so the schema is dereferenceable
 for validating consumers.
 
+## MISP export hint
+
+Consumers that bridge STIX → MISP can map `x-atr-rule` to MISP objects:
+
+| `x-atr-rule` field | MISP object / attribute |
+|--------------------|-------------------------|
+| `atr_id` | `external-references[type=external_analysis]` or first `atr` attribute |
+| `atr_category` | MISP taxonomy `atr:category="<value>"` (via misp-taxonomies#323) |
+| `severity` | MISP `threat-level` |
+| `detection_patterns[].pattern` | `pattern-in-file` attribute (one per regex) |
+| `signature_indicators[].value` | MISP `sha256` / `filename` / `url` attribute by `type` |
+| `cve_refs` | MISP `vulnerability` attribute |
+| `mitre_atlas_refs` | MISP galaxy `mitre-atlas-techniques` |
+| `compliance_refs.*` | MISP free-form tag, namespace per framework |
+
+A reference STIX→MISP transpiler is planned at `scripts/export-stix-to-misp.ts`.
+
 ## Validation
 
 ```bash
@@ -58,12 +97,34 @@ python3 -c "import json, jsonschema; \
   schema = json.load(open('spec/stix-extension/x-atr-rule-schema.json')); \
   example = json.load(open('spec/stix-extension/examples/atr-rule-prompt-injection-example.json')); \
   jsonschema.validate(example, schema); \
+  trace_example = json.load(open('spec/stix-extension/examples/atr-rule-trace-method-example.json')); \
+  jsonschema.validate(trace_example, schema); \
   print('OK')"
 ```
 
+## Changelog
+
+### v1.1.0 — 2026-05-28
+- Added `atr_method` enum field (pattern / signature / semantic / behavioral / trace).
+- Added `atr_runtime_profile` enum field (deterministic / assisted).
+- Added 10th category `model-security` to `atr_category` enum.
+- Added `agent_trace` to `agent_source_type` enum.
+- Added method-specific payload objects: `signature_indicators`,
+  `semantic_judge`, `trace_detection`.
+- Added `probe_id_refs` for adversarial probe binding (PyRIT / garak / etc).
+- Added compliance fields: `nist_csf`, `etsi_ts_104223`, `oscal_assessment_objective`.
+- Added `owasp_ast_refs`, `safe_mcp_refs`.
+- Extended `response_actions` enum with SPEC.md Appendix A canonical
+  vocabulary (`block_request`, `log_alert`, `redact_match`, etc).
+- Added `draft` to `maturity` enum to match on-disk rule status vocabulary.
+- New example: `examples/atr-rule-trace-method-example.json`.
+
+### v1.0.0 — 2026-05-11
+- Initial release. Nine categories. Pattern-method only.
+
 ## Status
 
-Draft v1.0.0. Not yet submitted to the OASIS CTI Technical Committee.
+Draft v1.1.0. Not yet submitted to the OASIS CTI Technical Committee.
 The extension is usable today by any consumer that processes STIX
 extensions per the spec; OASIS submission becomes relevant if a
 subset of fields ends up wanting promotion into core STIX.
@@ -72,6 +133,8 @@ subset of fields ends up wanting promotion into core STIX.
 
 - Canonical ATR repo: <https://github.com/Agent-Threat-Rule/agent-threat-rules>
 - ATR YAML schema: [`../atr-schema.yaml`](../atr-schema.yaml)
+- ATR Core Specification: [`../../SPEC.md`](../../SPEC.md)
+- ATR Method Extensions: [`../atr-method-v1.1.md`](../atr-method-v1.1.md)
 - npm: <https://www.npmjs.com/package/agent-threat-rules>
 - DOI: 10.5281/zenodo.19178002
 

package/spec/stix-extension/examples/atr-rule-trace-method-example.json

@@ -0,0 +1,85 @@
+{
+  "type": "x-atr-rule",
+  "id": "x-atr-rule--c2e83f15-44b7-5e8a-b9c3-aae5d2348816",
+  "spec_version": "2.1",
+  "created_by_ref": "identity--4ee77ba4-f956-5d27-aeb1-cbfeb4c8f8d5",
+  "created": "2026-05-28T00:00:00.000Z",
+  "modified": "2026-05-28T00:00:00.000Z",
+  "atr_id": "ATR-2026-00548",
+  "atr_category": "context-exfiltration",
+  "atr_subcategory": "cross-agent-context-drift",
+  "atr_method": "trace",
+  "atr_runtime_profile": "assisted",
+  "name": "Cross-agent session context leak across delegation chain",
+  "description": "Detects cross-agent context leakage in multi-agent systems where a privileged context attribute (typically session.id, user.id, or conversation.id) fails to remain constant across a single agent delegation chain. Trace-method rule operating on agent execution traces in OpenInference format.",
+  "severity": "high",
+  "maturity": "draft",
+  "agent_source_type": "agent_trace",
+  "trace_detection": {
+    "ingest_format": "openinference",
+    "primitives": {
+      "invariant": [
+        {
+          "attribute": "session.id",
+          "across": "agent.delegation_chain",
+          "description": "session.id MUST remain constant across every span in one delegation chain."
+        },
+        {
+          "attribute": "user.id",
+          "across": "agent.delegation_chain",
+          "description": "user.id MUST remain constant across the delegation chain."
+        }
+      ]
+    }
+  },
+  "response_actions": [
+    "alert",
+    "quarantine_session"
+  ],
+  "owasp_agentic_refs": [
+    "ASI03:2026 - Data Exfiltration",
+    "ASI06:2026 - Identity Spoofing & Impersonation"
+  ],
+  "mitre_atlas_refs": [
+    "AML.T0024 - Exfiltration via Cyber Means"
+  ],
+  "compliance_refs": {
+    "nist_csf": [
+      "DE.CM-09"
+    ],
+    "etsi_ts_104223": [
+      "P4.3"
+    ],
+    "eu_ai_act": [
+      {
+        "article": "10",
+        "context": "Data governance — multi-agent systems must preserve session-scope boundaries.",
+        "strength": "primary"
+      }
+    ],
+    "nist_ai_rmf": [
+      {
+        "subcategory": "MS.2.6",
+        "context": "Information security — agent delegation chains must preserve session and user scope.",
+        "strength": "primary"
+      }
+    ]
+  },
+  "external_references": [
+    {
+      "source_name": "agent-threat-rules",
+      "external_id": "ATR-2026-00548",
+      "url": "https://github.com/Agent-Threat-Rule/agent-threat-rules/blob/main/rules/context-exfiltration/ATR-2026-00548-cross-agent-session-context-leak.yaml"
+    },
+    {
+      "source_name": "Argus paper",
+      "description": "Hierarchical Reference-Relationship Graph for Multi-Agent Information Leakage",
+      "url": "https://arxiv.org/abs/2512.08326"
+    }
+  ],
+  "extensions": {
+    "extension-definition--93370194-c964-570f-9802-9d1154e5525d": {
+      "extension_type": "new-sdo"
+    }
+  }
+}