agent-audit-kit 0.2.0__tar.gz → 0.3.2__tar.gz

agent_audit_kit-0.3.2/.claude/auto-memory/config.json

@@ -0,0 +1,3 @@
+{
+  "triggerMode": "default"
+}

agent_audit_kit-0.3.2/.github/FUNDING.yml

@@ -0,0 +1 @@
+github: sattyamjjain

agent_audit_kit-0.3.2/.github/workflows/cve-watcher.yml

@@ -0,0 +1,72 @@
+name: AAK Response SLA — CVE watcher
+
+# Implements the public 48-hour CVE-to-rule commitment described in
+# ROADMAP_2026.md §2.3. Queries NVD's keyword feed for recent MCP-related
+# CVEs, diffs against what's already in CHANGELOG.cves.md, and files an
+# issue tagged `cve-response` for anything new. Runs every 6 hours.
+
+on:
+  schedule:
+    - cron: "17 */6 * * *"
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+  issues: write
+
+jobs:
+  watch:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Fetch NVD MCP CVEs and diff against CHANGELOG.cves.md
+        id: diff
+        env:
+          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+        run: |
+          python3 scripts/cve_watcher.py > new_cves.json
+          test -s new_cves.json && echo "new_cves=true" >> "$GITHUB_OUTPUT" || echo "new_cves=false" >> "$GITHUB_OUTPUT"
+
+      - name: File response-tracking issue
+        if: steps.diff.outputs.new_cves == 'true'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const cves = JSON.parse(fs.readFileSync('new_cves.json', 'utf-8'));
+            for (const cve of cves) {
+              const title = `CVE-response: ${cve.id} (${cve.severity || 'unknown'} CVSS ${cve.cvss || 'n/a'})`;
+              const body = [
+                `## ${cve.id}`,
+                ``,
+                `**NVD:** https://nvd.nist.gov/vuln/detail/${cve.id}`,
+                `**Published:** ${cve.published}`,
+                `**CVSS:** ${cve.cvss || 'n/a'}`,
+                ``,
+                `### Description`,
+                ``,
+                cve.description || '(no description yet)',
+                ``,
+                `### AAK response checklist (48h SLA)`,
+                ``,
+                `- [ ] Verify CVE on NVD + vendor advisory`,
+                `- [ ] Author rule(s): \`AAK-XXX-XXX\``,
+                `- [ ] Add positive + negative fixtures under \`tests/fixtures/cves/\``,
+                `- [ ] Add remediation + framework mapping`,
+                `- [ ] Update \`CHANGELOG.cves.md\` with shipped-at timestamp`,
+                `- [ ] Tag patch release`,
+              ].join('\n');
+              await github.rest.issues.create({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                title,
+                body,
+                labels: ['cve-response', 'sla-48h'],
+              });
+            }

agent_audit_kit-0.3.2/.github/workflows/docker-nightly.yml

@@ -0,0 +1,74 @@
+name: Docker nightly rebuild
+
+# Closes C13 — scheduled rebuild so the :latest and :nightly tags pick up
+# base-image security patches without waiting for a release tag.
+
+on:
+  schedule:
+    - cron: "23 3 * * *"   # 03:23 UTC daily (off-peak; random minute per fleet-hygiene)
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+  packages: write
+  id-token: write
+  attestations: write
+
+jobs:
+  rebuild:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Compute tag set
+        id: tags
+        run: |
+          date_tag=$(date -u +%Y%m%d)
+          echo "date_tag=${date_tag}" >> "$GITHUB_OUTPUT"
+
+      - name: Build + push (latest + nightly + date tag)
+        id: push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          pull: true           # force re-pull of base image to catch upstream patches
+          no-cache: true       # avoid cached base-image layers
+          tags: |
+            ghcr.io/${{ github.repository_owner }}/agent-audit-kit:latest
+            ghcr.io/${{ github.repository_owner }}/agent-audit-kit:nightly
+            ghcr.io/${{ github.repository_owner }}/agent-audit-kit:nightly-${{ steps.tags.outputs.date_tag }}
+          labels: |
+            org.opencontainers.image.title=AgentAuditKit
+            org.opencontainers.image.description=Security scanner for MCP-connected AI agent pipelines
+            org.opencontainers.image.source=https://github.com/${{ github.repository_owner }}/agent-audit-kit
+            org.opencontainers.image.licenses=MIT
+            org.opencontainers.image.revision=${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Trivy scan (fail if new CRITICAL/HIGH in base image)
+        uses: aquasecurity/trivy-action@master
+        continue-on-error: true
+        with:
+          image-ref: ghcr.io/${{ github.repository_owner }}/agent-audit-kit:nightly
+          format: sarif
+          output: trivy-nightly.sarif
+          severity: CRITICAL,HIGH
+
+      - name: Upload Trivy SARIF to Security tab
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy-nightly.sarif
+          category: trivy-nightly

agent_audit_kit-0.3.2/.github/workflows/mcp-security-index.yml

@@ -0,0 +1,87 @@
+name: MCP Security Index — weekly snapshot
+
+# Closes B4 / #25: MkDocs docs live at gh-pages/docs/, MCP Security
+# Index at gh-pages/. Replaces the broken .github/workflows/docs.yml
+# (stale deploy-pages SHA) with a single deploy pipeline.
+
+on:
+  schedule:
+    - cron: "11 7 * * 1"   # Mondays, 07:11 UTC
+  push:
+    branches: [main]
+    paths:
+      - "docs/**"
+      - "mkdocs.yml"
+      - ".github/workflows/mcp-security-index.yml"
+  workflow_dispatch: {}
+
+permissions:
+  contents: write
+
+jobs:
+  snapshot:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install agent-audit-kit + MkDocs
+        run: |
+          pip install -e .
+          pip install mkdocs mkdocs-material
+
+      # ---- MCP Security Index (only on schedule / manual dispatch) ----
+      - name: Crawl public MCP servers
+        if: github.event_name != 'push'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          mkdir -p benchmarks/data
+          python benchmarks/crawler.py --limit 500 --output benchmarks/results.json
+
+      - name: Build MCP Security Index site
+        if: github.event_name != 'push'
+        run: python benchmarks/index_builder.py --input benchmarks/results.json --site-dir benchmarks/site --clean
+
+      # ---- MkDocs ----
+      - name: Build MkDocs
+        run: mkdocs build -d docs_build
+
+      # ---- Assemble gh-pages payload: index/ at root, docs at /docs/ ----
+      - name: Fetch prior gh-pages state (so we preserve the index on docs-only pushes)
+        run: |
+          git fetch origin gh-pages:gh-pages-remote || echo "no existing gh-pages branch"
+          mkdir -p pages_staging
+          if git show-ref --verify --quiet refs/heads/gh-pages-remote; then
+            git --work-tree=pages_staging checkout gh-pages-remote -- . || true
+          fi
+
+      - name: Stage payload
+        run: |
+          # docs always rebuilt from latest main
+          rm -rf pages_staging/docs
+          mv docs_build pages_staging/docs
+          # index only refreshed on schedule / dispatch
+          if [ -d benchmarks/site ]; then
+            cp -r benchmarks/site/. pages_staging/
+          fi
+          # .nojekyll so GitHub Pages serves the raw HTML
+          touch pages_staging/.nojekyll
+
+      - name: Publish to gh-pages
+        run: |
+          cd pages_staging
+          git init -q
+          git config user.name 'mcp-security-index'
+          git config user.email 'mcp-security-index@users.noreply.github.com'
+          git checkout -b gh-pages
+          git add .
+          git commit -q -m "snapshot: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
+          git remote add origin "https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git"
+          git push --force origin gh-pages

agent_audit_kit-0.3.2/.github/workflows/release.yml

@@ -0,0 +1,257 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: write
+  packages: write
+  id-token: write
+  attestations: write
+
+jobs:
+  # --------------------------------------------------------------------------
+  # 0. Gate: refuse to release while any sla-48h CVE-response issue is open.
+  #    Implements CLAUDE_PROMPT.md §5(1) — "blocks release until the issue
+  #    is closed". (C14)
+  # --------------------------------------------------------------------------
+  cve-response-gate:
+    name: CVE-response gate
+    runs-on: ubuntu-latest
+    permissions:
+      issues: read
+      contents: read
+    steps:
+      - name: Block release if open cve-response issues exist
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+          count=$(gh issue list --repo "$GITHUB_REPOSITORY" --label sla-48h --state open --json number --jq length)
+          if [ "$count" != "0" ]; then
+            echo "::error ::cve-response gate: $count open sla-48h issue(s). Close them (or resolve with patch-release) before tagging."
+            gh issue list --repo "$GITHUB_REPOSITORY" --label sla-48h --state open
+            exit 1
+          fi
+          echo "cve-response gate: clean — 0 open sla-48h issues."
+
+  # --------------------------------------------------------------------------
+  # 1. Publish to PyPI using trusted publishing (OIDC)
+  # --------------------------------------------------------------------------
+  pypi:
+    needs: cve-response-gate
+    name: Publish to PyPI
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/agent-audit-kit
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install build tools
+        run: python -m pip install --upgrade pip build
+
+      - name: Build package
+        run: python -m build
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@v1.13.0
+
+  # --------------------------------------------------------------------------
+  # 2. Build, scan, and push Docker image to GHCR
+  # --------------------------------------------------------------------------
+  docker:
+    name: Push Docker image to GHCR
+    needs: cve-response-gate
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract version from tag
+        id: version
+        run: echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"
+
+      - name: Build image for scanning
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          load: true
+          tags: agent-audit-kit:scan
+
+      - name: Scan Docker image with Trivy
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: agent-audit-kit:scan
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL,HIGH
+
+      - name: Build and push
+        id: push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: |
+            ghcr.io/sattyamjjain/agent-audit-kit:${{ steps.version.outputs.version }}
+            ghcr.io/sattyamjjain/agent-audit-kit:latest
+          labels: |
+            org.opencontainers.image.title=AgentAuditKit
+            org.opencontainers.image.description=Security scanner for MCP-connected AI agent pipelines
+            org.opencontainers.image.version=${{ steps.version.outputs.version }}
+            org.opencontainers.image.source=https://github.com/sattyamjjain/agent-audit-kit
+            org.opencontainers.image.licenses=MIT
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Generate SLSA provenance attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ghcr.io/sattyamjjain/agent-audit-kit
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
+
+  # --------------------------------------------------------------------------
+  # 3. Sign the rule bundle + SBOMs with Sigstore (keyless OIDC)
+  # --------------------------------------------------------------------------
+  bundle-and-sign:
+    name: Rule bundle + SBOM (Sigstore)
+    needs: cve-response-gate
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: Install agent-audit-kit
+        run: pip install -e .
+
+      - name: Export rule bundle + compute digest
+        run: |
+          agent-audit-kit export-rules --out rules.json
+          sha256sum rules.json > rules.json.sha256
+          cat rules.json.sha256
+
+      - name: Emit SBOMs (CycloneDX + SPDX)
+        run: |
+          agent-audit-kit sbom . --format cyclonedx --output sbom.cdx.json
+          agent-audit-kit sbom . --format spdx      --output sbom.spdx.json
+
+      - name: Sigstore keyless sign
+        uses: sigstore/gh-action-sigstore-python@v3.0.0
+        with:
+          inputs: |
+            rules.json
+            sbom.cdx.json
+            sbom.spdx.json
+          # Keep sigs in the workflow; we attach them ourselves in github-release.
+          release-signing-artifacts: false
+          upload-signing-artifacts: true
+
+      - name: Verify sigstore outputs landed
+        run: |
+          ls -la ./*.sigstore* || true
+          ls -la ./rules.json ./sbom.cdx.json ./sbom.spdx.json
+
+      - name: Upload signed artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: signed-bundle
+          path: |
+            rules.json
+            rules.json.sha256
+            sbom.cdx.json
+            sbom.spdx.json
+            *.sigstore
+            *.sigstore.json
+            *.sig
+          if-no-files-found: warn
+
+  # --------------------------------------------------------------------------
+  # 4. Create GitHub Release with auto-generated notes + signed bundle
+  # --------------------------------------------------------------------------
+  github-release:
+    name: Create GitHub Release
+    runs-on: ubuntu-latest
+    needs: [pypi, docker, bundle-and-sign]
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Download signed artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: signed-bundle
+          path: signed
+
+      - name: Create release
+        uses: softprops/action-gh-release@v2
+        with:
+          generate_release_notes: true
+          files: |
+            signed/rules.json
+            signed/rules.json.sha256
+            signed/sbom.cdx.json
+            signed/sbom.spdx.json
+            signed/*.sigstore
+            signed/*.sigstore.json
+            signed/*.sig
+          body: |
+            ## Installation
+
+            **pip:**
+            ```bash
+            pip install agent-audit-kit==${{ github.ref_name }}
+            ```
+
+            **Docker:**
+            ```bash
+            docker pull ghcr.io/sattyamjjain/agent-audit-kit:${{ github.ref_name }}
+            ```
+
+            **GitHub Action:**
+            ```yaml
+            - uses: sattyamjjain/agent-audit-kit@${{ github.ref_name }}
+              with:
+                fail-on: high
+            ```
+
+            ## Supply chain
+
+            - `rules.json` — deterministic rule bundle
+            - `rules.json.sha256` — trusted digest
+            - `sbom.cdx.json` / `sbom.spdx.json` — CycloneDX + SPDX SBOM
+            - `*.sigstore` — Sigstore keyless signatures (verify with `agent-audit-kit verify-bundle`)
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

agent_audit_kit-0.3.2/.github/workflows/sync-rule-count.yml

@@ -0,0 +1,60 @@
+name: Sync rule count
+
+# Keeps README badge + action.yml description + __init__.RULE_COUNT in
+# lockstep with the rule bundle. Runs on every push to main that touches
+# rules.json or the rule source, then commits the bumped files back if
+# anything drifted.
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - rules.json
+      - agent_audit_kit/rules/**
+      - agent_audit_kit/bundle.py
+      - scripts/sync_rule_count.py
+  workflow_dispatch: {}
+
+permissions:
+  contents: write
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    if: github.actor != 'github-actions[bot]'
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install agent-audit-kit
+        run: pip install -e .
+
+      - name: Regenerate bundle + sync surfaces
+        id: sync
+        run: python scripts/sync_rule_count.py --regenerate
+
+      - name: Check for drift
+        id: diff
+        run: |
+          if git diff --quiet; then
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+            git diff --stat
+          fi
+
+      - name: Commit
+        if: steps.diff.outputs.changed == 'true'
+        run: |
+          git config user.name 'agent-audit-kit-bot'
+          git config user.email 'agent-audit-kit-bot@users.noreply.github.com'
+          git add rules.json README.md action.yml agent_audit_kit/__init__.py
+          git commit -m "chore(rule-count): auto-sync after rules.json change"
+          git push

{agent_audit_kit-0.2.0 → agent_audit_kit-0.3.2}/.gitignore

@@ -35,9 +35,13 @@ Thumbs.db
 .env
 .env.*
 
+# Claude Code auto-memory
+.claude/auto-memory/dirty-files
+
 # Agent Audit Kit cache
 .agent-audit-kit/
 
 # Benchmark data (downloaded configs)
 benchmarks/data/
 benchmarks/results.json
+benchmarks/site/

agent_audit_kit-0.3.2/.pre-commit-config.yaml

@@ -0,0 +1,26 @@
+# Pre-commit hooks run against this repo.
+# Install once:
+#   pip install pre-commit && pre-commit install
+#
+# To skip (e.g. emergency commits): `git commit --no-verify`.
+repos:
+  # ---------------------------------------------------------------------
+  # Local: block rule-count drift at commit time.
+  # ---------------------------------------------------------------------
+  - repo: local
+    hooks:
+      - id: aak-sync-rule-count
+        name: AAK — rule count in lockstep with rules.json
+        entry: python scripts/sync_rule_count.py --check
+        language: system
+        pass_filenames: false
+        files: "^(rules\\.json|README\\.md|action\\.yml|agent_audit_kit/rules/|agent_audit_kit/__init__\\.py$)"
+
+  # ---------------------------------------------------------------------
+  # Upstream lint / format.
+  # ---------------------------------------------------------------------
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.8.4
+    hooks:
+      - id: ruff
+        args: [--fix]

agent_audit_kit-0.3.2/CHANGELOG.cves.md

@@ -0,0 +1,59 @@
+# AAK Response SLA — CVE-to-Rule Ledger
+
+We publicly commit to shipping rule coverage for every disclosed MCP CVE
+within **48 hours of NVD disclosure**. This file is the audit trail.
+
+Format: one line per CVE, `CVE-YYYY-NNNNN` → `AAK-XXX-NNN` with the
+shipped-at timestamp. The GitHub Action `.github/workflows/cve-watcher.yml`
+diffs NVD's MCP keyword feed against this file and opens an
+`sla-48h`-labelled issue for anything new.
+
+## Shipped in v0.3.2 (2026-04-20)
+
+| CVE / Incident | Advisory | AAK rule(s) | Shipped | Latency |
+|---|---|---|---|---|
+| CVE-2026-33032 (MCPwn, KEV) | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-33032) — nginx-ui, CVSS 9.8 | **AAK-MCPWN-001** (primary) · AAK-MCP-011/012/020 (secondary, retained) | 2026-04-20 | targeted follow-up 4d after PoC |
+| CVE-2026-40933 | [GHSA-c9gw-hvqq-f33r](https://github.com/advisories/GHSA-c9gw-hvqq-f33r) — Flowise MCP adapter, CVSS 10.0 | AAK-FLOWISE-001 (primary) · AAK-STDIO-001 (architectural class) | 2026-04-20 | <48h |
+| VERCEL-2026-04-19 (incident) | [Vercel bulletin](https://vercel.com/kb/bulletin/vercel-april-2026-security-incident) | AAK-OAUTH-SCOPE-001, AAK-OAUTH-3P-001 | 2026-04-20 | <24h |
+| MCPWN-2026-04-16 (incident) | [Rapid7 ETR](https://www.rapid7.com/blog/post/etr-cve-2026-33032-nginx-ui-missing-mcp-authentication/) | AAK-MCPWN-001 | 2026-04-20 | 4d (targeted) |
+
+## Shipped in v0.3.1 (2026-04-19)
+
+| CVE | Advisory | AAK rule(s) | Shipped | Latency |
+|---|---|---|---|---|
+| CVE-2026-30615 | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-30615) (Windsurf, CVSS 8.0) | AAK-STDIO-001, AAK-WINDSURF-001 | 2026-04-19 | <48h |
+| CVE-2026-35402 | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-35402) (mcp-neo4j-cypher, CVSS 2.3) | AAK-NEO4J-001 | 2026-04-19 | <48h |
+| CVE-2026-35603 | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-35603) (Claude Code Windows, CVSS 5.4) | AAK-CLAUDE-WIN-001 | 2026-04-19 | <48h |
+| CVE-2026-6494  | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-6494)  (AAP MCP log injection, CVSS 5.3) | AAK-LOGINJ-001 | 2026-04-19 | <48h |
+
+### Ox Security architectural class (Apr 16 2026 disclosure)
+
+AAK-STDIO-001 closes this whole family with a single AST-based
+detection in `scanners/stdio_injection.py`:
+
+| CVE | Product |
+|---|---|
+| CVE-2025-65720 | GPT Researcher |
+| CVE-2026-26015 | DocsGPT |
+| CVE-2026-30615 | Windsurf |
+| CVE-2026-30617 | Langchain-Chatchat |
+| CVE-2026-30618 | Fay Framework |
+| CVE-2026-30623 | LiteLLM |
+| CVE-2026-30624 | Agent Zero |
+| CVE-2026-30625 | Upsonic |
+| CVE-2026-33224 | Bisheng / Jaaz |
+
+Source: <https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/>
+
+## Shipped in v0.3.0
+
+| CVE | Advisory | AAK rule(s) | Shipped | Latency |
+|---|---|---|---|---|
+| CVE-2025-59536 | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-59536) | AAK-HOOK-RCE-001, AAK-HOOK-RCE-002, AAK-HOOK-RCE-003 | 2026-04-18 | retroactive |
+| CVE-2026-33032 | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-33032) | AAK-MCP-011, AAK-MCP-012, AAK-MCP-020 | 2026-04-18 | retroactive |
+| CVE-2026-34070 | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-34070) | AAK-LANGCHAIN-001, AAK-LANGCHAIN-002 | 2026-04-18 | retroactive |
+| CVE-2025-68664 | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-68664) | AAK-LANGCHAIN-003 | 2026-04-18 | retroactive |
+
+## Open (48h SLA ticking)
+
+_none — file response-tracking issues get posted here when the SLA fires._