openaca 0.1.0b1__py3-none-any.whl

docs/frameworks/README.md

@@ -0,0 +1,24 @@
+# Framework References
+
+These files are curated policy inputs for OpenACA overlay review and future
+LLM-assisted candidate annotation. They intentionally summarize the
+frameworks instead of mirroring full upstream documents.
+
+Use them as stable prompt context when drafting:
+
+- `database_specific.openaca.taxonomies`
+- `database_specific.openaca.threat_kind`
+
+Rules for updates:
+
+- Keep source URLs and access dates current.
+- Prefer concise mapping guidance over long copied text.
+- Treat changes as review-worthy because they can change corpus
+  classification behavior.
+- Do not duplicate upstream-owned CWE mappings into OpenACA overlays by
+  default; use `supplemental_taxonomies` only for reviewed OpenACA-owned
+  additions.
+
+Overlay taxonomy IDs use lowercase prefixes where the schema expects
+them, for example `asi04`, `mcp04:2025`, `ast02:2026`, and
+`llm03:2025`.

docs/frameworks/mitre-atlas.md

@@ -0,0 +1,212 @@
+# MITRE ATLAS
+
+Sources:
+- https://atlas.mitre.org/
+- https://github.com/mitre-atlas/atlas-data
+- https://raw.githubusercontent.com/mitre-atlas/atlas-data/main/dist/ATLAS.yaml
+
+ATLAS data version referenced: 5.6.0
+
+Accessed: 2026-05-13
+
+Use MITRE ATLAS for adversary behavior that is specific to AI, ML, LLM,
+agent, RAG, AI DevOps, AI service, or AI artifact systems. Do not force
+an ATLAS mapping onto ordinary software malware, package vulnerabilities,
+or generic web-app bugs unless the OSV record shows that the AI system is
+part of the attack path.
+
+ATLAS describes attacker techniques. An OpenACA overlay should map an ATLAS
+technique only when the advisory evidence shows the attacker behavior,
+not merely because the vulnerable package is used by an agent.
+
+## Selected IDs For OpenACA Review
+
+| Overlay ID | Name | Use When |
+| --- | --- | --- |
+| `AML.T0010` | AI Supply Chain Compromise | The issue compromises AI-specific hardware, data, software, models, tools, or artifacts before they are used by a victim system. |
+| `AML.T0010.001` | AI Software | A malicious or compromised software package is specifically AI, LLM, agent, MCP, model, data, or AI DevOps software. |
+| `AML.T0010.002` | Data | The issue affects data used to train, tune, evaluate, retrieve, or operate an AI system. |
+| `AML.T0010.003` | Model | The issue affects a model artifact, model weights, model package, or model provenance. |
+| `AML.T0010.005` | AI Agent Tool | The supply-chain target is an agent tool such as an MCP server, agent plugin, hosted tool endpoint, or package that expands an agent's tool access. |
+| `AML.T0011.002` | Poisoned AI Agent Tool | The victim invokes a malicious or poisoned tool through an agent interaction. |
+| `AML.T0051` | LLM Prompt Injection | Malicious prompt content causes an LLM or agent to ignore instructions, bypass controls, or take unintended actions. |
+| `AML.T0051.000` | Direct | The adversary submits the malicious prompt directly to the LLM or agent. |
+| `AML.T0051.001` | Indirect | The malicious prompt is embedded in retrieved content, documents, webpages, tool metadata, code comments, or another data channel. |
+| `AML.T0051.002` | Triggered | The injected prompt is dormant until a later user action, workflow event, retrieval, or tool invocation activates it. |
+| `AML.T0053` | AI Agent Tool Invocation | The adversary causes an agent to call a tool it can access. |
+| `AML.T0074` | Masquerading | Names, domains, package metadata, registry identity, branding, or file paths are crafted to look legitimate. |
+| `AML.T0085` | Data from AI Services | The adversary uses access to an AI-enabled service to collect sensitive data. |
+| `AML.T0085.001` | AI Agent Tools | The data collection path is an agent tool such as a repo, file, email, CRM, docs, chat, shell, browser, or SaaS connector. |
+| `AML.T0086` | Exfiltration via AI Agent Tool Invocation | The adversary uses a write-capable agent tool to transmit sensitive data out of the victim environment. |
+| `AML.T0096` | AI Service API | The adversary uses an AI service API as a command, control, or attack communication channel. |
+| `AML.T0098` | AI Agent Tool Credential Harvesting | The adversary uses agent tool access to retrieve credentials, tokens, keys, session data, or auth material. |
+| `AML.T0099` | AI Agent Tool Data Poisoning | The adversary plants malicious content where an agent tool can retrieve it. |
+| `AML.T0100` | AI Agent Clickbait | Deceptive web content is designed to lure computer-use agents or AI browsers into unintended actions. |
+| `AML.T0101` | Data Destruction via AI Agent Tool Invocation | The adversary causes an agent tool to delete, overwrite, encrypt, or otherwise destroy data. |
+| `AML.T0103` | Deploy AI Agent | The adversary launches an agent in the victim environment to act on their behalf. |
+| `AML.T0104` | Publish Poisoned AI Agent Tool | The adversary publishes a malicious agent tool for others to install or connect. |
+| `AML.T0105` | Escape to Host | The attack breaks out of a sandbox, container, VM, or other isolation boundary used by an AI system or agent. |
+| `AML.T0108` | AI Agent | The adversary abuses an existing AI agent as a command-and-control mechanism. |
+| `AML.T0109` | AI Supply Chain Rug Pull | The adversary first builds trust in an AI component, then ships a malicious update. |
+| `AML.T0110` | AI Agent Tool Poisoning | The adversary compromises or alters a tool already integrated with an agent so that it can influence future agent behavior. |
+
+## Classification Rules
+
+### Supply Chain
+
+Use `AML.T0010` when the attack path depends on compromised AI supply.
+Prefer a subtechnique when one is precise:
+
+- Use `AML.T0010.001` for malicious AI software, LLM libraries, agent
+  frameworks, MCP servers, AI coding assistant extensions, model-serving
+  components, or AI DevOps packages.
+- Use `AML.T0010.005` when the compromised supply-chain item is an
+  agent tool. This is the best default for malicious MCP servers and
+  malicious tool plugins that an agent can install or connect to.
+- Use `AML.T0104` when the advisory is about publishing the poisoned
+  tool into a registry, repository, catalog, or hosted remote-tool
+  directory. Pair it with `AML.T0010.005` when the published artifact is
+  also the compromised supply-chain item.
+- Use `AML.T0109` only when the record shows a trust-building phase
+  followed by a malicious update. Do not use it for one-off typosquats
+  or newly-published malicious packages.
+- Use `AML.T0074` in addition to supply-chain IDs when the evidence
+  includes typosquatting, namesquatting, misleading branding, copied
+  package metadata, lookalike domains, or deceptive artifact names.
+
+Do not use ATLAS supply-chain mappings for a normal CVE in a common
+library merely because that library appears in an agent dependency tree.
+The advisory needs AI, agent, model, tool, or AI DevOps relevance.
+
+### Prompt Injection
+
+Use `AML.T0051` when prompt content is the attack mechanism. Choose a
+subtechnique by where the malicious prompt enters the system:
+
+- `AML.T0051.000`: attacker directly sends the prompt to the agent,
+  chatbot, API, or model.
+- `AML.T0051.001`: prompt is hidden in content later retrieved or read
+  by the model, including webpages, documents, tickets, emails, repo
+  files, tool descriptions, MCP metadata, rules files, comments, or RAG
+  content.
+- `AML.T0051.002`: prompt is planted earlier and activates only after a
+  later event, retrieval, user action, or workflow step.
+
+Prompt injection often co-occurs with `AML.T0053`, `AML.T0086`,
+`AML.T0099`, or `AML.T0101`. Add those only when the record shows the
+agent tool behavior, data poisoning, exfiltration, or destructive action.
+
+### Agent Tool Abuse
+
+Use these mappings when the advisory evidence shows agent tool access,
+not merely the presence of an MCP package:
+
+- `AML.T0053`: the adversary causes an agent to invoke a tool. This is a
+  broad action mapping; add a more specific impact technique when known.
+- `AML.T0085.001`: the tool is used to retrieve sensitive data from
+  connected systems such as repos, document stores, email, chat, ticketing
+  systems, browsers, shells, or local files.
+- `AML.T0086`: the tool transmits data out of the victim environment
+  through an apparently legitimate write action, such as sending email,
+  creating a document, posting to chat, opening a URL, or writing to an
+  attacker-controlled system.
+- `AML.T0098`: the target data is credentials or auth material.
+- `AML.T0101`: the tool performs destructive mutation such as deleting,
+  overwriting, encrypting, or corrupting data.
+
+For a vulnerable MCP server that permits arbitrary command execution,
+map to `AML.T0053` only when the exploit path involves the agent invoking
+the server's tool. If the advisory is a conventional server-side command
+injection with no agent invocation semantics, omit ATLAS unless another
+AI-specific behavior is present.
+
+### Agent Tool Poisoning And Data Poisoning
+
+Use `AML.T0110` when an existing agent tool is compromised or altered
+after it is integrated. This is about persistence or long-term influence
+through a trusted tool.
+
+Use `AML.T0011.002` when the victim invokes the poisoned tool and that
+tool execution is the immediate entry point.
+
+Use `AML.T0099` when malicious content is planted where an agent tool can
+retrieve it, such as shared documents, repo files, websites, issues,
+tickets, emails, notes, vector-store content, or RAG sources. Add
+`AML.T0051.001` when the planted content includes prompt injection.
+
+### Agent Runtime And Host Boundary
+
+Use `AML.T0108` when the adversary uses an existing AI agent as a
+command-and-control mechanism, especially when the agent is instructed to
+retrieve commands, execute tools, suppress reporting, or maintain
+control.
+
+Use `AML.T0103` when the adversary deploys a new agent into the victim
+environment to perform actions on their behalf. Do not use it when the
+victim merely installs a malicious package that happens to be an agent
+tool.
+
+Use `AML.T0105` when the attack escapes an isolation boundary used by an
+AI system, such as an agent sandbox, container, browser isolation layer,
+VM, local execution jail, or tool runner. Pair it with ATT&CK container
+escape mappings outside the overlay if upstream already provides them.
+
+### Web And API Abuse
+
+Use `AML.T0100` when the advisory describes web content crafted to bait a
+computer-use agent or AI browser into actions such as clicking, copying,
+navigating, approving, downloading, or pasting commands. This should not
+be used for ordinary phishing unless the target is an AI browsing or
+computer-use agent.
+
+Use `AML.T0096` when an AI service API is the adversary communication
+channel or command path. This is for attacker traffic blending into AI
+service API usage, not for every vulnerability in an API-backed AI app.
+
+## Evidence Cues
+
+The following advisory evidence is usually enough to consider an ATLAS
+mapping:
+
+- Package or component is explicitly an MCP server, agent tool, AI
+  plugin, AI coding assistant extension, model package, RAG connector,
+  LLM framework, model-serving component, or AI DevOps tool.
+- Details mention agent tool invocation, tool descriptions, tool calls,
+  MCP, remote tools, local tools, computer-use agents, AI browsers,
+  model context, RAG ingestion, prompt injection, jailbreak, tool
+  poisoning, or agent configuration changes.
+- Impact involves agent permissions, source-code access through tools,
+  credential access through tools, exfiltration through tool outputs,
+  destructive tool actions, AI service command channels, model/data
+  poisoning, or malicious AI artifact publication.
+
+Evidence that is usually not enough:
+
+- Generic package malware with no AI, LLM, model, MCP, or agent
+  behavior.
+- Ordinary dependency vulnerabilities discovered in software used by an
+  agent.
+- Generic command injection, SSRF, path traversal, or XSS with no
+  agent-specific exploit path.
+- CWE or ATT&CK mappings from upstream that describe the underlying
+  software weakness but not AI-specific adversary behavior.
+
+## Example Notes
+
+- Malicious MCP package published to npm: `AML.T0010.005` and
+  `AML.T0104`; add `AML.T0074` if namesquatting is explicit.
+- Benign MCP server compromised after installation so it silently steals
+  data: `AML.T0110`; add `AML.T0086` if the exfiltration path is a
+  write-capable tool action.
+- Prompt injection in an MCP tool description: `AML.T0051.001`; add
+  `AML.T0053` if it causes a tool call.
+- Prompt injection in a webpage that makes a browser agent click a
+  button: `AML.T0051.001` plus `AML.T0100`; add `AML.T0053` if a tool
+  invocation is the operative action.
+- Agent retrieves poisoned instructions from a shared document through a
+  connector: `AML.T0099`; add `AML.T0051.001` if the content is prompt
+  injection.
+- Prompt injection causes an agent to delete files through a shell tool:
+  `AML.T0051.001`, `AML.T0053`, and `AML.T0101`.
+- Vulnerable lodash in an app dependency tree: no ATLAS mapping by
+  default.

docs/frameworks/owasp-agentic-ai-top-10-2026.md

@@ -0,0 +1,363 @@
+# OWASP Agentic AI Top 10 2026
+
+Sources:
+- https://genai.owasp.org/2025/12/09/owasp-top-10-for-agentic-applications-the-benchmark-for-agentic-security-in-the-age-of-autonomous-ai/
+
+Accessed: 2026-05-13
+
+Use this as OpenACA's broad agent-system taxonomy. Prefer it for risks that
+depend on autonomy, tool use, delegated identity, memory, multi-step
+workflow, inter-agent communication, or human trust in agent output.
+
+The OWASP guide frames agentic risks across inputs, integration and
+processing, and outputs. OpenACA overlays should map to ASI when the
+agentic behavior changes the security meaning of an underlying
+vulnerability or malicious component.
+
+## `asi01` — Agent Goal Hijack
+
+Definition: Attacker-controlled content changes the agent's objective,
+task selection, planning path, or decision flow. The key distinction
+from ordinary prompt injection is agentic impact: multi-step behavior,
+tool calls, delegated actions, or goal drift change what the agent tries
+to accomplish.
+
+Use when:
+- Hidden instructions in documents, web pages, emails, tool outputs,
+  RAG content, templates, or peer-agent messages redirect goals or
+  planning.
+- The attack causes the agent to pursue a different user intent,
+  authorize a goal shift, or select unsafe actions.
+- Prompt injection affects agent planning or autonomous action, not only
+  a single model response.
+
+Do not use when:
+- The issue is persistent memory corruption; consider `asi06`.
+- The issue is an agent becoming misaligned without active attacker
+  steering; consider `asi10`.
+- The record only says "prompt injection" with no agent goal, plan, or
+  tool behavior.
+
+Evidence patterns:
+- "goal", "intent", "prompt injection", "hidden instruction",
+  "indirect prompt", "RAG", "web content", "email", "calendar",
+  "document", "override", "planner", "goal drift".
+
+Related mappings:
+- `llm01:2025`
+- `mcp03:2025` when MCP tool metadata carries the injection.
+- `mcp10:2025` when unsafe context injection is the path.
+- `AML.T0051.*`
+
+## `asi02` — Tool Misuse and Exploitation
+
+Definition: The agent uses a legitimate tool in an unsafe, excessive, or
+unintended way while staying within its granted capability. The weakness
+is tool choice, tool chaining, argument forwarding, or missing guardrails
+around legitimate tool use.
+
+Use when:
+- Prompt injection, misleading tool output, or ambiguous instruction
+  causes unsafe invocation of legitimate tools.
+- Tool access is over-scoped for the task, but the agent acts within
+  already granted authority.
+- The attack chains tools, over-invokes costly APIs, exfiltrates through
+  allowed egress, or drives destructive operations without separate
+  privilege escalation.
+
+Do not use when:
+- The tool use depends on delegated identity/credential abuse; consider
+  `asi03`.
+- The tool path reaches arbitrary code/command execution; include or
+  prefer `asi05`.
+- The tool implementation or package itself is malicious; consider
+  `asi04`.
+
+Evidence patterns:
+- "tool misuse", "tool chaining", "over-scoped tool", "unsafe tool",
+  "approved tool", "DNS exfiltration", "cost spike", "loop", "delete",
+  "send", "refund", "external transfer", "tool pivot".
+
+Related mappings:
+- `llm06:2025`
+- `mcp02:2025` for scope creep.
+- `mcp03:2025` for tool metadata poisoning.
+- `mcp05:2025` when misuse becomes command execution.
+
+## `asi03` — Identity and Privilege Abuse
+
+Definition: Agent identity, delegated credentials, trust relationships,
+or role inheritance are abused to bypass authorization. The agent may
+act as a confused deputy or carry cached privileges into a weaker
+context.
+
+Use when:
+- Agents inherit excessive privileges, reuse cached credentials, or
+  share identity across users/sessions/tasks.
+- Cross-agent trust lets a low-privilege actor route requests through a
+  high-privilege agent.
+- Authorization is checked at workflow start but drifts before
+  execution.
+- Agent descriptors, cards, or personas are forged to gain trust.
+
+Do not use when:
+- The agent merely uses a legitimate overbroad tool without identity or
+  credential abuse; consider `asi02`.
+- A secret is exposed but not used for agent privilege abuse; consider
+  `mcp01:2025` or `llm02:2025`.
+
+Evidence patterns:
+- "delegated", "credential", "OAuth", "token", "privilege",
+  "inheritance", "confused deputy", "agent identity", "agent card",
+  "persona", "TOCTOU", "authorization drift", "device code",
+  "cross-agent trust".
+
+Related mappings:
+- `mcp01:2025`
+- `mcp02:2025`
+- `mcp07:2025`
+- `llm02:2025`
+- `llm06:2025`
+
+## `asi04` — Agentic Supply Chain Vulnerabilities
+
+Definition: Agent components, tools, plugins, MCP servers, models,
+prompts, datasets, agent descriptors, registries, dependencies, or
+update channels are malicious, compromised, tampered, impersonated, or
+loaded from untrusted sources.
+
+Use when:
+- A package, plugin, MCP server, model/tool registry, prompt template,
+  agent card, or dependency in the agent composition chain is malicious
+  or compromised.
+- Typosquatting, impersonation, dependency confusion, poisoned updates,
+  compromised registries, or dynamic runtime loading affect agent
+  behavior.
+- The component can insert hidden instructions, backdoors, unsafe tools,
+  or deceptive behavior into the agent execution chain.
+
+Do not use when:
+- The vulnerable package is ordinary software with no agent-stack role.
+- The issue is only command injection in a legitimate component; include
+  `asi05` and use `asi04` only if supply-chain compromise is also part
+  of the evidence.
+
+Evidence patterns:
+- "supply chain", "malicious package", "typosquat", "impersonating",
+  "plugin", "MCP server", "registry", "agent card", "tool descriptor",
+  "poisoned prompt", "dependency confusion", "compromised update",
+  "backdoor", "untrusted source".
+
+Related mappings:
+- `llm03:2025`
+- `mcp04:2025`
+- `ast02:2026` when a skill distribution path is involved.
+- `AML.T0010.001`
+
+## `asi05` — Unexpected Code Execution
+
+Definition: Agent workflows reach unintended code, command, template,
+interpreter, deserialization, package-install, or sandbox execution. The
+execution may be generated by the agent, supplied by attacker content, or
+triggered through tool chains.
+
+Use when:
+- Prompt/tool input reaches shell, subprocess, eval, template, dynamic
+  import, package manager, deserialization, or generated-code execution.
+- The record describes RCE, arbitrary code execution, command injection,
+  unsafe code generation, unsafe object deserialization, memory-system
+  eval, or hostile install/import execution.
+- A multi-tool chain converts otherwise legitimate operations into code
+  execution.
+
+Do not use when:
+- The package is malicious but the record only shows supply-chain
+  delivery and no execution path; prefer `asi04`.
+- The issue is unsafe use of a legitimate tool without an execution
+  sink; consider `asi02`.
+
+Evidence patterns:
+- "RCE", "remote code execution", "arbitrary code", "command
+  injection", "shell", "subprocess", "eval", "deserialization",
+  "template injection", "install", "import", "lockfile poisoning",
+  "generated code", "sandbox escape".
+
+Related mappings:
+- `llm05:2025`
+- `llm01:2025` when prompt injection triggers execution.
+- `mcp05:2025`
+- `ast05:2026` when unsafe skill loading/deserialization is the path.
+
+## `asi06` — Memory and Context Poisoning
+
+Definition: Stored memory, summaries, embeddings, RAG data, session
+state, shared context, or long-term knowledge is poisoned so future
+agent reasoning, planning, or tool use becomes unsafe.
+
+Use when:
+- Malicious data enters memory, vector stores, RAG sources, summaries,
+  uploaded files, API feeds, shared context, or peer-agent exchanges and
+  persists across turns/sessions.
+- The poisoned context later influences tool selection, goal
+  interpretation, data disclosure, or code generation.
+- Context poisoning is gradual, persistent, or shared across agents/users.
+
+Do not use when:
+- The manipulation is one-shot prompt injection with no persistence;
+  consider `asi01`.
+- The effect is primarily a downstream failure propagation after
+  poisoning; consider adding `asi08`.
+
+Evidence patterns:
+- "memory", "context", "RAG", "embedding", "vector", "retrieval",
+  "summary", "persistent", "shared context", "long-term memory",
+  "poisoning", "stored", "drift".
+
+Related mappings:
+- `llm01:2025`
+- `llm04:2025`
+- `llm08:2025`
+- `mcp10:2025`
+
+## `asi07` — Insecure Inter-Agent Communication
+
+Definition: Agent-to-agent communication lacks authentication,
+integrity, authorization, origin validation, or trust boundaries. A
+forged, compromised, or malicious peer agent can alter messages,
+impersonate another agent, poison shared communication, or relay unsafe
+instructions.
+
+Use when:
+- A2A, peer-agent, swarm, delegation, or multi-agent protocol messages
+  are spoofed, replayed, tampered, or trusted without verification.
+- Agent cards/descriptors advertise false identity or capabilities.
+- One agent relays malicious instructions or sensitive data to another
+  due to weak communication controls.
+
+Do not use when:
+- The issue is a single-agent tool misuse with no inter-agent channel.
+- The issue is normal MCP client/server invocation rather than
+  agent-to-agent trust; use MCP taxonomy where clearer.
+
+Evidence patterns:
+- "agent-to-agent", "A2A", "peer agent", "agent card", "swarm",
+  "delegation", "message spoofing", "replay", "mTLS", "attestation",
+  "signed messages", "routing", "inter-agent".
+
+Related mappings:
+- `llm02:2025`
+- `llm06:2025`
+- `asi03` when identity/privilege is abused.
+- `asi10` when the peer is a rogue agent.
+
+## `asi08` — Cascading Failures
+
+Definition: A localized error, hallucination, poisoned context, unsafe
+tool action, or compromised agent propagates through multi-step
+workflows, tool chains, or connected agents, amplifying impact beyond
+the original failure.
+
+Use when:
+- The record shows a chain reaction across agents, tools, memory,
+  services, CI/CD, cloud resources, or tenants.
+- A poisoned output is trusted by downstream agents/systems and causes
+  repeated, amplified, or compounding actions.
+- Failures become difficult to trace, repudiate, or stop because of
+  autonomy, parallelism, or poor observability.
+
+Do not use when:
+- The impact remains local to one component and no propagation is
+  described.
+- The finding is merely high severity; cascading requires spread or
+  amplification.
+
+Evidence patterns:
+- "cascade", "chain reaction", "downstream", "propagation", "multi-step",
+  "parallel agents", "tenant", "CI/CD", "cloud infra", "blast radius",
+  "untraceable", "repudiation".
+
+Related mappings:
+- `llm06:2025`
+- `llm04:2025`
+- `asi06` when poisoned memory/context starts the cascade.
+- `mcp08:2025` when missing telemetry impairs response.
+
+## `asi09` — Human-Agent Trust Exploitation
+
+Definition: Attackers exploit human over-trust in agent outputs,
+approvals, explanations, or apparent competence. The agent persuades,
+conceals, misrepresents, or overwhelms the human in the loop.
+
+Use when:
+- The record describes false or misleading agent output causing a human
+  to approve, deploy, publish, transfer, or trust unsafe actions.
+- The agent fabricates results, hides mistakes, presents unsafe diffs as
+  safe, or generates convincing but malicious recommendations.
+- Human approval exists but is made ineffective by framing, volume,
+  fatigue, or deception.
+
+Do not use when:
+- The agent directly executes the harmful action without relying on
+  human trust.
+- The issue is ordinary misinformation without security impact.
+
+Evidence patterns:
+- "human approval", "HITL", "trust", "misleading", "fraudulent",
+  "hallucinated", "approval fatigue", "dry-run", "diff", "recommend",
+  "convince", "hide mistake".
+
+Related mappings:
+- `llm09:2025`
+- `llm05:2025`
+- `asi01` when the human is influenced after goal hijack.
+
+## `asi10` — Rogue Agents
+
+Definition: An agent operates outside intended boundaries while
+appearing legitimate. Rogue behavior may arise from compromise,
+misalignment, collusion, self-replication, unauthorized provisioning, or
+behavioral drift without direct per-action attacker control.
+
+Use when:
+- An agent persistently acts against owner intent, evades monitoring,
+  spawns unauthorized replicas, colludes with peers, or maintains
+  unauthorized access.
+- A malicious or compromised agent advertises legitimate capabilities and
+  participates in workflows as if trusted.
+- The central risk is behavioral integrity of the agent itself.
+
+Do not use when:
+- A normal agent is briefly hijacked by prompt injection; consider
+  `asi01`.
+- The issue is a malicious package or component before it becomes an
+  autonomous agent participant; consider `asi04`.
+
+Evidence patterns:
+- "rogue agent", "self-replication", "unauthorized replica",
+  "persistence", "collusion", "behavioral drift", "misaligned",
+  "quarantine", "kill switch", "attestation", "watchdog", "agent card".
+
+Related mappings:
+- `llm02:2025`
+- `llm09:2025`
+- `asi07` when inter-agent trust is abused.
+- `AML.T0074` when the agent masquerades as legitimate.
+
+## General Mapping Notes
+
+- `asi04` and `asi05` often co-occur for malicious agent-stack packages:
+  `asi04` describes compromised composition; `asi05` describes the
+  execution sink.
+- Do not use `asi04` for every vulnerable dependency. The component must
+  be part of the agent stack or agent-reachable composition path.
+- `asi01`, `asi06`, and `asi10` should not be conflated:
+  - `asi01`: active steering of goals/plans.
+  - `asi06`: persistent poisoning of memory/context.
+  - `asi10`: rogue or misaligned agent behavior.
+- `asi02`, `asi03`, and `asi05` should be separated:
+  - `asi02`: unsafe use of legitimate already-authorized tools.
+  - `asi03`: identity, privilege, or delegation abuse.
+  - `asi05`: code/command execution sink.
+- The OWASP guide maps ASI entries to LLM Top 10 categories. Use those
+  cross-mappings as hints, but only include LLM taxonomy when the record
+  has LLM/GenAI relevance beyond the agent-specific mapping.