traceforge-toolkit 0.1.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (205) hide show
  1. traceforge/__init__.py +72 -0
  2. traceforge/__main__.py +5 -0
  3. traceforge/_generated.py +254 -0
  4. traceforge/adapters/__init__.py +12 -0
  5. traceforge/adapters/base.py +82 -0
  6. traceforge/adapters/genai_otel.py +164 -0
  7. traceforge/adapters/mapped_json.py +297 -0
  8. traceforge/adapters/otel.py +220 -0
  9. traceforge/boundary/__init__.py +46 -0
  10. traceforge/boundary/data/boundary-model.joblib +0 -0
  11. traceforge/boundary/decode.py +87 -0
  12. traceforge/boundary/features.py +137 -0
  13. traceforge/boundary/inference.py +267 -0
  14. traceforge/boundary/inferencer.py +146 -0
  15. traceforge/classify/__init__.py +95 -0
  16. traceforge/classify/cmd.py +109 -0
  17. traceforge/classify/coding.py +213 -0
  18. traceforge/classify/config.py +554 -0
  19. traceforge/classify/core.py +266 -0
  20. traceforge/classify/data/binary_info.yaml +358 -0
  21. traceforge/classify/data/canonical_tools.yaml +251 -0
  22. traceforge/classify/data/effect_overrides.yaml +480 -0
  23. traceforge/classify/data/mcp_profiles.yaml +711 -0
  24. traceforge/classify/data/recommendation_rules.yaml +111 -0
  25. traceforge/classify/data/risk.yaml +534 -0
  26. traceforge/classify/data/shell_defaults.yaml +95 -0
  27. traceforge/classify/data/shell_rules.yaml +1192 -0
  28. traceforge/classify/data/tool_classifications.yaml +215 -0
  29. traceforge/classify/data/verb_inference.yaml +218 -0
  30. traceforge/classify/mcp.py +181 -0
  31. traceforge/classify/phases.py +75 -0
  32. traceforge/classify/powershell.py +93 -0
  33. traceforge/classify/registry.py +138 -0
  34. traceforge/classify/risk.py +553 -0
  35. traceforge/classify/rules.py +215 -0
  36. traceforge/classify/schema.yaml +282 -0
  37. traceforge/classify/shell.py +503 -0
  38. traceforge/classify/tools.py +91 -0
  39. traceforge/classify/workflow.py +32 -0
  40. traceforge/cli/__init__.py +42 -0
  41. traceforge/cli/config_cmd.py +130 -0
  42. traceforge/cli/detect.py +46 -0
  43. traceforge/cli/download_cmd.py +74 -0
  44. traceforge/cli/factory.py +60 -0
  45. traceforge/cli/gate_cmd.py +30 -0
  46. traceforge/cli/init_cmd.py +86 -0
  47. traceforge/cli/replay.py +130 -0
  48. traceforge/cli/runner.py +181 -0
  49. traceforge/cli/score.py +217 -0
  50. traceforge/cli/status.py +65 -0
  51. traceforge/cli/watch.py +297 -0
  52. traceforge/config/__init__.py +80 -0
  53. traceforge/config/defaults.py +149 -0
  54. traceforge/config/loader.py +239 -0
  55. traceforge/config/mappings.py +104 -0
  56. traceforge/config/models.py +579 -0
  57. traceforge/enricher.py +576 -0
  58. traceforge/formatting/__init__.py +12 -0
  59. traceforge/formatting/budget.py +92 -0
  60. traceforge/formatting/density.py +154 -0
  61. traceforge/gate/__init__.py +17 -0
  62. traceforge/gate/client.py +145 -0
  63. traceforge/gate/external.py +305 -0
  64. traceforge/gate/registry.py +108 -0
  65. traceforge/gate/server.py +174 -0
  66. traceforge/gates/__init__.py +8 -0
  67. traceforge/gates/pii.py +352 -0
  68. traceforge/gates/pii_patterns.yaml +228 -0
  69. traceforge/governance/__init__.py +121 -0
  70. traceforge/governance/assessor.py +441 -0
  71. traceforge/governance/budget.py +59 -0
  72. traceforge/governance/canonical.py +56 -0
  73. traceforge/governance/codec.py +414 -0
  74. traceforge/governance/context.py +249 -0
  75. traceforge/governance/drift.py +196 -0
  76. traceforge/governance/emitter.py +234 -0
  77. traceforge/governance/envelope.py +138 -0
  78. traceforge/governance/ifc.py +364 -0
  79. traceforge/governance/integrity.py +162 -0
  80. traceforge/governance/labeler.py +250 -0
  81. traceforge/governance/mcp_drift.py +328 -0
  82. traceforge/governance/monitor.py +539 -0
  83. traceforge/governance/observer.py +276 -0
  84. traceforge/governance/persistence.py +401 -0
  85. traceforge/governance/phase1.py +77 -0
  86. traceforge/governance/pii.py +276 -0
  87. traceforge/governance/pipeline.py +840 -0
  88. traceforge/governance/registry.py +110 -0
  89. traceforge/governance/results.py +183 -0
  90. traceforge/governance/risk_wrapper.py +113 -0
  91. traceforge/governance/rules.py +368 -0
  92. traceforge/governance/scorer.py +262 -0
  93. traceforge/governance/shield.py +318 -0
  94. traceforge/governance/state.py +466 -0
  95. traceforge/governance/types.py +176 -0
  96. traceforge/mappings/__init__.py +1 -0
  97. traceforge/mappings/aider.yaml +216 -0
  98. traceforge/mappings/aider_markdown.yaml +113 -0
  99. traceforge/mappings/amazonq.yaml +56 -0
  100. traceforge/mappings/antigravity.yaml +88 -0
  101. traceforge/mappings/claude.yaml +93 -0
  102. traceforge/mappings/cline.yaml +286 -0
  103. traceforge/mappings/codex.yaml +158 -0
  104. traceforge/mappings/continue_dev.yaml +57 -0
  105. traceforge/mappings/copilot.yaml +266 -0
  106. traceforge/mappings/copilot_markdown.yaml +72 -0
  107. traceforge/mappings/copilot_vscode.yaml +181 -0
  108. traceforge/mappings/crewai.yaml +592 -0
  109. traceforge/mappings/goose.yaml +128 -0
  110. traceforge/mappings/langgraph.yaml +165 -0
  111. traceforge/mappings/maf.yaml +90 -0
  112. traceforge/mappings/maf_transcript.yaml +99 -0
  113. traceforge/mappings/openai_agents.yaml +144 -0
  114. traceforge/mappings/opencode.yaml +473 -0
  115. traceforge/mappings/openhands.yaml +320 -0
  116. traceforge/mappings/pydantic_ai.yaml +183 -0
  117. traceforge/mappings/smolagents.yaml +89 -0
  118. traceforge/mappings/sweagent.yaml +82 -0
  119. traceforge/migrations/__init__.py +1 -0
  120. traceforge/migrations/env.py +60 -0
  121. traceforge/migrations/models.py +145 -0
  122. traceforge/migrations/runner.py +44 -0
  123. traceforge/migrations/script.py.mako +25 -0
  124. traceforge/migrations/versions/0001_initial.py +176 -0
  125. traceforge/migrations/versions/__init__.py +4 -0
  126. traceforge/models.py +29 -0
  127. traceforge/parsers/__init__.py +21 -0
  128. traceforge/parsers/aider.py +416 -0
  129. traceforge/parsers/base.py +226 -0
  130. traceforge/parsers/copilot.py +314 -0
  131. traceforge/phase/__init__.py +50 -0
  132. traceforge/phase/data/phase-model.joblib +0 -0
  133. traceforge/phase/data/potion-base-8M/README.md +99 -0
  134. traceforge/phase/data/potion-base-8M/config.json +13 -0
  135. traceforge/phase/data/potion-base-8M/model.safetensors +0 -0
  136. traceforge/phase/data/potion-base-8M/modules.json +14 -0
  137. traceforge/phase/data/potion-base-8M/tokenizer.json +1 -0
  138. traceforge/phase/event_rows.py +107 -0
  139. traceforge/phase/features.py +468 -0
  140. traceforge/phase/inference.py +279 -0
  141. traceforge/phase/inferencer.py +171 -0
  142. traceforge/phase/segmentation.py +258 -0
  143. traceforge/pipeline.py +891 -0
  144. traceforge/preprocessors/__init__.py +34 -0
  145. traceforge/preprocessors/amazonq.py +224 -0
  146. traceforge/preprocessors/antigravity.py +116 -0
  147. traceforge/preprocessors/claude.py +95 -0
  148. traceforge/preprocessors/cline.py +36 -0
  149. traceforge/preprocessors/codex.py +311 -0
  150. traceforge/preprocessors/continue_dev.py +119 -0
  151. traceforge/preprocessors/copilot_vscode.py +171 -0
  152. traceforge/preprocessors/goose.py +156 -0
  153. traceforge/preprocessors/maf_transcript.py +84 -0
  154. traceforge/preprocessors/openai_agents.py +86 -0
  155. traceforge/preprocessors/opencode.py +85 -0
  156. traceforge/preprocessors/openhands.py +36 -0
  157. traceforge/preprocessors/pydantic_ai.py +62 -0
  158. traceforge/preprocessors/registry.py +24 -0
  159. traceforge/preprocessors/smolagents.py +90 -0
  160. traceforge/py.typed +0 -0
  161. traceforge/sdk/__init__.py +59 -0
  162. traceforge/sdk/gate_policy.py +63 -0
  163. traceforge/sdk/gate_types.py +140 -0
  164. traceforge/sdk/pipeline.py +265 -0
  165. traceforge/sdk/verdict.py +81 -0
  166. traceforge/sinks/__init__.py +23 -0
  167. traceforge/sinks/base.py +95 -0
  168. traceforge/sinks/callback.py +132 -0
  169. traceforge/sinks/console.py +112 -0
  170. traceforge/sinks/factory.py +94 -0
  171. traceforge/sinks/jsonl.py +125 -0
  172. traceforge/sinks/otel_exporter.py +212 -0
  173. traceforge/sinks/parquet.py +260 -0
  174. traceforge/sinks/s3.py +206 -0
  175. traceforge/sinks/sqlite_output.py +234 -0
  176. traceforge/sinks/webhook.py +136 -0
  177. traceforge/sources/__init__.py +18 -0
  178. traceforge/sources/auto_detect.py +173 -0
  179. traceforge/sources/base.py +45 -0
  180. traceforge/sources/file_poll.py +136 -0
  181. traceforge/sources/file_watch.py +221 -0
  182. traceforge/sources/http_poll.py +141 -0
  183. traceforge/sources/replay.py +63 -0
  184. traceforge/sources/sqlite.py +187 -0
  185. traceforge/sources/sse.py +198 -0
  186. traceforge/telemetry/__init__.py +192 -0
  187. traceforge/title/__init__.py +23 -0
  188. traceforge/title/_resolve.py +79 -0
  189. traceforge/title/context.py +295 -0
  190. traceforge/title/data/boilerplate_files.json +14 -0
  191. traceforge/title/heuristics.py +429 -0
  192. traceforge/title/hygiene.py +90 -0
  193. traceforge/title/inference.py +314 -0
  194. traceforge/title/inferencer.py +477 -0
  195. traceforge/title/naming.py +398 -0
  196. traceforge/trace.py +291 -0
  197. traceforge/tracking/__init__.py +30 -0
  198. traceforge/tracking/models.py +115 -0
  199. traceforge/tracking/phase_tracker.py +288 -0
  200. traceforge/types.py +315 -0
  201. traceforge_toolkit-0.1.0.dist-info/METADATA +188 -0
  202. traceforge_toolkit-0.1.0.dist-info/RECORD +205 -0
  203. traceforge_toolkit-0.1.0.dist-info/WHEEL +4 -0
  204. traceforge_toolkit-0.1.0.dist-info/entry_points.txt +2 -0
  205. traceforge_toolkit-0.1.0.dist-info/licenses/LICENSE +21 -0
@@ -0,0 +1,111 @@
1
+ # Governance recommendation rules — first match wins (top-to-bottom).
2
+ # All `recommend` values are classification labels, not enforcement actions.
3
+
4
+ recommendation_rules:
5
+ # Critical: destructive at host/network scope
6
+ - id: destructive_host_network
7
+ when:
8
+ effect: destructive
9
+ scope: [host, network]
10
+ recommend: deny
11
+ reason: destructive_host_or_network
12
+
13
+ # Dangerous: destructive at repo/project scope
14
+ - id: destructive_repo_scope
15
+ when:
16
+ effect: destructive
17
+ scope: [repository, project]
18
+ recommend: escalate
19
+ reason: destructive_repo_scope
20
+
21
+ # Network exfiltration with mutation
22
+ - id: mutating_network
23
+ when:
24
+ effect: mutating
25
+ capability: [network_outbound]
26
+ recommend: escalate
27
+ reason: mutating_with_network
28
+
29
+ # Piped download-execute pattern
30
+ - id: piped_download_execute
31
+ when:
32
+ structure: [piped]
33
+ capability: { all_of: [network_outbound, arbitrary_execution] }
34
+ recommend: deny
35
+ reason: piped_download_execute
36
+
37
+ # Phase drift combined with destructive action
38
+ - id: drift_destructive
39
+ when:
40
+ structure: [phase_anomaly]
41
+ effect: destructive
42
+ recommend: deny
43
+ reason: drift_plus_destructive
44
+
45
+ # Budget pressure escalation
46
+ - id: budget_exceeded
47
+ when:
48
+ capability: [budget_pressure]
49
+ recommend: escalate
50
+ reason: budget_exceeded
51
+
52
+ # Credential exposure
53
+ - id: credential_exposure
54
+ when:
55
+ capability: [credential_exposure]
56
+ recommend: escalate
57
+ reason: credential_exposure
58
+
59
+ # PII with network — requires BOTH capabilities simultaneously
60
+ - id: pii_network
61
+ when:
62
+ capability: { all_of: [pii_exposure, network_outbound] }
63
+ recommend: deny
64
+ reason: pii_network_exfiltration
65
+
66
+ # MCP tool drift
67
+ - id: mcp_drift
68
+ when:
69
+ capability: [mcp_drift]
70
+ recommend: warn
71
+ reason: mcp_tool_fingerprint_changed
72
+
73
+ # IFC violation
74
+ - id: ifc_violation
75
+ when:
76
+ structure: [ifc_violation]
77
+ recommend: escalate
78
+ reason: ifc_clearance_violation
79
+
80
+ # Tainted flow
81
+ - id: tainted_flow
82
+ when:
83
+ structure: [tainted_flow]
84
+ recommend: warn
85
+ reason: tainted_data_flow
86
+
87
+ # Integrity verification failure
88
+ - id: integrity_unverified
89
+ when:
90
+ capability: [integrity_unverified]
91
+ recommend: warn
92
+ reason: content_integrity_mismatch
93
+
94
+ # Fallback risk score thresholds
95
+ - id: risk_critical
96
+ when:
97
+ risk_score: ">=85"
98
+ recommend: deny
99
+ reason: risk_score_critical
100
+
101
+ - id: risk_danger
102
+ when:
103
+ risk_score: ">=65"
104
+ recommend: escalate
105
+ reason: risk_score_danger
106
+
107
+ - id: risk_caution
108
+ when:
109
+ risk_score: ">=40"
110
+ recommend: warn
111
+ reason: risk_score_caution
@@ -0,0 +1,534 @@
1
+ # Risk scoring configuration for shell command enrichment.
2
+ # Produces a 0-100 score as analytics metadata — no blocking semantics.
3
+ #
4
+ # Weights are calibrated using CVSS v3.1, CWSS v1.0.1, NIST 800-30, and
5
+ # ToolEmu (Ruan et al. 2023) risk concepts as qualitative anchors. The
6
+ # resulting values are adapted to an additive 0-100 command-risk scale and
7
+ # are NOT CVSS/CWSS scores themselves.
8
+ #
9
+ # Scoring version: risk-v2
10
+ # Algorithm: structural + flag_bonus + min(patterns, cap) + taint + context_adj
11
+
12
+ version: "risk-v2"
13
+
14
+ # ═══════════════════════════════════════════════════════════════════════════
15
+ # Layer 1: Intent weights — Impact Severity dimension (0-42)
16
+ # ═══════════════════════════════════════════════════════════════════════════
17
+ # Grounded in CWSS Technical Impact (TI) factor:
18
+ # TI: Low=0.3, Medium=0.6, High=0.9, Critical=1.0
19
+ # (MITRE CWE/CWSS v1.0.1, §3.1 — Technical Impact)
20
+ # Mapped to 0-42 impact sub-band (50% of total score budget for impact):
21
+ # read_only → TI:Low (0.3 × 42 ≈ 12.6, discounted to 8: agent reads rarely harm)
22
+ # mutating → TI:Medium (0.6 × 42 ≈ 25.2, rounded to 24)
23
+ # destructive→ TI:High (0.9 × 42 ≈ 37.8, ceiling of band: irreversible local harm)
24
+ # unknown → TI:Medium (same as mutating; escalated by scope/flags/patterns)
25
+ # Rationale for unknown=24: NIST 800-30 Rev.1 §2.3 recommends "moderate"
26
+ # as default when threat characterization is uncertain; evidence-based
27
+ # dimensions (scope, flags, patterns) provide escalation.
28
+ intent_weights:
29
+ read_only: 8
30
+ mutating: 24
31
+ destructive: 42
32
+ unknown: 24
33
+
34
+ # ═══════════════════════════════════════════════════════════════════════════
35
+ # Layer 1: Scope modifiers — Scope/Privilege dimension (0-18)
36
+ # ═══════════════════════════════════════════════════════════════════════════
37
+ # Grounded in CVSS v3.1 Scope metric (Changed vs Unchanged adds 1.08×) and
38
+ # CWSS Acquired Privilege (AP) factor:
39
+ # AP: Administrator=1.0, Partially-privileged=0.9, Regular-user=0.7,
40
+ # Limited/Guest=0.6, None=0.1
41
+ # (MITRE CWE/CWSS v1.0.1, §3.2 — Acquired Privilege)
42
+ # Scaled to 0-18 (budget: ~18% of total score):
43
+ # source_code = 0 (own workspace, no scope change)
44
+ # config = 3 (AP:None→Limited, may affect runtime behavior)
45
+ # dependency = 4 (supply chain — downstream build impact)
46
+ # build_output = 0 (ephemeral, no persistent scope change)
47
+ # system.os = 14 (CVSS Scope:Changed — affects kernel/system-level)
48
+ # system.secrets= 18 (max: credential compromise affects OTHER systems)
49
+ # system.network= 14 (AV:Network-adjacent — CVSS v3.1 AV:A=0.62 scaled)
50
+ # external.service=10 (affects external parties — CVSS Scope:Changed partial)
51
+ # external.api = 6 (scoped API, limited blast radius)
52
+ scope_modifiers:
53
+ "artifact.source_code": 0
54
+ "artifact.config": 3
55
+ "artifact.dependency": 4
56
+ "artifact.build_output": 0
57
+ "system.os": 14
58
+ "system.secrets": 18
59
+ "system.network": 14
60
+ "external.service": 10
61
+ "external.api": 6
62
+
63
+ # ═══════════════════════════════════════════════════════════════════════════
64
+ # Layer 1: Sensitive path bonuses
65
+ # ═══════════════════════════════════════════════════════════════════════════
66
+ # Applied when file targets match known-sensitive path patterns.
67
+ # Overrides scope_modifiers if higher — represents confirmed sensitivity.
68
+ # Grounded in CWSS AP factor scaled to 0-20 (AP:Admin=1.0 → 20):
69
+ # secrets: AP:Administrator (1.0 × 20 = 20) — credential access
70
+ # system: AP:Regular-user (0.7 × 20 = 14) — system file access
71
+ sensitive_path_bonuses:
72
+ secrets: 20
73
+ system: 14
74
+
75
+ # ═══════════════════════════════════════════════════════════════════════════
76
+ # Capability escalation weights (used for native/MCP tool risk scoring)
77
+ # ═══════════════════════════════════════════════════════════════════════════
78
+ # Grounded in CVSS v3.1 Attack Vector (AV) and Privileges Required (PR):
79
+ # AV: Network=0.85, Adjacent=0.62, Local=0.55, Physical=0.20
80
+ # PR: None=0.85, Low=0.62, High=0.27
81
+ # Applied as additive bonus when a tool's Classification includes these
82
+ # capabilities. Only relevant for native/MCP tools (shell tools use
83
+ # flag/pattern analysis instead).
84
+ capability_weights:
85
+ # Network access increases blast radius — CVSS AV:Network (0.85)
86
+ network_outbound: 10
87
+ network_inbound: 8
88
+ # Subprocess spawning — potential for uncontrolled execution
89
+ subprocess: 12
90
+ # Credential access — CVSS C:High (0.56) for confidentiality impact
91
+ uses_credentials: 15
92
+ # Privilege escalation — CVSS PR:None (0.85) vs PR:High (0.27)
93
+ elevated_privilege: 18
94
+
95
+ # ═══════════════════════════════════════════════════════════════════════════
96
+ # Layer 2: Per-binary flag risk modifiers
97
+ # ═══════════════════════════════════════════════════════════════════════════
98
+ # Grounded in CVSS v3.1 Privileges Required (PR) ratio and ToolEmu
99
+ # reversibility categorization:
100
+ # CVSS PR: None=0.85, Low=0.62, High=0.27 (FIRST SIG empirical weights)
101
+ # Ratio PR:None / PR:High = 3.15× — privilege escalation is ~3× riskier
102
+ # ToolEmu: Reversible < Partially-reversible < Irreversible
103
+ #
104
+ # Modifier design principle: each flag rule adds risk proportional to how
105
+ # much it increases impact scope or reduces reversibility.
106
+ flag_modifiers:
107
+ rm:
108
+ # -r increases blast radius (scope escalation)
109
+ # Grounding: CVSS Scope:Changed (1.08×) applied to destructive base
110
+ - flags: ["-r", "--recursive"]
111
+ requires_all: false
112
+ modifier: 12
113
+ factor: "recursive_flag"
114
+ # -f removes interactive safety prompt (reduces reversibility)
115
+ # Grounding: ToolEmu "partially-reversible → irreversible" transition
116
+ - flags: ["-f", "--force"]
117
+ requires_all: false
118
+ modifier: 8
119
+ factor: "force_flag"
120
+ # --no-preserve-root: irreversible system-wide destruction
121
+ # Grounding: ToolEmu "catastrophic" + DREAD Reproducibility=0
122
+ - flags: ["--no-preserve-root"]
123
+ requires_all: false
124
+ modifier: 20
125
+ factor: "root_deletion"
126
+ mitre: "T1485"
127
+ docker:
128
+ # --privileged: full host root access from container
129
+ # Grounding: CVSS PR:None (0.85) — effectively no privilege barrier
130
+ - flags: ["--privileged"]
131
+ requires_all: false
132
+ modifier: 25
133
+ factor: "privileged_container"
134
+ mitre: "T1610"
135
+ # --cap-add: partial privilege escalation
136
+ # Grounding: CWSS AP:Partially-privileged (0.9) vs Regular (0.7) → ~1.3×
137
+ - flags: ["--cap-add"]
138
+ requires_all: false
139
+ modifier: 15
140
+ factor: "added_capability"
141
+ curl:
142
+ # Data upload flags: potential exfiltration channel
143
+ # Grounding: CVSS C:High (0.56) — confidentiality impact
144
+ - flags: ["-X", "--request", "-d", "--data", "--data-raw", "--upload-file", "-T"]
145
+ requires_all: false
146
+ modifier: 12
147
+ factor: "data_upload"
148
+ mitre: "T1041"
149
+ chmod:
150
+ # setuid: direct privilege escalation
151
+ # Grounding: CVSS PR:None (0.85) — any user can exploit setuid binary
152
+ - flags: ["+s", "u+s", "g+s"]
153
+ requires_all: false
154
+ modifier: 25
155
+ factor: "setuid"
156
+ mitre: "T1548.001"
157
+ - flags: ["4755", "4775", "2755"]
158
+ requires_all: false
159
+ modifier: 25
160
+ factor: "setuid_numeric"
161
+ mitre: "T1548.001"
162
+ sudo:
163
+ # Privilege escalation: intended but still high-risk
164
+ # Grounding: CVSS PR:None/PR:Low boundary (0.85 vs 0.62 → ~1.37×)
165
+ # Lower than chmod +s because sudo is an audited, intended mechanism
166
+ - flags: []
167
+ requires_all: false
168
+ modifier: 18
169
+ factor: "privilege_escalation"
170
+ mitre: "T1548.001"
171
+ dd:
172
+ # Raw disk access: potentially irreversible
173
+ # Grounding: ToolEmu "catastrophic" category — raw block device I/O
174
+ - flags: []
175
+ requires_all: false
176
+ modifier: 15
177
+ factor: "raw_disk_access"
178
+ kubectl:
179
+ # Cluster-wide scope: affects all namespaces
180
+ # Grounding: CVSS Scope:Changed — blast radius extends beyond workspace
181
+ - flags: ["--all-namespaces", "-A"]
182
+ requires_all: false
183
+ modifier: 8
184
+ factor: "cluster_wide"
185
+ # Container exec: lateral movement
186
+ # Grounding: CVSS AV:Adjacent (0.62) — network-adjacent access
187
+ - flags: ["exec"]
188
+ requires_all: false
189
+ modifier: 12
190
+ factor: "container_exec"
191
+ find:
192
+ # find -delete: filesystem-wide destruction without rm
193
+ # Grounding: ToolEmu "irreversible" — recursive delete with no undo
194
+ - flags: ["-delete"]
195
+ requires_all: false
196
+ modifier: 18
197
+ factor: "find_delete"
198
+ mitre: "T1485"
199
+ # find -exec: arbitrary command execution on matched files
200
+ # Grounding: CVSS AC:Low — execution on potentially many targets
201
+ - flags: ["-exec", "-execdir"]
202
+ requires_all: false
203
+ modifier: 12
204
+ factor: "find_exec"
205
+ mitre: "T1059.004"
206
+ mkfs:
207
+ # Disk formatting: catastrophic irreversible operation
208
+ # Grounding: ToolEmu "catastrophic" + DREAD Reproducibility=0
209
+ - flags: []
210
+ requires_all: false
211
+ modifier: 25
212
+ factor: "disk_format"
213
+ mitre: "T1485"
214
+ kill:
215
+ # kill -9 / SIGKILL: no graceful shutdown, potential data loss
216
+ # Grounding: ToolEmu "partially-reversible" — processes lost
217
+ - flags: ["-9", "-KILL", "--signal=9", "--signal=KILL"]
218
+ requires_all: false
219
+ modifier: 10
220
+ factor: "forced_kill"
221
+ systemctl:
222
+ # Service control: system-wide availability impact
223
+ # Grounding: CVSS A:High (0.56) — service disruption
224
+ - flags: ["stop", "disable", "mask"]
225
+ requires_all: false
226
+ modifier: 12
227
+ factor: "service_disruption"
228
+ iptables:
229
+ # Firewall mutation: network security boundary change
230
+ # Grounding: CVSS Scope:Changed + I:High — affects network security posture
231
+ - flags: ["-F", "--flush", "-X", "-D"]
232
+ requires_all: false
233
+ modifier: 18
234
+ factor: "firewall_mutation"
235
+ mitre: "T1562.004"
236
+ truncate:
237
+ # File truncation: data destruction
238
+ # Grounding: ToolEmu "partially-reversible" — data lost
239
+ - flags: []
240
+ requires_all: false
241
+ modifier: 12
242
+ factor: "file_truncation"
243
+ aws:
244
+ # --force: skip confirmation prompts on destructive operations
245
+ # Grounding: ToolEmu "partially-reversible → irreversible" — bypasses safety
246
+ - flags: ["--force"]
247
+ requires_all: false
248
+ modifier: 10
249
+ factor: "force_flag"
250
+ # --recursive: scope escalation for S3 and IAM operations
251
+ # Grounding: CVSS Scope:Changed (1.08×) — affects multiple resources
252
+ - flags: ["--recursive"]
253
+ requires_all: false
254
+ modifier: 10
255
+ factor: "recursive_flag"
256
+ # --no-verify-ssl: disables TLS verification (MITM risk)
257
+ # Grounding: CVSS AV:Network + weakened confidentiality
258
+ - flags: ["--no-verify-ssl"]
259
+ requires_all: false
260
+ modifier: 15
261
+ factor: "tls_bypass"
262
+ mitre: "T1557"
263
+ az:
264
+ # --yes / -y: skip confirmation prompts
265
+ # Grounding: ToolEmu — removes human-in-the-loop safety check
266
+ - flags: ["--yes", "-y"]
267
+ requires_all: false
268
+ modifier: 8
269
+ factor: "skip_confirmation"
270
+ # --force-string: bypass template validation
271
+ - flags: ["--force-string"]
272
+ requires_all: false
273
+ modifier: 6
274
+ factor: "force_string"
275
+ # --no-wait: fire-and-forget mode for destructive operations
276
+ # Grounding: reduces observability of impact
277
+ - flags: ["--no-wait"]
278
+ requires_all: false
279
+ modifier: 4
280
+ factor: "async_unmonitored"
281
+ gcloud:
282
+ # --quiet / -q: suppresses all interactive prompts
283
+ # Grounding: ToolEmu — removes human-in-the-loop safety check
284
+ - flags: ["--quiet", "-q"]
285
+ requires_all: false
286
+ modifier: 8
287
+ factor: "quiet_mode"
288
+ # --force: skip confirmation on destructive operations
289
+ - flags: ["--force"]
290
+ requires_all: false
291
+ modifier: 10
292
+ factor: "force_flag"
293
+ # --delete-all-versions: version-level destruction
294
+ # Grounding: CVSS Scope:Changed — affects all versions, not just current
295
+ - flags: ["--delete-all-versions"]
296
+ requires_all: false
297
+ modifier: 12
298
+ factor: "all_versions_delete"
299
+
300
+ # ═══════════════════════════════════════════════════════════════════════════
301
+ # Layer 3: Injection/evasion patterns (regex on raw command text)
302
+ # ═══════════════════════════════════════════════════════════════════════════
303
+ # Grounded in CVSS v3.1 User Interaction (UI) metric:
304
+ # UI:None = 0.85, UI:Required = 0.62
305
+ # Injection removes the need for user interaction → max exploitability.
306
+ # Additive, capped at max_pattern_bonus to prevent overflow from
307
+ # multi-signal commands (defense-in-depth scoring).
308
+ max_pattern_bonus: 25
309
+
310
+ injection_patterns:
311
+ # Direct code execution — CVSS AC:Low (0.77) + UI:None (0.85)
312
+ - pattern: '\beval\s'
313
+ score: 20
314
+ factor: "eval_usage"
315
+ mitre: "T1059.004"
316
+ # Pipe to interpreter — equivalent to eval for risk purposes
317
+ - pattern: '\|\s*(?:bash|sh|zsh|fish|dash|ksh|python[23]?|perl|ruby|node)\b'
318
+ score: 20
319
+ factor: "pipe_to_shell"
320
+ mitre: "T1204.002"
321
+ # Interpreter with -c/-e flag: inline code execution
322
+ # Grounding: same as eval — arbitrary code from string argument
323
+ - pattern: '\b(?:bash|sh|zsh|dash|ksh)\s+-c\s'
324
+ score: 18
325
+ factor: "shell_inline_exec"
326
+ mitre: "T1059.004"
327
+ - pattern: '\b(?:python[23]?|perl|ruby|node)\s+-[ce]\s'
328
+ score: 18
329
+ factor: "interpreter_inline_exec"
330
+ mitre: "T1059"
331
+ # xargs piping to shell — indirect execution on iterated input
332
+ - pattern: '\bxargs\b.*\b(?:sh|bash|zsh)\s+-c'
333
+ score: 18
334
+ factor: "xargs_shell_exec"
335
+ mitre: "T1059.004"
336
+ # Command substitution via $() or backticks — dynamic code generation
337
+ - pattern: '\$\([^)]+\)|`[^`]+`'
338
+ score: 10
339
+ factor: "command_substitution"
340
+ mitre: "T1059.004"
341
+ # Library injection — CVSS PR:Low (0.62), requires local access
342
+ - pattern: 'LD_PRELOAD'
343
+ score: 20
344
+ factor: "ld_preload"
345
+ mitre: "T1574.006"
346
+ # Bash network redirection — CVSS AV:Network (0.85)
347
+ - pattern: '/dev/(?:tcp|udp)/'
348
+ score: 20
349
+ factor: "dev_tcp_udp"
350
+ mitre: "T1071.001"
351
+ # Recursive permission broadening — system-wide security degradation
352
+ # Grounding: CVSS I:High + Scope:Changed — weakens all file protections
353
+ - pattern: 'chmod\s+(-R\s+)?[0-7]*7[0-7]{2}\s'
354
+ score: 15
355
+ factor: "permission_broadening"
356
+ mitre: "T1222.002"
357
+ # Defense evasion — reduces detectability, not direct harm
358
+ # Lower score: CVSS impact is on Availability of audit trail only
359
+ - pattern: 'HISTFILE|HISTSIZE=0|unset\s+HISTFILE'
360
+ score: 12
361
+ factor: "history_manipulation"
362
+ mitre: "T1070.003"
363
+ # Info disclosure — CVSS C:High but no I/A impact
364
+ - pattern: '/proc/self/environ'
365
+ score: 15
366
+ factor: "proc_environ"
367
+ mitre: "T1082"
368
+ # Obfuscation indicator — CVSS: no direct impact, signals evasion intent
369
+ - pattern: '\\x[0-9a-fA-F]{2}'
370
+ score: 10
371
+ factor: "hex_escape"
372
+ mitre: "T1027"
373
+
374
+ # ═══════════════════════════════════════════════════════════════════════════
375
+ # Pipeline taint rules
376
+ # ═══════════════════════════════════════════════════════════════════════════
377
+ # Applied only when commands are connected by | (pipe), not ;/&&/||.
378
+ # Grounded in CVSS attack chain composition — multi-step attacks compound:
379
+ # CVSS v3.1 §7.4: chained vulnerabilities score via highest-impact link.
380
+ # Source/sink determined by effect + path sensitivity of pipe segments.
381
+ taint_rules:
382
+ # Credential exfiltration — CVSS C:High (0.56) × AV:Network (0.85)
383
+ # Compound: 0.56 × 0.85 × 63 (scale factor) ≈ 30
384
+ - source: "sensitive_read"
385
+ sink: "network"
386
+ escalation: 30
387
+ factor: "secrets_exfiltration"
388
+ mitre: "T1041"
389
+ # Credentials fed to execution — CVSS C:High × I:High locally
390
+ - source: "sensitive_read"
391
+ sink: "execution"
392
+ escalation: 22
393
+ factor: "secrets_to_exec"
394
+ mitre: "T1059.004"
395
+ # Encoded exfiltration — evasion + exfil compound
396
+ # Slightly lower confidence than direct sensitive_read→network
397
+ - source: "any_read"
398
+ sink: "network"
399
+ has_encoding: true
400
+ escalation: 22
401
+ factor: "encoded_exfiltration"
402
+ mitre: "T1132.001"
403
+ # Download-and-execute — CVSS initial access chain (T1204.002)
404
+ # Same severity as credential exfiltration (RCE equivalent)
405
+ - source: "network"
406
+ sink: "execution"
407
+ escalation: 30
408
+ factor: "download_and_exec"
409
+ mitre: "T1204.002"
410
+ # Generic read→exec — lower confidence of actual harm
411
+ - source: "any_read"
412
+ sink: "execution"
413
+ escalation: 12
414
+ factor: "read_to_exec"
415
+ mitre: "T1059.004"
416
+
417
+ # ═══════════════════════════════════════════════════════════════════════════
418
+ # Sensitive path patterns (glob-style)
419
+ # ═══════════════════════════════════════════════════════════════════════════
420
+ # Used for taint source classification and scope modifier escalation.
421
+ sensitive_paths:
422
+ secrets:
423
+ - ".env"
424
+ - ".env.*"
425
+ - "*.pem"
426
+ - "*.key"
427
+ - "*.p12"
428
+ - "id_rsa*"
429
+ - "id_ed25519*"
430
+ - ".ssh/*"
431
+ - ".aws/credentials"
432
+ - ".aws/config"
433
+ - ".kube/config"
434
+ - ".docker/config.json"
435
+ - ".gnupg/*"
436
+ - ".netrc"
437
+ - "terraform.tfstate"
438
+ - "*.tfvars"
439
+ system:
440
+ - "/etc/passwd"
441
+ - "/etc/shadow"
442
+ - "/etc/sudoers"
443
+ - "/etc/hosts"
444
+ - "/proc/*/environ"
445
+ - "/proc/self/*"
446
+
447
+ # ═══════════════════════════════════════════════════════════════════════════
448
+ # Encoding propagators (binaries that transform but preserve data)
449
+ # ═══════════════════════════════════════════════════════════════════════════
450
+ encoding_commands:
451
+ - "base64"
452
+ - "b64encode"
453
+ - "xxd"
454
+ - "od"
455
+ - "hexdump"
456
+ - "gzip"
457
+ - "gunzip"
458
+ - "bzip2"
459
+ - "xz"
460
+ - "openssl"
461
+ - "gpg"
462
+
463
+ # ═══════════════════════════════════════════════════════════════════════════
464
+ # GTFOBins subset: binaries with shell escape / reverse shell capability
465
+ # ═══════════════════════════════════════════════════════════════════════════
466
+ # Source: GTFOBins project (https://gtfobins.github.io/)
467
+ # Used as a modifier when these binaries appear with suspicious patterns.
468
+ gtfobins:
469
+ shell_escape:
470
+ - "vim"
471
+ - "vi"
472
+ - "less"
473
+ - "more"
474
+ - "man"
475
+ - "ftp"
476
+ - "gdb"
477
+ - "awk"
478
+ - "nawk"
479
+ - "mawk"
480
+ reverse_shell:
481
+ - "nc"
482
+ - "ncat"
483
+ - "socat"
484
+ - "telnet"
485
+ - "bash"
486
+ - "python"
487
+ - "python3"
488
+ - "perl"
489
+ - "ruby"
490
+ - "php"
491
+ - "node"
492
+ file_rw:
493
+ - "tar"
494
+ - "zip"
495
+ - "cpio"
496
+ - "rsync"
497
+ - "scp"
498
+ - "curl"
499
+ - "wget"
500
+
501
+ # GTFOBins modifier: applied when binary has a relevant capability AND
502
+ # the command has network or elevated-privilege intent.
503
+ # Grounding: CVSS v3.1 "existing conditions" modifier — known-capable
504
+ # binary in a risk-relevant context warrants escalation.
505
+ gtfobins_modifier: 10
506
+
507
+ # ═══════════════════════════════════════════════════════════════════════════
508
+ # Context adjustments
509
+ # ═══════════════════════════════════════════════════════════════════════════
510
+ # Grounded in CWSS Acquired Privilege Layer (AL) and CVSS Scope metric:
511
+ # inside_project: CWSS AL "Default installation" mitigator — sandboxed
512
+ # escapes_project: CVSS Scope:Changed — affects components beyond workspace
513
+ # no_context: NIST 800-30 "uncertain" → moderate assumption (§2.3)
514
+ context_adjustments:
515
+ inside_project: -8
516
+ inside_build_dir: -4
517
+ escapes_project: 15
518
+ no_context: 4
519
+
520
+ # ═══════════════════════════════════════════════════════════════════════════
521
+ # Score bands
522
+ # ═══════════════════════════════════════════════════════════════════════════
523
+ # Adapted from NIST 800-30 Rev.1 semi-quantitative risk levels
524
+ # (Table I-2: Very Low 0-4, Low 5-20, Moderate 21-79, High 80-95, VHigh 96-100)
525
+ # Compressed to 4 levels for agent observability context:
526
+ # safe = NIST Very-Low + Low (benign reads, simple listings)
527
+ # caution = NIST Low-Moderate (mutations, project-scoped writes)
528
+ # danger = NIST Moderate-High (system mutations, privilege use)
529
+ # critical = NIST High+ (irreversible, escalation, exfiltration chains)
530
+ levels:
531
+ safe: [0, 20]
532
+ caution: [21, 45]
533
+ danger: [46, 75]
534
+ critical: [76, 100]