traceforge-toolkit 0.1.0__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- traceforge/__init__.py +72 -0
- traceforge/__main__.py +5 -0
- traceforge/_generated.py +254 -0
- traceforge/adapters/__init__.py +12 -0
- traceforge/adapters/base.py +82 -0
- traceforge/adapters/genai_otel.py +164 -0
- traceforge/adapters/mapped_json.py +297 -0
- traceforge/adapters/otel.py +220 -0
- traceforge/boundary/__init__.py +46 -0
- traceforge/boundary/data/boundary-model.joblib +0 -0
- traceforge/boundary/decode.py +87 -0
- traceforge/boundary/features.py +137 -0
- traceforge/boundary/inference.py +267 -0
- traceforge/boundary/inferencer.py +146 -0
- traceforge/classify/__init__.py +95 -0
- traceforge/classify/cmd.py +109 -0
- traceforge/classify/coding.py +213 -0
- traceforge/classify/config.py +554 -0
- traceforge/classify/core.py +266 -0
- traceforge/classify/data/binary_info.yaml +358 -0
- traceforge/classify/data/canonical_tools.yaml +251 -0
- traceforge/classify/data/effect_overrides.yaml +480 -0
- traceforge/classify/data/mcp_profiles.yaml +711 -0
- traceforge/classify/data/recommendation_rules.yaml +111 -0
- traceforge/classify/data/risk.yaml +534 -0
- traceforge/classify/data/shell_defaults.yaml +95 -0
- traceforge/classify/data/shell_rules.yaml +1192 -0
- traceforge/classify/data/tool_classifications.yaml +215 -0
- traceforge/classify/data/verb_inference.yaml +218 -0
- traceforge/classify/mcp.py +181 -0
- traceforge/classify/phases.py +75 -0
- traceforge/classify/powershell.py +93 -0
- traceforge/classify/registry.py +138 -0
- traceforge/classify/risk.py +553 -0
- traceforge/classify/rules.py +215 -0
- traceforge/classify/schema.yaml +282 -0
- traceforge/classify/shell.py +503 -0
- traceforge/classify/tools.py +91 -0
- traceforge/classify/workflow.py +32 -0
- traceforge/cli/__init__.py +42 -0
- traceforge/cli/config_cmd.py +130 -0
- traceforge/cli/detect.py +46 -0
- traceforge/cli/download_cmd.py +74 -0
- traceforge/cli/factory.py +60 -0
- traceforge/cli/gate_cmd.py +30 -0
- traceforge/cli/init_cmd.py +86 -0
- traceforge/cli/replay.py +130 -0
- traceforge/cli/runner.py +181 -0
- traceforge/cli/score.py +217 -0
- traceforge/cli/status.py +65 -0
- traceforge/cli/watch.py +297 -0
- traceforge/config/__init__.py +80 -0
- traceforge/config/defaults.py +149 -0
- traceforge/config/loader.py +239 -0
- traceforge/config/mappings.py +104 -0
- traceforge/config/models.py +579 -0
- traceforge/enricher.py +576 -0
- traceforge/formatting/__init__.py +12 -0
- traceforge/formatting/budget.py +92 -0
- traceforge/formatting/density.py +154 -0
- traceforge/gate/__init__.py +17 -0
- traceforge/gate/client.py +145 -0
- traceforge/gate/external.py +305 -0
- traceforge/gate/registry.py +108 -0
- traceforge/gate/server.py +174 -0
- traceforge/gates/__init__.py +8 -0
- traceforge/gates/pii.py +352 -0
- traceforge/gates/pii_patterns.yaml +228 -0
- traceforge/governance/__init__.py +121 -0
- traceforge/governance/assessor.py +441 -0
- traceforge/governance/budget.py +59 -0
- traceforge/governance/canonical.py +56 -0
- traceforge/governance/codec.py +414 -0
- traceforge/governance/context.py +249 -0
- traceforge/governance/drift.py +196 -0
- traceforge/governance/emitter.py +234 -0
- traceforge/governance/envelope.py +138 -0
- traceforge/governance/ifc.py +364 -0
- traceforge/governance/integrity.py +162 -0
- traceforge/governance/labeler.py +250 -0
- traceforge/governance/mcp_drift.py +328 -0
- traceforge/governance/monitor.py +539 -0
- traceforge/governance/observer.py +276 -0
- traceforge/governance/persistence.py +401 -0
- traceforge/governance/phase1.py +77 -0
- traceforge/governance/pii.py +276 -0
- traceforge/governance/pipeline.py +840 -0
- traceforge/governance/registry.py +110 -0
- traceforge/governance/results.py +183 -0
- traceforge/governance/risk_wrapper.py +113 -0
- traceforge/governance/rules.py +368 -0
- traceforge/governance/scorer.py +262 -0
- traceforge/governance/shield.py +318 -0
- traceforge/governance/state.py +466 -0
- traceforge/governance/types.py +176 -0
- traceforge/mappings/__init__.py +1 -0
- traceforge/mappings/aider.yaml +216 -0
- traceforge/mappings/aider_markdown.yaml +113 -0
- traceforge/mappings/amazonq.yaml +56 -0
- traceforge/mappings/antigravity.yaml +88 -0
- traceforge/mappings/claude.yaml +93 -0
- traceforge/mappings/cline.yaml +286 -0
- traceforge/mappings/codex.yaml +158 -0
- traceforge/mappings/continue_dev.yaml +57 -0
- traceforge/mappings/copilot.yaml +266 -0
- traceforge/mappings/copilot_markdown.yaml +72 -0
- traceforge/mappings/copilot_vscode.yaml +181 -0
- traceforge/mappings/crewai.yaml +592 -0
- traceforge/mappings/goose.yaml +128 -0
- traceforge/mappings/langgraph.yaml +165 -0
- traceforge/mappings/maf.yaml +90 -0
- traceforge/mappings/maf_transcript.yaml +99 -0
- traceforge/mappings/openai_agents.yaml +144 -0
- traceforge/mappings/opencode.yaml +473 -0
- traceforge/mappings/openhands.yaml +320 -0
- traceforge/mappings/pydantic_ai.yaml +183 -0
- traceforge/mappings/smolagents.yaml +89 -0
- traceforge/mappings/sweagent.yaml +82 -0
- traceforge/migrations/__init__.py +1 -0
- traceforge/migrations/env.py +60 -0
- traceforge/migrations/models.py +145 -0
- traceforge/migrations/runner.py +44 -0
- traceforge/migrations/script.py.mako +25 -0
- traceforge/migrations/versions/0001_initial.py +176 -0
- traceforge/migrations/versions/__init__.py +4 -0
- traceforge/models.py +29 -0
- traceforge/parsers/__init__.py +21 -0
- traceforge/parsers/aider.py +416 -0
- traceforge/parsers/base.py +226 -0
- traceforge/parsers/copilot.py +314 -0
- traceforge/phase/__init__.py +50 -0
- traceforge/phase/data/phase-model.joblib +0 -0
- traceforge/phase/data/potion-base-8M/README.md +99 -0
- traceforge/phase/data/potion-base-8M/config.json +13 -0
- traceforge/phase/data/potion-base-8M/model.safetensors +0 -0
- traceforge/phase/data/potion-base-8M/modules.json +14 -0
- traceforge/phase/data/potion-base-8M/tokenizer.json +1 -0
- traceforge/phase/event_rows.py +107 -0
- traceforge/phase/features.py +468 -0
- traceforge/phase/inference.py +279 -0
- traceforge/phase/inferencer.py +171 -0
- traceforge/phase/segmentation.py +258 -0
- traceforge/pipeline.py +891 -0
- traceforge/preprocessors/__init__.py +34 -0
- traceforge/preprocessors/amazonq.py +224 -0
- traceforge/preprocessors/antigravity.py +116 -0
- traceforge/preprocessors/claude.py +95 -0
- traceforge/preprocessors/cline.py +36 -0
- traceforge/preprocessors/codex.py +311 -0
- traceforge/preprocessors/continue_dev.py +119 -0
- traceforge/preprocessors/copilot_vscode.py +171 -0
- traceforge/preprocessors/goose.py +156 -0
- traceforge/preprocessors/maf_transcript.py +84 -0
- traceforge/preprocessors/openai_agents.py +86 -0
- traceforge/preprocessors/opencode.py +85 -0
- traceforge/preprocessors/openhands.py +36 -0
- traceforge/preprocessors/pydantic_ai.py +62 -0
- traceforge/preprocessors/registry.py +24 -0
- traceforge/preprocessors/smolagents.py +90 -0
- traceforge/py.typed +0 -0
- traceforge/sdk/__init__.py +59 -0
- traceforge/sdk/gate_policy.py +63 -0
- traceforge/sdk/gate_types.py +140 -0
- traceforge/sdk/pipeline.py +265 -0
- traceforge/sdk/verdict.py +81 -0
- traceforge/sinks/__init__.py +23 -0
- traceforge/sinks/base.py +95 -0
- traceforge/sinks/callback.py +132 -0
- traceforge/sinks/console.py +112 -0
- traceforge/sinks/factory.py +94 -0
- traceforge/sinks/jsonl.py +125 -0
- traceforge/sinks/otel_exporter.py +212 -0
- traceforge/sinks/parquet.py +260 -0
- traceforge/sinks/s3.py +206 -0
- traceforge/sinks/sqlite_output.py +234 -0
- traceforge/sinks/webhook.py +136 -0
- traceforge/sources/__init__.py +18 -0
- traceforge/sources/auto_detect.py +173 -0
- traceforge/sources/base.py +45 -0
- traceforge/sources/file_poll.py +136 -0
- traceforge/sources/file_watch.py +221 -0
- traceforge/sources/http_poll.py +141 -0
- traceforge/sources/replay.py +63 -0
- traceforge/sources/sqlite.py +187 -0
- traceforge/sources/sse.py +198 -0
- traceforge/telemetry/__init__.py +192 -0
- traceforge/title/__init__.py +23 -0
- traceforge/title/_resolve.py +79 -0
- traceforge/title/context.py +295 -0
- traceforge/title/data/boilerplate_files.json +14 -0
- traceforge/title/heuristics.py +429 -0
- traceforge/title/hygiene.py +90 -0
- traceforge/title/inference.py +314 -0
- traceforge/title/inferencer.py +477 -0
- traceforge/title/naming.py +398 -0
- traceforge/trace.py +291 -0
- traceforge/tracking/__init__.py +30 -0
- traceforge/tracking/models.py +115 -0
- traceforge/tracking/phase_tracker.py +288 -0
- traceforge/types.py +315 -0
- traceforge_toolkit-0.1.0.dist-info/METADATA +188 -0
- traceforge_toolkit-0.1.0.dist-info/RECORD +205 -0
- traceforge_toolkit-0.1.0.dist-info/WHEEL +4 -0
- traceforge_toolkit-0.1.0.dist-info/entry_points.txt +2 -0
- traceforge_toolkit-0.1.0.dist-info/licenses/LICENSE +21 -0
|
@@ -0,0 +1,111 @@
|
|
|
1
|
+
# Governance recommendation rules — first match wins (top-to-bottom).
|
|
2
|
+
# All `recommend` values are classification labels, not enforcement actions.
|
|
3
|
+
|
|
4
|
+
recommendation_rules:
|
|
5
|
+
# Critical: destructive at host/network scope
|
|
6
|
+
- id: destructive_host_network
|
|
7
|
+
when:
|
|
8
|
+
effect: destructive
|
|
9
|
+
scope: [host, network]
|
|
10
|
+
recommend: deny
|
|
11
|
+
reason: destructive_host_or_network
|
|
12
|
+
|
|
13
|
+
# Dangerous: destructive at repo/project scope
|
|
14
|
+
- id: destructive_repo_scope
|
|
15
|
+
when:
|
|
16
|
+
effect: destructive
|
|
17
|
+
scope: [repository, project]
|
|
18
|
+
recommend: escalate
|
|
19
|
+
reason: destructive_repo_scope
|
|
20
|
+
|
|
21
|
+
# Network exfiltration with mutation
|
|
22
|
+
- id: mutating_network
|
|
23
|
+
when:
|
|
24
|
+
effect: mutating
|
|
25
|
+
capability: [network_outbound]
|
|
26
|
+
recommend: escalate
|
|
27
|
+
reason: mutating_with_network
|
|
28
|
+
|
|
29
|
+
# Piped download-execute pattern
|
|
30
|
+
- id: piped_download_execute
|
|
31
|
+
when:
|
|
32
|
+
structure: [piped]
|
|
33
|
+
capability: { all_of: [network_outbound, arbitrary_execution] }
|
|
34
|
+
recommend: deny
|
|
35
|
+
reason: piped_download_execute
|
|
36
|
+
|
|
37
|
+
# Phase drift combined with destructive action
|
|
38
|
+
- id: drift_destructive
|
|
39
|
+
when:
|
|
40
|
+
structure: [phase_anomaly]
|
|
41
|
+
effect: destructive
|
|
42
|
+
recommend: deny
|
|
43
|
+
reason: drift_plus_destructive
|
|
44
|
+
|
|
45
|
+
# Budget pressure escalation
|
|
46
|
+
- id: budget_exceeded
|
|
47
|
+
when:
|
|
48
|
+
capability: [budget_pressure]
|
|
49
|
+
recommend: escalate
|
|
50
|
+
reason: budget_exceeded
|
|
51
|
+
|
|
52
|
+
# Credential exposure
|
|
53
|
+
- id: credential_exposure
|
|
54
|
+
when:
|
|
55
|
+
capability: [credential_exposure]
|
|
56
|
+
recommend: escalate
|
|
57
|
+
reason: credential_exposure
|
|
58
|
+
|
|
59
|
+
# PII with network — requires BOTH capabilities simultaneously
|
|
60
|
+
- id: pii_network
|
|
61
|
+
when:
|
|
62
|
+
capability: { all_of: [pii_exposure, network_outbound] }
|
|
63
|
+
recommend: deny
|
|
64
|
+
reason: pii_network_exfiltration
|
|
65
|
+
|
|
66
|
+
# MCP tool drift
|
|
67
|
+
- id: mcp_drift
|
|
68
|
+
when:
|
|
69
|
+
capability: [mcp_drift]
|
|
70
|
+
recommend: warn
|
|
71
|
+
reason: mcp_tool_fingerprint_changed
|
|
72
|
+
|
|
73
|
+
# IFC violation
|
|
74
|
+
- id: ifc_violation
|
|
75
|
+
when:
|
|
76
|
+
structure: [ifc_violation]
|
|
77
|
+
recommend: escalate
|
|
78
|
+
reason: ifc_clearance_violation
|
|
79
|
+
|
|
80
|
+
# Tainted flow
|
|
81
|
+
- id: tainted_flow
|
|
82
|
+
when:
|
|
83
|
+
structure: [tainted_flow]
|
|
84
|
+
recommend: warn
|
|
85
|
+
reason: tainted_data_flow
|
|
86
|
+
|
|
87
|
+
# Integrity verification failure
|
|
88
|
+
- id: integrity_unverified
|
|
89
|
+
when:
|
|
90
|
+
capability: [integrity_unverified]
|
|
91
|
+
recommend: warn
|
|
92
|
+
reason: content_integrity_mismatch
|
|
93
|
+
|
|
94
|
+
# Fallback risk score thresholds
|
|
95
|
+
- id: risk_critical
|
|
96
|
+
when:
|
|
97
|
+
risk_score: ">=85"
|
|
98
|
+
recommend: deny
|
|
99
|
+
reason: risk_score_critical
|
|
100
|
+
|
|
101
|
+
- id: risk_danger
|
|
102
|
+
when:
|
|
103
|
+
risk_score: ">=65"
|
|
104
|
+
recommend: escalate
|
|
105
|
+
reason: risk_score_danger
|
|
106
|
+
|
|
107
|
+
- id: risk_caution
|
|
108
|
+
when:
|
|
109
|
+
risk_score: ">=40"
|
|
110
|
+
recommend: warn
|
|
111
|
+
reason: risk_score_caution
|
|
@@ -0,0 +1,534 @@
|
|
|
1
|
+
# Risk scoring configuration for shell command enrichment.
|
|
2
|
+
# Produces a 0-100 score as analytics metadata — no blocking semantics.
|
|
3
|
+
#
|
|
4
|
+
# Weights are calibrated using CVSS v3.1, CWSS v1.0.1, NIST 800-30, and
|
|
5
|
+
# ToolEmu (Ruan et al. 2023) risk concepts as qualitative anchors. The
|
|
6
|
+
# resulting values are adapted to an additive 0-100 command-risk scale and
|
|
7
|
+
# are NOT CVSS/CWSS scores themselves.
|
|
8
|
+
#
|
|
9
|
+
# Scoring version: risk-v2
|
|
10
|
+
# Algorithm: structural + flag_bonus + min(patterns, cap) + taint + context_adj
|
|
11
|
+
|
|
12
|
+
version: "risk-v2"
|
|
13
|
+
|
|
14
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
15
|
+
# Layer 1: Intent weights — Impact Severity dimension (0-42)
|
|
16
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
17
|
+
# Grounded in CWSS Technical Impact (TI) factor:
|
|
18
|
+
# TI: Low=0.3, Medium=0.6, High=0.9, Critical=1.0
|
|
19
|
+
# (MITRE CWE/CWSS v1.0.1, §3.1 — Technical Impact)
|
|
20
|
+
# Mapped to 0-42 impact sub-band (50% of total score budget for impact):
|
|
21
|
+
# read_only → TI:Low (0.3 × 42 ≈ 12.6, discounted to 8: agent reads rarely harm)
|
|
22
|
+
# mutating → TI:Medium (0.6 × 42 ≈ 25.2, rounded to 24)
|
|
23
|
+
# destructive→ TI:High (0.9 × 42 ≈ 37.8, ceiling of band: irreversible local harm)
|
|
24
|
+
# unknown → TI:Medium (same as mutating; escalated by scope/flags/patterns)
|
|
25
|
+
# Rationale for unknown=24: NIST 800-30 Rev.1 §2.3 recommends "moderate"
|
|
26
|
+
# as default when threat characterization is uncertain; evidence-based
|
|
27
|
+
# dimensions (scope, flags, patterns) provide escalation.
|
|
28
|
+
intent_weights:
|
|
29
|
+
read_only: 8
|
|
30
|
+
mutating: 24
|
|
31
|
+
destructive: 42
|
|
32
|
+
unknown: 24
|
|
33
|
+
|
|
34
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
35
|
+
# Layer 1: Scope modifiers — Scope/Privilege dimension (0-18)
|
|
36
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
37
|
+
# Grounded in CVSS v3.1 Scope metric (Changed vs Unchanged adds 1.08×) and
|
|
38
|
+
# CWSS Acquired Privilege (AP) factor:
|
|
39
|
+
# AP: Administrator=1.0, Partially-privileged=0.9, Regular-user=0.7,
|
|
40
|
+
# Limited/Guest=0.6, None=0.1
|
|
41
|
+
# (MITRE CWE/CWSS v1.0.1, §3.2 — Acquired Privilege)
|
|
42
|
+
# Scaled to 0-18 (budget: ~18% of total score):
|
|
43
|
+
# source_code = 0 (own workspace, no scope change)
|
|
44
|
+
# config = 3 (AP:None→Limited, may affect runtime behavior)
|
|
45
|
+
# dependency = 4 (supply chain — downstream build impact)
|
|
46
|
+
# build_output = 0 (ephemeral, no persistent scope change)
|
|
47
|
+
# system.os = 14 (CVSS Scope:Changed — affects kernel/system-level)
|
|
48
|
+
# system.secrets= 18 (max: credential compromise affects OTHER systems)
|
|
49
|
+
# system.network= 14 (AV:Network-adjacent — CVSS v3.1 AV:A=0.62 scaled)
|
|
50
|
+
# external.service=10 (affects external parties — CVSS Scope:Changed partial)
|
|
51
|
+
# external.api = 6 (scoped API, limited blast radius)
|
|
52
|
+
scope_modifiers:
|
|
53
|
+
"artifact.source_code": 0
|
|
54
|
+
"artifact.config": 3
|
|
55
|
+
"artifact.dependency": 4
|
|
56
|
+
"artifact.build_output": 0
|
|
57
|
+
"system.os": 14
|
|
58
|
+
"system.secrets": 18
|
|
59
|
+
"system.network": 14
|
|
60
|
+
"external.service": 10
|
|
61
|
+
"external.api": 6
|
|
62
|
+
|
|
63
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
64
|
+
# Layer 1: Sensitive path bonuses
|
|
65
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
66
|
+
# Applied when file targets match known-sensitive path patterns.
|
|
67
|
+
# Overrides scope_modifiers if higher — represents confirmed sensitivity.
|
|
68
|
+
# Grounded in CWSS AP factor scaled to 0-20 (AP:Admin=1.0 → 20):
|
|
69
|
+
# secrets: AP:Administrator (1.0 × 20 = 20) — credential access
|
|
70
|
+
# system: AP:Regular-user (0.7 × 20 = 14) — system file access
|
|
71
|
+
sensitive_path_bonuses:
|
|
72
|
+
secrets: 20
|
|
73
|
+
system: 14
|
|
74
|
+
|
|
75
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
76
|
+
# Capability escalation weights (used for native/MCP tool risk scoring)
|
|
77
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
78
|
+
# Grounded in CVSS v3.1 Attack Vector (AV) and Privileges Required (PR):
|
|
79
|
+
# AV: Network=0.85, Adjacent=0.62, Local=0.55, Physical=0.20
|
|
80
|
+
# PR: None=0.85, Low=0.62, High=0.27
|
|
81
|
+
# Applied as additive bonus when a tool's Classification includes these
|
|
82
|
+
# capabilities. Only relevant for native/MCP tools (shell tools use
|
|
83
|
+
# flag/pattern analysis instead).
|
|
84
|
+
capability_weights:
|
|
85
|
+
# Network access increases blast radius — CVSS AV:Network (0.85)
|
|
86
|
+
network_outbound: 10
|
|
87
|
+
network_inbound: 8
|
|
88
|
+
# Subprocess spawning — potential for uncontrolled execution
|
|
89
|
+
subprocess: 12
|
|
90
|
+
# Credential access — CVSS C:High (0.56) for confidentiality impact
|
|
91
|
+
uses_credentials: 15
|
|
92
|
+
# Privilege escalation — CVSS PR:None (0.85) vs PR:High (0.27)
|
|
93
|
+
elevated_privilege: 18
|
|
94
|
+
|
|
95
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
96
|
+
# Layer 2: Per-binary flag risk modifiers
|
|
97
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
98
|
+
# Grounded in CVSS v3.1 Privileges Required (PR) ratio and ToolEmu
|
|
99
|
+
# reversibility categorization:
|
|
100
|
+
# CVSS PR: None=0.85, Low=0.62, High=0.27 (FIRST SIG empirical weights)
|
|
101
|
+
# Ratio PR:None / PR:High = 3.15× — privilege escalation is ~3× riskier
|
|
102
|
+
# ToolEmu: Reversible < Partially-reversible < Irreversible
|
|
103
|
+
#
|
|
104
|
+
# Modifier design principle: each flag rule adds risk proportional to how
|
|
105
|
+
# much it increases impact scope or reduces reversibility.
|
|
106
|
+
flag_modifiers:
|
|
107
|
+
rm:
|
|
108
|
+
# -r increases blast radius (scope escalation)
|
|
109
|
+
# Grounding: CVSS Scope:Changed (1.08×) applied to destructive base
|
|
110
|
+
- flags: ["-r", "--recursive"]
|
|
111
|
+
requires_all: false
|
|
112
|
+
modifier: 12
|
|
113
|
+
factor: "recursive_flag"
|
|
114
|
+
# -f removes interactive safety prompt (reduces reversibility)
|
|
115
|
+
# Grounding: ToolEmu "partially-reversible → irreversible" transition
|
|
116
|
+
- flags: ["-f", "--force"]
|
|
117
|
+
requires_all: false
|
|
118
|
+
modifier: 8
|
|
119
|
+
factor: "force_flag"
|
|
120
|
+
# --no-preserve-root: irreversible system-wide destruction
|
|
121
|
+
# Grounding: ToolEmu "catastrophic" + DREAD Reproducibility=0
|
|
122
|
+
- flags: ["--no-preserve-root"]
|
|
123
|
+
requires_all: false
|
|
124
|
+
modifier: 20
|
|
125
|
+
factor: "root_deletion"
|
|
126
|
+
mitre: "T1485"
|
|
127
|
+
docker:
|
|
128
|
+
# --privileged: full host root access from container
|
|
129
|
+
# Grounding: CVSS PR:None (0.85) — effectively no privilege barrier
|
|
130
|
+
- flags: ["--privileged"]
|
|
131
|
+
requires_all: false
|
|
132
|
+
modifier: 25
|
|
133
|
+
factor: "privileged_container"
|
|
134
|
+
mitre: "T1610"
|
|
135
|
+
# --cap-add: partial privilege escalation
|
|
136
|
+
# Grounding: CWSS AP:Partially-privileged (0.9) vs Regular (0.7) → ~1.3×
|
|
137
|
+
- flags: ["--cap-add"]
|
|
138
|
+
requires_all: false
|
|
139
|
+
modifier: 15
|
|
140
|
+
factor: "added_capability"
|
|
141
|
+
curl:
|
|
142
|
+
# Data upload flags: potential exfiltration channel
|
|
143
|
+
# Grounding: CVSS C:High (0.56) — confidentiality impact
|
|
144
|
+
- flags: ["-X", "--request", "-d", "--data", "--data-raw", "--upload-file", "-T"]
|
|
145
|
+
requires_all: false
|
|
146
|
+
modifier: 12
|
|
147
|
+
factor: "data_upload"
|
|
148
|
+
mitre: "T1041"
|
|
149
|
+
chmod:
|
|
150
|
+
# setuid: direct privilege escalation
|
|
151
|
+
# Grounding: CVSS PR:None (0.85) — any user can exploit setuid binary
|
|
152
|
+
- flags: ["+s", "u+s", "g+s"]
|
|
153
|
+
requires_all: false
|
|
154
|
+
modifier: 25
|
|
155
|
+
factor: "setuid"
|
|
156
|
+
mitre: "T1548.001"
|
|
157
|
+
- flags: ["4755", "4775", "2755"]
|
|
158
|
+
requires_all: false
|
|
159
|
+
modifier: 25
|
|
160
|
+
factor: "setuid_numeric"
|
|
161
|
+
mitre: "T1548.001"
|
|
162
|
+
sudo:
|
|
163
|
+
# Privilege escalation: intended but still high-risk
|
|
164
|
+
# Grounding: CVSS PR:None/PR:Low boundary (0.85 vs 0.62 → ~1.37×)
|
|
165
|
+
# Lower than chmod +s because sudo is an audited, intended mechanism
|
|
166
|
+
- flags: []
|
|
167
|
+
requires_all: false
|
|
168
|
+
modifier: 18
|
|
169
|
+
factor: "privilege_escalation"
|
|
170
|
+
mitre: "T1548.001"
|
|
171
|
+
dd:
|
|
172
|
+
# Raw disk access: potentially irreversible
|
|
173
|
+
# Grounding: ToolEmu "catastrophic" category — raw block device I/O
|
|
174
|
+
- flags: []
|
|
175
|
+
requires_all: false
|
|
176
|
+
modifier: 15
|
|
177
|
+
factor: "raw_disk_access"
|
|
178
|
+
kubectl:
|
|
179
|
+
# Cluster-wide scope: affects all namespaces
|
|
180
|
+
# Grounding: CVSS Scope:Changed — blast radius extends beyond workspace
|
|
181
|
+
- flags: ["--all-namespaces", "-A"]
|
|
182
|
+
requires_all: false
|
|
183
|
+
modifier: 8
|
|
184
|
+
factor: "cluster_wide"
|
|
185
|
+
# Container exec: lateral movement
|
|
186
|
+
# Grounding: CVSS AV:Adjacent (0.62) — network-adjacent access
|
|
187
|
+
- flags: ["exec"]
|
|
188
|
+
requires_all: false
|
|
189
|
+
modifier: 12
|
|
190
|
+
factor: "container_exec"
|
|
191
|
+
find:
|
|
192
|
+
# find -delete: filesystem-wide destruction without rm
|
|
193
|
+
# Grounding: ToolEmu "irreversible" — recursive delete with no undo
|
|
194
|
+
- flags: ["-delete"]
|
|
195
|
+
requires_all: false
|
|
196
|
+
modifier: 18
|
|
197
|
+
factor: "find_delete"
|
|
198
|
+
mitre: "T1485"
|
|
199
|
+
# find -exec: arbitrary command execution on matched files
|
|
200
|
+
# Grounding: CVSS AC:Low — execution on potentially many targets
|
|
201
|
+
- flags: ["-exec", "-execdir"]
|
|
202
|
+
requires_all: false
|
|
203
|
+
modifier: 12
|
|
204
|
+
factor: "find_exec"
|
|
205
|
+
mitre: "T1059.004"
|
|
206
|
+
mkfs:
|
|
207
|
+
# Disk formatting: catastrophic irreversible operation
|
|
208
|
+
# Grounding: ToolEmu "catastrophic" + DREAD Reproducibility=0
|
|
209
|
+
- flags: []
|
|
210
|
+
requires_all: false
|
|
211
|
+
modifier: 25
|
|
212
|
+
factor: "disk_format"
|
|
213
|
+
mitre: "T1485"
|
|
214
|
+
kill:
|
|
215
|
+
# kill -9 / SIGKILL: no graceful shutdown, potential data loss
|
|
216
|
+
# Grounding: ToolEmu "partially-reversible" — processes lost
|
|
217
|
+
- flags: ["-9", "-KILL", "--signal=9", "--signal=KILL"]
|
|
218
|
+
requires_all: false
|
|
219
|
+
modifier: 10
|
|
220
|
+
factor: "forced_kill"
|
|
221
|
+
systemctl:
|
|
222
|
+
# Service control: system-wide availability impact
|
|
223
|
+
# Grounding: CVSS A:High (0.56) — service disruption
|
|
224
|
+
- flags: ["stop", "disable", "mask"]
|
|
225
|
+
requires_all: false
|
|
226
|
+
modifier: 12
|
|
227
|
+
factor: "service_disruption"
|
|
228
|
+
iptables:
|
|
229
|
+
# Firewall mutation: network security boundary change
|
|
230
|
+
# Grounding: CVSS Scope:Changed + I:High — affects network security posture
|
|
231
|
+
- flags: ["-F", "--flush", "-X", "-D"]
|
|
232
|
+
requires_all: false
|
|
233
|
+
modifier: 18
|
|
234
|
+
factor: "firewall_mutation"
|
|
235
|
+
mitre: "T1562.004"
|
|
236
|
+
truncate:
|
|
237
|
+
# File truncation: data destruction
|
|
238
|
+
# Grounding: ToolEmu "partially-reversible" — data lost
|
|
239
|
+
- flags: []
|
|
240
|
+
requires_all: false
|
|
241
|
+
modifier: 12
|
|
242
|
+
factor: "file_truncation"
|
|
243
|
+
aws:
|
|
244
|
+
# --force: skip confirmation prompts on destructive operations
|
|
245
|
+
# Grounding: ToolEmu "partially-reversible → irreversible" — bypasses safety
|
|
246
|
+
- flags: ["--force"]
|
|
247
|
+
requires_all: false
|
|
248
|
+
modifier: 10
|
|
249
|
+
factor: "force_flag"
|
|
250
|
+
# --recursive: scope escalation for S3 and IAM operations
|
|
251
|
+
# Grounding: CVSS Scope:Changed (1.08×) — affects multiple resources
|
|
252
|
+
- flags: ["--recursive"]
|
|
253
|
+
requires_all: false
|
|
254
|
+
modifier: 10
|
|
255
|
+
factor: "recursive_flag"
|
|
256
|
+
# --no-verify-ssl: disables TLS verification (MITM risk)
|
|
257
|
+
# Grounding: CVSS AV:Network + weakened confidentiality
|
|
258
|
+
- flags: ["--no-verify-ssl"]
|
|
259
|
+
requires_all: false
|
|
260
|
+
modifier: 15
|
|
261
|
+
factor: "tls_bypass"
|
|
262
|
+
mitre: "T1557"
|
|
263
|
+
az:
|
|
264
|
+
# --yes / -y: skip confirmation prompts
|
|
265
|
+
# Grounding: ToolEmu — removes human-in-the-loop safety check
|
|
266
|
+
- flags: ["--yes", "-y"]
|
|
267
|
+
requires_all: false
|
|
268
|
+
modifier: 8
|
|
269
|
+
factor: "skip_confirmation"
|
|
270
|
+
# --force-string: bypass template validation
|
|
271
|
+
- flags: ["--force-string"]
|
|
272
|
+
requires_all: false
|
|
273
|
+
modifier: 6
|
|
274
|
+
factor: "force_string"
|
|
275
|
+
# --no-wait: fire-and-forget mode for destructive operations
|
|
276
|
+
# Grounding: reduces observability of impact
|
|
277
|
+
- flags: ["--no-wait"]
|
|
278
|
+
requires_all: false
|
|
279
|
+
modifier: 4
|
|
280
|
+
factor: "async_unmonitored"
|
|
281
|
+
gcloud:
|
|
282
|
+
# --quiet / -q: suppresses all interactive prompts
|
|
283
|
+
# Grounding: ToolEmu — removes human-in-the-loop safety check
|
|
284
|
+
- flags: ["--quiet", "-q"]
|
|
285
|
+
requires_all: false
|
|
286
|
+
modifier: 8
|
|
287
|
+
factor: "quiet_mode"
|
|
288
|
+
# --force: skip confirmation on destructive operations
|
|
289
|
+
- flags: ["--force"]
|
|
290
|
+
requires_all: false
|
|
291
|
+
modifier: 10
|
|
292
|
+
factor: "force_flag"
|
|
293
|
+
# --delete-all-versions: version-level destruction
|
|
294
|
+
# Grounding: CVSS Scope:Changed — affects all versions, not just current
|
|
295
|
+
- flags: ["--delete-all-versions"]
|
|
296
|
+
requires_all: false
|
|
297
|
+
modifier: 12
|
|
298
|
+
factor: "all_versions_delete"
|
|
299
|
+
|
|
300
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
301
|
+
# Layer 3: Injection/evasion patterns (regex on raw command text)
|
|
302
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
303
|
+
# Grounded in CVSS v3.1 User Interaction (UI) metric:
|
|
304
|
+
# UI:None = 0.85, UI:Required = 0.62
|
|
305
|
+
# Injection removes the need for user interaction → max exploitability.
|
|
306
|
+
# Additive, capped at max_pattern_bonus to prevent overflow from
|
|
307
|
+
# multi-signal commands (defense-in-depth scoring).
|
|
308
|
+
max_pattern_bonus: 25
|
|
309
|
+
|
|
310
|
+
injection_patterns:
|
|
311
|
+
# Direct code execution — CVSS AC:Low (0.77) + UI:None (0.85)
|
|
312
|
+
- pattern: '\beval\s'
|
|
313
|
+
score: 20
|
|
314
|
+
factor: "eval_usage"
|
|
315
|
+
mitre: "T1059.004"
|
|
316
|
+
# Pipe to interpreter — equivalent to eval for risk purposes
|
|
317
|
+
- pattern: '\|\s*(?:bash|sh|zsh|fish|dash|ksh|python[23]?|perl|ruby|node)\b'
|
|
318
|
+
score: 20
|
|
319
|
+
factor: "pipe_to_shell"
|
|
320
|
+
mitre: "T1204.002"
|
|
321
|
+
# Interpreter with -c/-e flag: inline code execution
|
|
322
|
+
# Grounding: same as eval — arbitrary code from string argument
|
|
323
|
+
- pattern: '\b(?:bash|sh|zsh|dash|ksh)\s+-c\s'
|
|
324
|
+
score: 18
|
|
325
|
+
factor: "shell_inline_exec"
|
|
326
|
+
mitre: "T1059.004"
|
|
327
|
+
- pattern: '\b(?:python[23]?|perl|ruby|node)\s+-[ce]\s'
|
|
328
|
+
score: 18
|
|
329
|
+
factor: "interpreter_inline_exec"
|
|
330
|
+
mitre: "T1059"
|
|
331
|
+
# xargs piping to shell — indirect execution on iterated input
|
|
332
|
+
- pattern: '\bxargs\b.*\b(?:sh|bash|zsh)\s+-c'
|
|
333
|
+
score: 18
|
|
334
|
+
factor: "xargs_shell_exec"
|
|
335
|
+
mitre: "T1059.004"
|
|
336
|
+
# Command substitution via $() or backticks — dynamic code generation
|
|
337
|
+
- pattern: '\$\([^)]+\)|`[^`]+`'
|
|
338
|
+
score: 10
|
|
339
|
+
factor: "command_substitution"
|
|
340
|
+
mitre: "T1059.004"
|
|
341
|
+
# Library injection — CVSS PR:Low (0.62), requires local access
|
|
342
|
+
- pattern: 'LD_PRELOAD'
|
|
343
|
+
score: 20
|
|
344
|
+
factor: "ld_preload"
|
|
345
|
+
mitre: "T1574.006"
|
|
346
|
+
# Bash network redirection — CVSS AV:Network (0.85)
|
|
347
|
+
- pattern: '/dev/(?:tcp|udp)/'
|
|
348
|
+
score: 20
|
|
349
|
+
factor: "dev_tcp_udp"
|
|
350
|
+
mitre: "T1071.001"
|
|
351
|
+
# Recursive permission broadening — system-wide security degradation
|
|
352
|
+
# Grounding: CVSS I:High + Scope:Changed — weakens all file protections
|
|
353
|
+
- pattern: 'chmod\s+(-R\s+)?[0-7]*7[0-7]{2}\s'
|
|
354
|
+
score: 15
|
|
355
|
+
factor: "permission_broadening"
|
|
356
|
+
mitre: "T1222.002"
|
|
357
|
+
# Defense evasion — reduces detectability, not direct harm
|
|
358
|
+
# Lower score: CVSS impact is on Availability of audit trail only
|
|
359
|
+
- pattern: 'HISTFILE|HISTSIZE=0|unset\s+HISTFILE'
|
|
360
|
+
score: 12
|
|
361
|
+
factor: "history_manipulation"
|
|
362
|
+
mitre: "T1070.003"
|
|
363
|
+
# Info disclosure — CVSS C:High but no I/A impact
|
|
364
|
+
- pattern: '/proc/self/environ'
|
|
365
|
+
score: 15
|
|
366
|
+
factor: "proc_environ"
|
|
367
|
+
mitre: "T1082"
|
|
368
|
+
# Obfuscation indicator — CVSS: no direct impact, signals evasion intent
|
|
369
|
+
- pattern: '\\x[0-9a-fA-F]{2}'
|
|
370
|
+
score: 10
|
|
371
|
+
factor: "hex_escape"
|
|
372
|
+
mitre: "T1027"
|
|
373
|
+
|
|
374
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
375
|
+
# Pipeline taint rules
|
|
376
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
377
|
+
# Applied only when commands are connected by | (pipe), not ;/&&/||.
|
|
378
|
+
# Grounded in CVSS attack chain composition — multi-step attacks compound:
|
|
379
|
+
# CVSS v3.1 §7.4: chained vulnerabilities score via highest-impact link.
|
|
380
|
+
# Source/sink determined by effect + path sensitivity of pipe segments.
|
|
381
|
+
taint_rules:
|
|
382
|
+
# Credential exfiltration — CVSS C:High (0.56) × AV:Network (0.85)
|
|
383
|
+
# Compound: 0.56 × 0.85 × 63 (scale factor) ≈ 30
|
|
384
|
+
- source: "sensitive_read"
|
|
385
|
+
sink: "network"
|
|
386
|
+
escalation: 30
|
|
387
|
+
factor: "secrets_exfiltration"
|
|
388
|
+
mitre: "T1041"
|
|
389
|
+
# Credentials fed to execution — CVSS C:High × I:High locally
|
|
390
|
+
- source: "sensitive_read"
|
|
391
|
+
sink: "execution"
|
|
392
|
+
escalation: 22
|
|
393
|
+
factor: "secrets_to_exec"
|
|
394
|
+
mitre: "T1059.004"
|
|
395
|
+
# Encoded exfiltration — evasion + exfil compound
|
|
396
|
+
# Slightly lower confidence than direct sensitive_read→network
|
|
397
|
+
- source: "any_read"
|
|
398
|
+
sink: "network"
|
|
399
|
+
has_encoding: true
|
|
400
|
+
escalation: 22
|
|
401
|
+
factor: "encoded_exfiltration"
|
|
402
|
+
mitre: "T1132.001"
|
|
403
|
+
# Download-and-execute — CVSS initial access chain (T1204.002)
|
|
404
|
+
# Same severity as credential exfiltration (RCE equivalent)
|
|
405
|
+
- source: "network"
|
|
406
|
+
sink: "execution"
|
|
407
|
+
escalation: 30
|
|
408
|
+
factor: "download_and_exec"
|
|
409
|
+
mitre: "T1204.002"
|
|
410
|
+
# Generic read→exec — lower confidence of actual harm
|
|
411
|
+
- source: "any_read"
|
|
412
|
+
sink: "execution"
|
|
413
|
+
escalation: 12
|
|
414
|
+
factor: "read_to_exec"
|
|
415
|
+
mitre: "T1059.004"
|
|
416
|
+
|
|
417
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
418
|
+
# Sensitive path patterns (glob-style)
|
|
419
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
420
|
+
# Used for taint source classification and scope modifier escalation.
|
|
421
|
+
sensitive_paths:
|
|
422
|
+
secrets:
|
|
423
|
+
- ".env"
|
|
424
|
+
- ".env.*"
|
|
425
|
+
- "*.pem"
|
|
426
|
+
- "*.key"
|
|
427
|
+
- "*.p12"
|
|
428
|
+
- "id_rsa*"
|
|
429
|
+
- "id_ed25519*"
|
|
430
|
+
- ".ssh/*"
|
|
431
|
+
- ".aws/credentials"
|
|
432
|
+
- ".aws/config"
|
|
433
|
+
- ".kube/config"
|
|
434
|
+
- ".docker/config.json"
|
|
435
|
+
- ".gnupg/*"
|
|
436
|
+
- ".netrc"
|
|
437
|
+
- "terraform.tfstate"
|
|
438
|
+
- "*.tfvars"
|
|
439
|
+
system:
|
|
440
|
+
- "/etc/passwd"
|
|
441
|
+
- "/etc/shadow"
|
|
442
|
+
- "/etc/sudoers"
|
|
443
|
+
- "/etc/hosts"
|
|
444
|
+
- "/proc/*/environ"
|
|
445
|
+
- "/proc/self/*"
|
|
446
|
+
|
|
447
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
448
|
+
# Encoding propagators (binaries that transform but preserve data)
|
|
449
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
450
|
+
encoding_commands:
|
|
451
|
+
- "base64"
|
|
452
|
+
- "b64encode"
|
|
453
|
+
- "xxd"
|
|
454
|
+
- "od"
|
|
455
|
+
- "hexdump"
|
|
456
|
+
- "gzip"
|
|
457
|
+
- "gunzip"
|
|
458
|
+
- "bzip2"
|
|
459
|
+
- "xz"
|
|
460
|
+
- "openssl"
|
|
461
|
+
- "gpg"
|
|
462
|
+
|
|
463
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
464
|
+
# GTFOBins subset: binaries with shell escape / reverse shell capability
|
|
465
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
466
|
+
# Source: GTFOBins project (https://gtfobins.github.io/)
|
|
467
|
+
# Used as a modifier when these binaries appear with suspicious patterns.
|
|
468
|
+
gtfobins:
|
|
469
|
+
shell_escape:
|
|
470
|
+
- "vim"
|
|
471
|
+
- "vi"
|
|
472
|
+
- "less"
|
|
473
|
+
- "more"
|
|
474
|
+
- "man"
|
|
475
|
+
- "ftp"
|
|
476
|
+
- "gdb"
|
|
477
|
+
- "awk"
|
|
478
|
+
- "nawk"
|
|
479
|
+
- "mawk"
|
|
480
|
+
reverse_shell:
|
|
481
|
+
- "nc"
|
|
482
|
+
- "ncat"
|
|
483
|
+
- "socat"
|
|
484
|
+
- "telnet"
|
|
485
|
+
- "bash"
|
|
486
|
+
- "python"
|
|
487
|
+
- "python3"
|
|
488
|
+
- "perl"
|
|
489
|
+
- "ruby"
|
|
490
|
+
- "php"
|
|
491
|
+
- "node"
|
|
492
|
+
file_rw:
|
|
493
|
+
- "tar"
|
|
494
|
+
- "zip"
|
|
495
|
+
- "cpio"
|
|
496
|
+
- "rsync"
|
|
497
|
+
- "scp"
|
|
498
|
+
- "curl"
|
|
499
|
+
- "wget"
|
|
500
|
+
|
|
501
|
+
# GTFOBins modifier: applied when binary has a relevant capability AND
|
|
502
|
+
# the command has network or elevated-privilege intent.
|
|
503
|
+
# Grounding: CVSS v3.1 "existing conditions" modifier — known-capable
|
|
504
|
+
# binary in a risk-relevant context warrants escalation.
|
|
505
|
+
gtfobins_modifier: 10
|
|
506
|
+
|
|
507
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
508
|
+
# Context adjustments
|
|
509
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
510
|
+
# Grounded in CWSS Acquired Privilege Layer (AL) and CVSS Scope metric:
|
|
511
|
+
# inside_project: CWSS AL "Default installation" mitigator — sandboxed
|
|
512
|
+
# escapes_project: CVSS Scope:Changed — affects components beyond workspace
|
|
513
|
+
# no_context: NIST 800-30 "uncertain" → moderate assumption (§2.3)
|
|
514
|
+
context_adjustments:
|
|
515
|
+
inside_project: -8
|
|
516
|
+
inside_build_dir: -4
|
|
517
|
+
escapes_project: 15
|
|
518
|
+
no_context: 4
|
|
519
|
+
|
|
520
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
521
|
+
# Score bands
|
|
522
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
523
|
+
# Adapted from NIST 800-30 Rev.1 semi-quantitative risk levels
|
|
524
|
+
# (Table I-2: Very Low 0-4, Low 5-20, Moderate 21-79, High 80-95, VHigh 96-100)
|
|
525
|
+
# Compressed to 4 levels for agent observability context:
|
|
526
|
+
# safe = NIST Very-Low + Low (benign reads, simple listings)
|
|
527
|
+
# caution = NIST Low-Moderate (mutations, project-scoped writes)
|
|
528
|
+
# danger = NIST Moderate-High (system mutations, privilege use)
|
|
529
|
+
# critical = NIST High+ (irreversible, escalation, exfiltration chains)
|
|
530
|
+
levels:
|
|
531
|
+
safe: [0, 20]
|
|
532
|
+
caution: [21, 45]
|
|
533
|
+
danger: [46, 75]
|
|
534
|
+
critical: [76, 100]
|