Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type CapabilityMismatch ¶
type CapabilityMismatch struct{}
CapabilityMismatch is a SOFT check (FR-009, US2) that flags a gap between what a tool *declares* it does and what it *implies* it touches:
- Declared-vs-implied: a tool whose declared purpose is pure computation or string manipulation (name/lead like "add", "to_uppercase") that nevertheless references a sensitive resource it has no business touching (~/.ssh, /etc/passwd, an external URL, a shell). A calculator reading id_rsa is a classic capability-mismatch exfiltration tell.
- Unexplained data-sink param: a free-form input named like an exfiltration channel ("sidenote", "scratchpad") that the description never explains — the model is steered to stuff stolen data into it.
The declared category is taken from the tool NAME and its leading sentence, NOT the full description, so an attacker's benign cover sentence still anchors the declaration while the smuggled access in the rest of the text is treated as implied. Tools that legitimately declare file/network/system access are therefore NOT flagged for touching those resources (FR-009 MUST-NOT).
Being soft, a hit raises a finding for review and never auto-quarantines.
func (*CapabilityMismatch) Inspect ¶
func (c *CapabilityMismatch) Inspect(tool detect.ToolView, _ detect.RegistryView) []detect.Signal
Inspect implements detect.Check. It emits at most one signal per tool, preferring the capability-mismatch signal over an unexplained data-sink.
type DirectiveImperative ¶
type DirectiveImperative struct{}
DirectiveImperative is a SOFT check (FR-009, US2) that flags prompt-injection directives smuggled into a tool's description: hidden-instruction tags (<IMPORTANT>…), secrecy imperatives ("do not tell the user"), instruction overrides ("ignore previous instructions"), and tool-preamble injections ("before using this tool, first …").
It runs over the engine's NORMALIZED text (lowercased, contraction-expanded, format-rune-stripped) so "don't disclose" and "do not tell" collapse to one matchable form. Each hit is position-classified: a phrase quoted or illustrated ("detects prompts such as 'ignore previous instructions'") is example-position and discounted below the emit threshold, so legitimate security tooling that merely *describes* these phrases is not flagged. This is the core false-positive control for US2 (per detect.ClassifyPosition).
Being soft, it raises a finding for human review but never auto-quarantines.
func (*DirectiveImperative) ID ¶
func (*DirectiveImperative) ID() string
ID implements detect.Check.
func (*DirectiveImperative) Inspect ¶
func (c *DirectiveImperative) Inspect(tool detect.ToolView, _ detect.RegistryView) []detect.Signal
Inspect implements detect.Check. It emits at most one signal per tool: the highest-confidence directive match that clears directiveMinConfidence after position discounting.
type EmbeddedSecret ¶
type EmbeddedSecret struct{}
EmbeddedSecret is a SOFT check (FR-009, US2) that flags a live credential hardcoded into a tool's description or schema — an AWS key, a private key, a database password, a Luhn-valid card, etc. It wraps the shared internal/security/patterns matchers and carries each match's per-match confidence (Spec 076 T015): a validated card / live cloud key is high, a documented placeholder (AKIA…EXAMPLE) collapses to near-zero and is dropped.
It scans RAW text (not the engine's normalized text): secrets are case-sensitive and exact, and normalization would lowercase prefixes (AKIA…) and fold the very bytes the matchers key on.
Being soft, a hit raises a finding for review and never auto-quarantines — an embedded secret may be a careless example as easily as a planted one.
func (*EmbeddedSecret) Inspect ¶
func (c *EmbeddedSecret) Inspect(tool detect.ToolView, _ detect.RegistryView) []detect.Signal
Inspect implements detect.Check. It emits at most one signal per tool: the highest-confidence embedded secret found in the raw description + schema.
type PayloadDecoded ¶
type PayloadDecoded struct{}
PayloadDecoded is a HARD check (FR-008) that decodes base64/hex blobs embedded in a tool's description or schema and flags ONLY when the decoded bytes are a shell/exfiltration command — `curl … | sh`, `wget … | sh`, `chmod`, `rm -rf`, a pipe-to-shell, or a raw IP:port reverse-shell target. Benign encoded data (an icon, a JSON config) decodes to non-matching/non-printable bytes and is never flagged, so the false-positive rate stays near zero. Evidence is the decoded content, surfaced so an operator sees exactly what was hidden.
func (*PayloadDecoded) Inspect ¶
func (c *PayloadDecoded) Inspect(tool detect.ToolView, _ detect.RegistryView) []detect.Signal
Inspect implements detect.Check.
type Shadowing ¶
type Shadowing struct{}
Shadowing is a HARD check that flags cross-server tool impersonation and reference (FR — shadowing). Two distinct attack shapes:
- Name collision: a DISTINCTIVE tool name exposed by two different servers (one impersonating the other so an agent calls the wrong one).
- Cross-server reference: a tool whose description names a DISTINCTIVE tool that lives on a different server (steering the agent's tool selection).
To hold near-zero FP, both shapes require the name to be distinctive: generic verbs ("search", "get", "list") collide across servers all the time and are never flagged. A tool referencing its OWN name is also ignored.
type UnicodeHidden ¶
type UnicodeHidden struct{}
UnicodeHidden is a HARD check (FR-007) that flags invisible/format-control runes smuggled into a tool's RAW description or schema text: zero-width joiners/spaces, bidirectional controls, Unicode TAG-block characters, and Private-Use-Area code points. These never appear in a legitimate human-readable tool description, so a hit is near-zero false-positive.
It runs on the RAW text deliberately — detect.Normalize strips format runes to stabilize phrase matching, which would hide exactly the attack this check exists to catch.
Escalation (FR-007): a description carrying ≥3 distinct hidden classes, or TAG-block characters that decode to a printable ASCII message, is rated near-certain (critical); a single class is still hard but high.
func (*UnicodeHidden) Inspect ¶
func (c *UnicodeHidden) Inspect(tool detect.ToolView, _ detect.RegistryView) []detect.Signal
Inspect implements detect.Check. It scans the raw description plus raw schema bytes and emits at most one signal per tool.