Skip to content

feat: add AI agent capability catalog and ATR category mappings#428

Open
eeee2345 wants to merge 1 commit into
gemaraproj:mainfrom
eeee2345:ai-agent-capability-catalog
Open

feat: add AI agent capability catalog and ATR category mappings#428
eeee2345 wants to merge 1 commit into
gemaraproj:mainfrom
eeee2345:ai-agent-capability-catalog

Conversation

@eeee2345

Copy link
Copy Markdown

Follows up #422. Adds a first slice modeling AI agent threats
with Gemara: an AI Agent CapabilityCatalog plus a MappingDocument relating Agent
Threat Rules (ATR) detection categories to those capabilities.

Per the discussion in #422, Gemara defines the schema and ATR hosts the content.
These example artifacts are authored by ATR and validated here against the Gemara
schemas so the structure can be reviewed and iterated.

What is included

  • examples/ai-agent/ai-agent-capability-catalog.yaml: a CapabilityCatalog
    describing the agent features that create attack surface, including model
    inference over untrusted input, tool invocation, MCP and tool server
    connection, cross-agent message passing, skill and plugin loading, memory
    read and write, autonomous action, and privileged execution. Each entry
    describes a capability, not a threat, so threats can reference them.
  • examples/ai-agent/atr-categories-to-capabilities-mapping.yaml: a
    MappingDocument relating the nine ATR detection categories to those
    capabilities with per-target strength, confidence, and rationale.
  • test/schema_test.go: two positive validation cases for the artifacts.

Validation

  • cue vet -d '#CapabilityCatalog' and -d '#MappingDocument' both pass.
  • go test ./... passes, including the two new cases.

Open question for review: does this capability granularity match what you had
in mind, or would you scope finer or coarser? Happy to move the AI agent
Capability profile discussion (the #419 direction) into an ADR if useful.

Adds an AI Agent CapabilityCatalog describing the agent features that
create attack surface (model inference, tool invocation, MCP and tool
server connection, cross-agent messaging, skill loading, memory read and
write, autonomous action, privileged execution) and a MappingDocument
relating the nine Agent Threat Rules detection categories to those
capabilities.

Content is authored and hosted by the ATR project and validated against
the Gemara schemas. Capability ids are referenced from ATR threats; the
mapping uses relates-to for external cross-references.

Adds two positive schema-validation cases covering both artifacts.

Signed-off-by: Adam Lin <adam@agentthreatrule.org>
@eeee2345 eeee2345 requested a review from a team as a code owner June 28, 2026 12:08
type: CapabilityCatalog
gemara-version: "1.1.0"
version: "0.1.0"
description: >

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@eeee2345 Capability set looks solid. I think the granularity hits the good level -- concrete enough to map distinct threat categories against, abstract enough to not couple to specific agent implementations.

metadata:
id: ATR-CAP-MAP-001
version: "0.1.0"
type: MappingDocument

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The mapping document makes sense as a first slice. An alternative structure to consider would be capability→threat and threat→control through the inline mappings of ThreatCatalogs and ControlCatalogs. That gives you more expressiveness (which specific threats bridge a capability to a detection rule) at the cost of more artifacts to maintain.

@jpower432

Copy link
Copy Markdown
Contributor

@eddie-knight I will leave these conversations open for a bit in case you have additional feedback.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants