feat: add AI agent capability catalog and ATR category mappings#428
Open
eeee2345 wants to merge 1 commit into
Open
feat: add AI agent capability catalog and ATR category mappings#428eeee2345 wants to merge 1 commit into
eeee2345 wants to merge 1 commit into
Conversation
Adds an AI Agent CapabilityCatalog describing the agent features that create attack surface (model inference, tool invocation, MCP and tool server connection, cross-agent messaging, skill loading, memory read and write, autonomous action, privileged execution) and a MappingDocument relating the nine Agent Threat Rules detection categories to those capabilities. Content is authored and hosted by the ATR project and validated against the Gemara schemas. Capability ids are referenced from ATR threats; the mapping uses relates-to for external cross-references. Adds two positive schema-validation cases covering both artifacts. Signed-off-by: Adam Lin <adam@agentthreatrule.org>
jpower432
reviewed
Jul 1, 2026
| type: CapabilityCatalog | ||
| gemara-version: "1.1.0" | ||
| version: "0.1.0" | ||
| description: > |
Contributor
There was a problem hiding this comment.
@eeee2345 Capability set looks solid. I think the granularity hits the good level -- concrete enough to map distinct threat categories against, abstract enough to not couple to specific agent implementations.
jpower432
reviewed
Jul 1, 2026
| metadata: | ||
| id: ATR-CAP-MAP-001 | ||
| version: "0.1.0" | ||
| type: MappingDocument |
Contributor
There was a problem hiding this comment.
The mapping document makes sense as a first slice. An alternative structure to consider would be capability→threat and threat→control through the inline mappings of ThreatCatalogs and ControlCatalogs. That gives you more expressiveness (which specific threats bridge a capability to a detection rule) at the cost of more artifacts to maintain.
jpower432
approved these changes
Jul 1, 2026
Contributor
|
@eddie-knight I will leave these conversations open for a bit in case you have additional feedback. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Follows up #422. Adds a first slice modeling AI agent threats
with Gemara: an AI Agent CapabilityCatalog plus a MappingDocument relating Agent
Threat Rules (ATR) detection categories to those capabilities.
Per the discussion in #422, Gemara defines the schema and ATR hosts the content.
These example artifacts are authored by ATR and validated here against the Gemara
schemas so the structure can be reviewed and iterated.
What is included
describing the agent features that create attack surface, including model
inference over untrusted input, tool invocation, MCP and tool server
connection, cross-agent message passing, skill and plugin loading, memory
read and write, autonomous action, and privileged execution. Each entry
describes a capability, not a threat, so threats can reference them.
MappingDocument relating the nine ATR detection categories to those
capabilities with per-target strength, confidence, and rationale.
Validation
Open question for review: does this capability granularity match what you had
in mind, or would you scope finer or coarser? Happy to move the AI agent
Capability profile discussion (the #419 direction) into an ADR if useful.