oatf 0.4.0

Rust SDK for the Open Agent Threat Format (OATF)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230

//! Closed enumerations used throughout the OATF type system.
//!
//! These are "closed" enums — only the defined variants are valid. Open enums
//! (mode, protocol) are represented as strings and validated by regex pattern.

use serde::{Deserialize, Serialize};

/// Severity classification.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum SeverityLevel {
    /// Advisory or informational finding.
    Informational,
    /// Low-severity finding.
    Low,
    /// Medium-severity finding.
    Medium,
    /// High-severity finding.
    High,
    /// Critical-severity finding requiring immediate attention.
    Critical,
}

/// Categories of harm.
#[derive(Clone, Debug, PartialEq, Eq, Hash, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum Impact {
    /// Agent behavior is manipulated by an adversary.
    BehaviorManipulation,
    /// Sensitive data is exfiltrated through agent actions.
    DataExfiltration,
    /// Data integrity is compromised through unauthorized modifications.
    DataTampering,
    /// Agent performs actions without proper authorization.
    UnauthorizedActions,
    /// Sensitive information is disclosed to unauthorized parties.
    InformationDisclosure,
    /// Credentials or authentication tokens are stolen.
    CredentialTheft,
    /// Agent or service availability is disrupted.
    ServiceDisruption,
    /// Attacker gains elevated privileges.
    PrivilegeEscalation,
}

/// OATF taxonomy category.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum Category {
    /// Manipulation of agent capabilities or tool definitions.
    CapabilityPoisoning,
    /// Fabrication of responses to mislead the agent.
    ResponseFabrication,
    /// Manipulation of the agent's context or conversation state.
    ContextManipulation,
    /// Bypassing human oversight or approval mechanisms.
    OversightBypass,
    /// Exploiting timing or ordering of operations.
    TemporalManipulation,
    /// Disrupting service availability.
    AvailabilityDisruption,
    /// Chaining attacks across multiple protocols.
    CrossProtocolChain,
}

/// Document lifecycle status.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum Status {
    /// Work in progress, not yet validated.
    Draft,
    /// Under evaluation, may change.
    Experimental,
    /// Validated and stable.
    Stable,
    /// No longer recommended for use.
    Deprecated,
}

/// How indicator verdicts combine into an attack-level result.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum CorrelationLogic {
    /// Any matched indicator produces an `exploited` verdict.
    Any,
    /// All indicators must match for an `exploited` verdict.
    All,
}

/// Individual indicator evaluation result.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum IndicatorResult {
    /// The indicator matched the observed data.
    Matched,
    /// The indicator did not match.
    NotMatched,
    /// An error occurred during evaluation.
    Error,
    /// Evaluation was skipped (e.g., no evaluator available).
    Skipped,
}

/// Attack-level verdict result.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum AttackResult {
    /// The attack was successfully exploited.
    Exploited,
    /// The attack was not exploited.
    NotExploited,
    /// Some but not all indicators matched (`all` correlation only).
    Partial,
    /// An error occurred during verdict computation.
    Error,
}

/// Extractor source direction.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum ExtractorSource {
    /// Extract from the protocol request message.
    Request,
    /// Extract from the protocol response message.
    Response,
}

/// Extractor type.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum ExtractorType {
    /// Extract values using a JSONPath expression.
    JsonPath,
    /// Extract values using a regular expression.
    Regex,
}

/// Semantic intent classification hint.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum SemanticIntentClass {
    /// Attempt to inject instructions into the agent's prompt.
    PromptInjection,
    /// Attempt to exfiltrate data through the agent.
    DataExfiltration,
    /// Attempt to escalate privileges.
    PrivilegeEscalation,
    /// Attempt to manipulate through social engineering.
    SocialEngineering,
    /// Attempt to override the agent's instructions.
    InstructionOverride,
}

/// Framework mapping relationship type.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum Relationship {
    /// Direct primary mapping to the framework entry.
    Primary,
    /// Related but not primary mapping.
    Related,
}

/// Log level for log actions.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum LogLevel {
    /// Informational log message.
    Info,
    /// Warning log message.
    Warn,
    /// Error log message.
    Error,
}

/// Elicitation mode for user interaction.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum ElicitationMode {
    /// Display an interactive form to the user.
    Form,
    /// Redirect the user to a URL.
    Url,
}

/// Reason a trigger advanced to the next phase.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum AdvanceReason {
    /// The trigger's event condition was matched.
    EventMatched,
    /// The trigger's timeout elapsed.
    Timeout,
}

/// Direction of a protocol message for indicator matching.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum Direction {
    /// Match against the protocol request.
    Request,
    /// Match against the protocol response.
    Response,
}

/// Detection method an indicator uses.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum IndicatorMethod {
    /// Pattern-based detection.
    Pattern,
    /// CEL expression-based detection.
    Expression,
    /// Semantic/intent-based detection.
    Semantic,
}

/// Outcome tier classifying how far an attack progressed (§6.5).
///
/// Variants are ordered by severity: `Ingested < LocalAction < BoundaryBreach`.
#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord, Hash, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum Tier {
    /// T1: payload entered the model's context but no tool was weaponized.
    Ingested,
    /// T2: model weaponized a tool but blast radius remained internal.
    LocalAction,
    /// T3: data, control, or traffic crossed a trust boundary.
    BoundaryBreach,
}