v0.2.0 plan — detection & new surfaces¶
Status: Largely complete. All three workstreams (model-scan, BentoML/W&B probes, LiteLLM module) shipped in v0.2.0. Template count is now 123 (62 detection, 61 exploit) across 21 categories. See the CHANGELOG for details.
Scope: Roadmap v0.2.0 items that expand what the tool can see and fingerprint, without changing the core engagement/validate workflow.
Out of scope here: validate command, credchain auto-forwarding, campaign reporting (see v0.2.0-workflow-credchain-track.md).
Workstream A: Model supply chain (model-scan)¶
| Step | Task | Notes |
|---|---|---|
| A1 | Finalize CLI surface (aipostex model-scan or subcommands) |
Align with existing pkg/modelscan if already present |
| A2 | File targeting: paths, globs, max size, skip vendor | Match pkg/discover ergonomics where sensible |
| A3 | Pickle / PyTorch / unsafe deserialization signals | Tie findings to severity + remediation text |
| A4 | Optional: hash compare against manifest / registry | Roadmap mentions validation; scope MVP vs stretch |
| A5 | Tests + JSON findings | Same report.Finding shape as other modules |
| A6 | Docs: docs/modules/ + builtin template list if templates added |
Dependency: None blocking Track B in parallel.
Workstream B: BentoML + Weights & Biases probes and templates¶
| Step | Task | Notes |
|---|---|---|
| B1 | BentoML: confirm fingerprint probe coverage in pkg/fingerprint/fingerprint.go | Add probes if gaps vs live BentoML versions |
| B2 | BentoML: 2-3 YAML templates (detect unauth inference, metrics exposure, etc.) | Under pkg/vulncheck/templates/ with tags for scan targets |
| B3 | W&B: HTTP probe(s) for common UI/API ports | Default ports in internal/config/config.go |
| B4 | W&B: templates for unauthenticated API or exposed runs | Severity/tags consistent with vectordb/mlflow style |
| B5 | scan_network tag mapping |
Same pattern as cmd/aipostex/scan_network.go service->tags |
| B6 | Docs + vuln template index | docs/vuln-templates/builtin.md |
Note: HANDOFF Task 2 describes deeper BentoML/Triton/TorchServe modules; this track is detection-first (fingerprint + templates). Full modules can land in the same release or follow.
Workstream C: LiteLLM exploitation¶
| Step | Task | Notes |
|---|---|---|
| C1 | Decide: extend openai-compat vs new top-level litellm |
cmd/aipostex/litellm.go may already exist — audit vs roadmap |
| C2 | Config key / admin API enumeration | Guard read-only vs --force-exploit |
| C3 | Model alias resolution, proxy abuse proofs | Findings with proof metadata |
| C4 | Tests with httptest | Mirror pkg/exploit/openaicompat patterns |
Suggested order within this track¶
- B1-B2 and B3-B4 in parallel (independent files).
- A1-A3 (model-scan MVP) — highest differentiation for v0.2.0 messaging.
- C1-C4 after audit of existing LiteLLM command surface.
Exit criteria (detection track)¶
-
go test -race -tags=integration ./...green - New or updated fingerprints/templates documented for operators
- Roadmap v0.2.0 "detection" bullets either shipped or explicitly deferred with reason
- 123/123 embedded templates pass parse + validate (per-family test coverage added in review C-series)