Skip to content

v0.2.0 plan — detection & new surfaces

Status: Largely complete. All three workstreams (model-scan, BentoML/W&B probes, LiteLLM module) shipped in v0.2.0. Template count is now 123 (62 detection, 61 exploit) across 21 categories. See the CHANGELOG for details.

Scope: Roadmap v0.2.0 items that expand what the tool can see and fingerprint, without changing the core engagement/validate workflow.

Out of scope here: validate command, credchain auto-forwarding, campaign reporting (see v0.2.0-workflow-credchain-track.md).


Workstream A: Model supply chain (model-scan)

Step Task Notes
A1 Finalize CLI surface (aipostex model-scan or subcommands) Align with existing pkg/modelscan if already present
A2 File targeting: paths, globs, max size, skip vendor Match pkg/discover ergonomics where sensible
A3 Pickle / PyTorch / unsafe deserialization signals Tie findings to severity + remediation text
A4 Optional: hash compare against manifest / registry Roadmap mentions validation; scope MVP vs stretch
A5 Tests + JSON findings Same report.Finding shape as other modules
A6 Docs: docs/modules/ + builtin template list if templates added

Dependency: None blocking Track B in parallel.


Workstream B: BentoML + Weights & Biases probes and templates

Step Task Notes
B1 BentoML: confirm fingerprint probe coverage in pkg/fingerprint/fingerprint.go Add probes if gaps vs live BentoML versions
B2 BentoML: 2-3 YAML templates (detect unauth inference, metrics exposure, etc.) Under pkg/vulncheck/templates/ with tags for scan targets
B3 W&B: HTTP probe(s) for common UI/API ports Default ports in internal/config/config.go
B4 W&B: templates for unauthenticated API or exposed runs Severity/tags consistent with vectordb/mlflow style
B5 scan_network tag mapping Same pattern as cmd/aipostex/scan_network.go service->tags
B6 Docs + vuln template index docs/vuln-templates/builtin.md

Note: HANDOFF Task 2 describes deeper BentoML/Triton/TorchServe modules; this track is detection-first (fingerprint + templates). Full modules can land in the same release or follow.


Workstream C: LiteLLM exploitation

Step Task Notes
C1 Decide: extend openai-compat vs new top-level litellm cmd/aipostex/litellm.go may already exist — audit vs roadmap
C2 Config key / admin API enumeration Guard read-only vs --force-exploit
C3 Model alias resolution, proxy abuse proofs Findings with proof metadata
C4 Tests with httptest Mirror pkg/exploit/openaicompat patterns

Suggested order within this track

  1. B1-B2 and B3-B4 in parallel (independent files).
  2. A1-A3 (model-scan MVP) — highest differentiation for v0.2.0 messaging.
  3. C1-C4 after audit of existing LiteLLM command surface.

Exit criteria (detection track)

  • go test -race -tags=integration ./... green
  • New or updated fingerprints/templates documented for operators
  • Roadmap v0.2.0 "detection" bullets either shipped or explicitly deferred with reason
  • 123/123 embedded templates pass parse + validate (per-family test coverage added in review C-series)