Skip to content

Workflow Metadata

Findings from discovery, enumeration, and scan commands carry structured workflow metadata that suggests concrete next steps. This metadata is preserved in JSON/JSONL output and rendered as next: lines in console output.

metadata.workflow

The workflow key in finding metadata contains a structured plan:

{
  "metadata": {
    "workflow": {
      "target": "http://10.0.0.5:11434",
      "stage": "discovery",
      "rationale": "Ollama service discovered via fingerprint",
      "proof_strength": "reachable",
      "chain_source": "discover network",
      "recommendations": [
        {
          "command": "aipostex ollama --target http://10.0.0.5:11434 enum",
          "rationale": "Enumerate models and version",
          "gated": false,
          "priority": 10,
          "stage": "correlation"
        },
        {
          "command": "aipostex ollama --target http://10.0.0.5:11434 poison --base-model llama3 --new-model llama3-backdoor --system-prompt \"...\" --force-exploit",
          "rationale": "Demonstrate model tampering",
          "gated": true,
          "priority": 50,
          "stage": "takeover"
        }
      ]
    }
  }
}

Workflow Fields

Field Description
target The target URL for follow-on commands
stage Current chain stage of this finding
rationale Why this finding triggered workflow generation
proof_strength Current proof level
chain_source What produced this finding (e.g., discover network, enum)
recommendations Ordered list of suggested next commands

Recommendation Fields

Field Description
command The exact aipostex command to run
rationale Why this step is useful
gated Whether the command requires --force-exploit
priority Ordering priority (lower = run first)
stage Which chain stage this command belongs to

Ordering

Recommendations are ordered by priority (ascending). Read-only commands always appear before gated commands, regardless of priority value.

When the originating fingerprint is suspected or ambiguous, workflow generation becomes more conservative:

  • a broad scan targets --target <url> command is prepended before module-specific follow-ons
  • module-specific recommendations keep read-only paths only
  • gated recommendations are suppressed until the service identity is confirmed

metadata.evidence

The evidence key contains display-safe evidence metadata:

{
  "metadata": {
    "evidence": {
      "preview": "3 models: llama3, mistral, codellama",
      "raw_length": 2048,
      "artifact_kind": "model-list",
      "sensitivity_hints": ["model-names"]
    }
  }
}
Field Description
preview Truncated, display-safe evidence string
raw_length Length of the full raw evidence
artifact_kind Classification of the evidence artifact
sensitivity_hints Tags indicating sensitivity level

Console output uses the preview string. JSON/JSONL output preserves the full raw evidence in the top-level evidence field.

Proof Stage Progression

Workflow metadata tracks findings through a staged chain:

flowchart LR
    Discovery["discovery\n(service detected)"] --> Correlation["correlation\n(assets mapped)"]
    Correlation --> Proof["proof\n(access validated)"]
    Proof --> Takeover["takeover\n(impact demonstrated)"]
Stage Description Example
discovery Service or artifact found discover network fingerprint match
correlation Assets mapped to exploit paths enum lists models/collections/tools
proof Read access validated extract, prompts, read-notebook
takeover State-changing impact demonstrated poison, exec, submit

Proof Strength Levels

Strength Meaning
reachable Service responds to probes
influenced Behavior was observably influenced
read-confirmed Data was successfully read
execution-confirmed Code or commands executed
takeover-capable Full control demonstrated

Console Rendering

In console output, workflow recommendations appear as next: lines:

 INFO  [fingerprint] AI service suspected: ollama
  target: http://10.0.0.5:11434
  context: service=ollama  port=11434  match_kind=suspected  confidence=medium  specificity=90
  next: [read] aipostex scan targets --target http://10.0.0.5:11434
  next: [read] aipostex ollama --target http://10.0.0.5:11434 enum

The [read] prefix indicates a read-only command. The [gated] prefix indicates a command requiring --force-exploit.

Using Workflow Metadata Programmatically

Extract next commands from JSONL output:

# Get all recommended commands
cat findings.jsonl | jq -r '.metadata.workflow.recommendations[]?.command'

# Get only read-only commands
cat findings.jsonl | jq -r '.metadata.workflow.recommendations[] | select(.gated == false) | .command'

# Get commands for a specific target
cat findings.jsonl | jq -r 'select(.target == "http://10.0.0.5:11434") | .metadata.workflow.recommendations[]?.command'