Offensive Demo Packs¶
Demo packs are operator descriptors for showing one offensive technique end to end. Proof-backed packs run a lab and produce Seam transcripts, meshmapper paths, an Assay finding, a report, and cockpit data. Seam-focused packs demonstrate a rewrite or trace pattern and call out the target-specific oracle work still needed.
python3 -m ait.cli demo list
python3 -m ait.cli demo show a2a-content-rewrite
Verify a pack before a live demo. Verification checks the descriptor, rule,
fixture, payload files, expected rule id, touched decoded paths, and
negative-control pairing. Seam-focused packs also run a fixture-backed
seam rules test and store the result under
workbench/demo-verifications/.
python3 -m ait.cli demo verify a2a-agent-card-spoof
Primary Packs¶
| Pack | Scenario | Expected rule | What to inspect |
|---|---|---|---|
a2a-content-rewrite |
Lab L6 content_rewrite |
l6_content_rewrite_authorized_refund |
A2A message/send text before/after, then Assay oracle delta. |
mcp-tool-result-injection |
Lab L6 tool_result_injection |
l6_mcp_tool_result_policy_injection |
MCP tool result rewrite, planner decision, tripwire proof. |
memory-context-propagation |
Lab L6 memory_context |
l6_memory_context_injection |
Memory write/read flow, injection path, vulnerable vs safe outcome. |
Run a proof-backed pack:
python3 -m ait.cli demo run a2a-content-rewrite --trials 1 --serve-live
The cockpit opens with the run artifacts. Start in Traffic, select the rewritten row, move to Message for before/after decoded bodies, then inspect Seam, meshmapper, and Assay.
Secondary Packs¶
| Pack | Proof status | Expected rule | Notes |
|---|---|---|---|
a2a-agent-card-spoof |
Seam evidence only | a2a_card_spoof |
Shows Agent Card capability/auth manipulation. |
a2a-task-artifact-status |
Target-specific oracle required | a2a_task_status_override or a2a_task_artifact_injection |
Useful for task lifecycle consumers. |
mcp-tool-call-argument |
Target-specific oracle required | mcp_tool_call_argument_rewrite |
Shows MCP request-side argument rewriting. |
mcp-stdio-argument |
Target-specific oracle required | mcp_stdio_argument_spoof |
Shows local MCP stdio wrapping and rewrite. |
mcp-schema-poisoning |
Target-specific oracle required | mcp_schema_poisoning_merge |
Shows MCP tools/list schema and description poisoning. |
mcp-tool-shadowing |
Target-specific oracle required | mcp_tool_shadow_insert |
Inserts a shadow tool into a tools/list result. |
prompt-resource-leakage |
Observe-first | mcp_prompt_resource_leakage_marker |
Marks prompt/resource result content for downstream leakage testing. |
credential-relay-observe |
Observe-first | credential_relay_json_marker |
Marks credential-like JSON body context crossing an agent boundary. |
negative-control |
Negative control | negative_control_no_match |
Confirms a no-match control stays quiet. |
Show a descriptor before running:
python3 -m ait.cli demo show mcp-tool-result-injection --json
Descriptors include the fields an operator needs before presenting or adapting a pack:
- proof status:
proof-backed,operate-only, or negative control; - rule file, expected rule id, and fixture path;
- payload files used by insert/merge/replace rules;
- touched decoded paths and expected transcript shape;
- target decision marker and expected meshmapper class;
- cockpit walkthrough hints.
That metadata also feeds ait demo run and the cockpit, so the demo view can
show exactly which decoded field should change instead of only linking to raw
artifacts.
Presenter Checklist¶
- Run
ait demo verify <demo-id>before presenting a Seam-focused pack. - Confirm the expected rule id appears in the Seam tab.
- Confirm the Traffic row has a rewrite badge when the pack is rewrite-backed.
- Confirm the Message tab shows the exact decoded field before and after.
- Confirm meshmapper shows the expected hypothesis class.
- For proof-backed packs, confirm Assay reports
delta_confirmed: trueand links to oracle evidence.
Negative Controls¶
Every offensive pack should name a negative-control pair. The negative control is expected to stay quiet against the same fixture family. Use it when you want to show that a rule is matching the intended decoded shape, not every similar message.
python3 -m ait.cli demo verify negative-control