Skip to content

meshmapper

meshmapper is the graph analyst and targeting layer. It ingests Seam transcripts, builds a typed trust-boundary graph, and emits unvalidated path hypotheses that help operators choose what to attack or validate next.

M5 is implemented: transcript-to-graph ingestion, deterministic graph serialization, stable graph_ref, multi-source ingestion from endpoint inventories, Agent Cards, MCP tools/list, and static configs, four unvalidated hypothesis classes, plus topology robustness scenarios.

Current classes:

  • privilege_laundering: low-trust entry can reach a high-privilege sink through implicit trust.
  • injection_propagation: untrusted content can reach a privileged action path without a sanitizer marker.
  • confused_deputy: an intermediary invokes a privileged sink with its own authority for a lower-trust caller.
  • trust_spoof: unsigned or unauthenticated Agent Card trust can steer a host toward a privileged advertised capability.
cd agentic-redteam/meshmapper
meshmapper \
  --transcript ../seam/transcript.json \
  --aipostex endpoints.json \
  --agent-card billing-card.json \
  --mcp-tools-list tools.json \
  --config mesh.yaml \
  --graph graph.json \
  --out paths.json \
  --schema ../schema

meshmapper does not validate findings. Every emitted path keeps proven: false; Seam owns live operation, and Assay owns optional impact validation with an out-of-band oracle.

  • CLI: repeatable command flags and outputs.
  • Ingestion: transcripts, discovery artifacts, Agent Cards, MCP tools, and configs.
  • Graph: node types, edge types, trust basis, and graph_ref.
  • Rules: M4 hypothesis classes and taxonomy mappings.
  • Hypotheses: output schema and proof boundary.