Discovery Artifact Contract

aipostex.attack_surface is the file contract between aipostex discovery and the AIT toolchain. aipostex writes it. AIT imports and visualizes it. meshmapper fuses it into graph facts. Seam and Assay do not call aipostex directly.

Top-Level Shape

The canonical schema is agentic-redteam/schema/discovery-artifact.schema.json.

{
  "schema_version": "1.0",
  "kind": "aipostex.attack_surface",
  "artifact_id": "sha256:<canonical-content-hash>",
  "producer": {
    "tool": "aipostex",
    "version": "string",
    "command": ["string"],
    "started_at": "RFC3339",
    "completed_at": "RFC3339"
  },
  "scope": {
    "target": "string",
    "base_urls": ["string"],
    "notes": "string"
  },
  "observations": [],
  "candidates": []
}

Observation IDs should be derived deterministically from the canonical observation JSON with timestamps excluded. artifact_id should be a content hash over the canonical artifact, excluding temporal fields and the artifact_id field itself.
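One way to implement the two hashing rules above, as an added example rather than the project's own code: the canonical form (sorted keys, compact separators, UTF-8), the set of stripped timestamp key names, the sha256: prefix on observation IDs, and the exclusion of a record's own id field are assumptions, since the contract does not spell them out. It also includes the importer-side check that an embedded artifact_id still recomputes.

```python
import hashlib
import json
from typing import Any

# Assumption (the contract names no timestamp keys): these keys are stripped before
# hashing. started_at/completed_at are the producer fields on the page; observed_at
# is a hypothetical per-observation timestamp.
TEMPORAL_KEYS = frozenset({"started_at", "completed_at", "observed_at"})


def strip_temporal(value: Any) -> Any:
    """Recursively drop temporal keys so run timing never changes a hash."""
    if isinstance(value, dict):
        return {k: strip_temporal(v) for k, v in value.items() if k not in TEMPORAL_KEYS}
    if isinstance(value, list):
        return [strip_temporal(v) for v in value]
    return value


def canonical_bytes(value: Any) -> bytes:
    """Assumed canonical form: sorted keys, no whitespace, UTF-8 (not RFC 8785 JCS)."""
    return json.dumps(value, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def content_hash(value: dict, self_key: str) -> str:
    """Hash canonical content with temporal fields and the record's own id removed."""
    body = {k: v for k, v in value.items() if k != self_key}
    return "sha256:" + hashlib.sha256(canonical_bytes(strip_temporal(body))).hexdigest()


def observation_id(observation: dict) -> str:
    return content_hash(observation, "id")  # assumed to share the sha256: prefix format


def artifact_id(artifact: dict) -> str:
    return content_hash(artifact, "artifact_id")


def verify_artifact(artifact: dict) -> bool:
    """Importer-side integrity check: the embedded artifact_id must recompute."""
    return artifact.get("artifact_id") == artifact_id(artifact)


# Constructed sample observation; only observed_at differs between the two copies below.
OBS = {"kind": "mcp_tool", "protocol": "mcp", "subject": "fs.read_file", "confidence": 0.8,
       "source": {"raw_ref": "probe-7"}, "observed_at": "2024-01-01T00:00:00Z"}

if __name__ == "__main__":
    print(observation_id(OBS) == observation_id(dict(OBS, observed_at="2024-01-02T00:00:00Z")))
```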

Observations

Each observation requires id, kind, protocol, subject, source, and confidence.

Supported kind values:

endpoint, a2a_agent_card, a2a_skill, a2a_task_endpoint, a2a_registry, mcp_server, mcp_tool, mcp_tool_schema, mcp_prompt, mcp_resource, mcp_root, mcp_notification, memory_surface, session_surface, delegation_surface, credential_flow, probe_result.

Supported protocol values:

a2a, mcp, http, sse, websocket, stdio, unknown.

Useful optional blocks include auth, signing, schema, tool, resource, prompt, registry, session, memory, delegation, credential, raw_ref, and safe_summary.

Candidates

Candidates describe likely follow-up classes. They are not exploitation claims.

Supported technique_tag values:

tool_poisoning, schema_poisoning, prompt_leakage, resource_leakage, tool_shadowing, delegation_pivot, registry_trust, memory_exposure, session_exposure, credential_relay, agent_card_spoof, task_lifecycle_abuse.

Supported recommended_followup values:

observe_only, seam_rule, meshmapper_rank, assay_template.

AIT Usage

python3 -m ait.cli discover summarize --artifact tests/fixtures/discovery/mixed-a2a-mcp-attack-surface.json --json
python3 -m ait.cli discover import --artifact tests/fixtures/discovery/mixed-a2a-mcp-attack-surface.json --run /tmp/ait-discovery-run --json

After import, open the cockpit and use Discover to inspect candidates before graph fusion:

python3 -m ait.cli workbench serve --run /tmp/ait-discovery-run

Aipostex Agent Brief

Emit a saved aipostex.attack_surface JSON artifact, schema version 1.0. Do not call Seam, meshmapper, or Assay. Your job is discovery/probing only.

Required output:

  • observations[] for endpoints, Agent Cards, A2A skills/task endpoints/registries, MCP servers/tools/tool schemas/prompts/resources/roots/notifications, memory/session surfaces, delegation surfaces, credential-flow candidates, and probe results.
  • candidates[] that tag likely technique classes: tool poisoning, schema poisoning, prompt/resource leakage, tool shadowing, delegation pivot, registry trust, memory/session exposure, credential relay, Agent Card spoof, and task lifecycle abuse.
  • Every observation must include source refs, confidence, protocol, subject identity, and enough structured fields for AIT/meshmapper to act without parsing prose.
  • Do not claim exploitation or proof. The artifact describes attack surface and candidate follow-up only.
  • Use deterministic IDs from canonical observation/candidate content so repeated scans are comparable.

Tag-To-Follow-Up Mapping

Tag                                First AIT follow-up
tool_poisoning                     MCP tool-call argument merge or tool-result insertion.
schema_poisoning                   MCP tools/list schema/description merge.
tool_shadowing                     MCP tool insertion/shadowing or A2A Agent Card skill insertion.
registry_trust                     A2A Agent Card auth/skill manipulation.
delegation_pivot                   A2A content rewrite or task artifact/status manipulation.
prompt_leakage, resource_leakage   Observe-first pack; complete result rewrites where available.
memory_exposure, session_exposure  Memory/context propagation packs.
credential_relay                   JSON/body credential relay fixture; header-only relay remains observe-only.