# Discovery Artifact Contract
aipostex.attack_surface is the file contract between aipostex discovery and the AIT toolchain. aipostex writes it. AIT imports and visualizes it. meshmapper fuses it into graph facts. Seam and Assay do not call aipostex directly.
## Top-Level Shape
The canonical schema is agentic-redteam/schema/discovery-artifact.schema.json.
```json
{
  "schema_version": "1.0",
  "kind": "aipostex.attack_surface",
  "artifact_id": "sha256:<canonical-content-hash>",
  "producer": {
    "tool": "aipostex",
    "version": "string",
    "command": ["string"],
    "started_at": "RFC3339",
    "completed_at": "RFC3339"
  },
  "scope": {
    "target": "string",
    "base_urls": ["string"],
    "notes": "string"
  },
  "observations": [],
  "candidates": []
}
```
Observation IDs should be deterministic, derived from the canonical observation JSON with timestamps excluded. `artifact_id` should be a content hash over the canonical artifact, excluding temporal fields and the `artifact_id` field itself.
## Observations
Each observation requires id, kind, protocol, subject, source, and confidence.
Supported kind values:
endpoint, a2a_agent_card, a2a_skill, a2a_task_endpoint, a2a_registry, mcp_server, mcp_tool, mcp_tool_schema, mcp_prompt, mcp_resource, mcp_root, mcp_notification, memory_surface, session_surface, delegation_surface, credential_flow, probe_result.
Supported protocol values:
a2a, mcp, http, sse, websocket, stdio, unknown.
Useful optional blocks include auth, signing, schema, tool, resource, prompt, registry, session, memory, delegation, credential, raw_ref, and safe_summary.
## Candidates
Candidates describe likely follow-up classes. They are not exploitation claims.
Supported technique_tag values:
tool_poisoning, schema_poisoning, prompt_leakage, resource_leakage, tool_shadowing, delegation_pivot, registry_trust, memory_exposure, session_exposure, credential_relay, agent_card_spoof, task_lifecycle_abuse.
Supported recommended_followup values:
observe_only, seam_rule, meshmapper_rank, assay_template.
## AIT Usage
```bash
python3 -m ait.cli discover summarize --artifact tests/fixtures/discovery/mixed-a2a-mcp-attack-surface.json --json
python3 -m ait.cli discover import --artifact tests/fixtures/discovery/mixed-a2a-mcp-attack-surface.json --run /tmp/ait-discovery-run --json
```
After import, open the cockpit and use Discover to inspect candidates before graph fusion:
```bash
python3 -m ait.cli workbench serve --run /tmp/ait-discovery-run
```
## Aipostex Agent Brief
Emit a saved aipostex.attack_surface JSON artifact, schema version 1.0. Do not call Seam, meshmapper, or Assay. Your job is discovery/probing only.
Required output:
- `observations[]` for endpoints, Agent Cards, A2A skills/task endpoints/registries, MCP servers/tools/tool schemas/prompts/resources/roots/notifications, memory/session surfaces, delegation surfaces, credential-flow candidates, and probe results.
- `candidates[]` that tag likely technique classes: tool poisoning, schema poisoning, prompt/resource leakage, tool shadowing, delegation pivot, registry trust, memory/session exposure, credential relay, Agent Card spoof, and task lifecycle abuse.
- Every observation must include source refs, confidence, protocol, subject identity, and enough structured fields for AIT/meshmapper to act without parsing prose.
- Do not claim exploitation or proof. The artifact describes attack surface and candidate follow-up only.
- Use deterministic IDs from canonical observation/candidate content so repeated scans are comparable.
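The ID rule under Top-Level Shape, the required fields and enumerations under Observations and Candidates, and the brief's determinism requirement fit together in one script. The following is an added Python example written for this page; it is not aipostex, AIT or schema code, and it does not replace validation against `discovery-artifact.schema.json`. It assumes a canonical form of sorted keys with compact separators, treats `started_at`, `completed_at` and a hypothetical per-observation `observed_at` as the temporal keys excluded from every hash, uses a numeric confidence in [0, 1], and builds a constructed sample artifact whose host names and values are illustrative only.

```python
import hashlib
import json
from copy import deepcopy

# Enumerations exactly as listed on this page.
OBSERVATION_KINDS = {
    "endpoint", "a2a_agent_card", "a2a_skill", "a2a_task_endpoint", "a2a_registry",
    "mcp_server", "mcp_tool", "mcp_tool_schema", "mcp_prompt", "mcp_resource",
    "mcp_root", "mcp_notification", "memory_surface", "session_surface",
    "delegation_surface", "credential_flow", "probe_result",
}
PROTOCOLS = {"a2a", "mcp", "http", "sse", "websocket", "stdio", "unknown"}
TECHNIQUE_TAGS = {
    "tool_poisoning", "schema_poisoning", "prompt_leakage", "resource_leakage",
    "tool_shadowing", "delegation_pivot", "registry_trust", "memory_exposure",
    "session_exposure", "credential_relay", "agent_card_spoof", "task_lifecycle_abuse",
}
FOLLOWUPS = {"observe_only", "seam_rule", "meshmapper_rank", "assay_template"}
REQUIRED_OBSERVATION_FIELDS = ("id", "kind", "protocol", "subject", "source", "confidence")

# Assumption: keys treated as temporal and excluded from every content hash.
# started_at/completed_at come from the page; observed_at is a hypothetical
# per-observation timestamp used only in this example.
TEMPORAL_FIELDS = {"started_at", "completed_at", "observed_at"}


def canonical_json(obj) -> str:
    # Sorted keys and compact separators are the assumed canonical form, so the
    # hash does not depend on key order or whitespace.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def strip_temporal(obj):
    """Recursively drop temporal keys so re-scans of unchanged surface hash the same."""
    if isinstance(obj, dict):
        return {k: strip_temporal(v) for k, v in obj.items() if k not in TEMPORAL_FIELDS}
    if isinstance(obj, list):
        return [strip_temporal(v) for v in obj]
    return obj


def content_id(obj, self_key):
    """sha256 over canonical JSON of obj, minus its own id field and all timestamps."""
    body = strip_temporal({k: v for k, v in obj.items() if k != self_key})
    return "sha256:" + hashlib.sha256(canonical_json(body).encode("utf-8")).hexdigest()


def assign_ids(artifact):
    """Return a copy with deterministic observation/candidate ids and artifact_id."""
    art = deepcopy(artifact)
    for item in art.get("observations", []) + art.get("candidates", []):
        item["id"] = content_id(item, "id")
    art["artifact_id"] = content_id(art, "artifact_id")
    return art


def validate(artifact):
    """Check the required fields and enumerations this page lists; return the problems found."""
    errors = []
    if artifact.get("kind") != "aipostex.attack_surface":
        errors.append("kind must be aipostex.attack_surface")
    if artifact.get("schema_version") != "1.0":
        errors.append("schema_version must be 1.0")
    if not str(artifact.get("artifact_id", "")).startswith("sha256:"):
        errors.append("artifact_id must be a sha256 content hash")
    for i, obs in enumerate(artifact.get("observations", [])):
        for field in REQUIRED_OBSERVATION_FIELDS:
            if field not in obs:
                errors.append(f"observations[{i}] missing {field}")
        if obs.get("kind") not in OBSERVATION_KINDS:
            errors.append(f"observations[{i}] unknown kind {obs.get('kind')!r}")
        if obs.get("protocol") not in PROTOCOLS:
            errors.append(f"observations[{i}] unknown protocol {obs.get('protocol')!r}")
    for i, cand in enumerate(artifact.get("candidates", [])):
        if cand.get("technique_tag") not in TECHNIQUE_TAGS:
            errors.append(f"candidates[{i}] unknown technique_tag {cand.get('technique_tag')!r}")
        if cand.get("recommended_followup") not in FOLLOWUPS:
            errors.append(f"candidates[{i}] unknown recommended_followup {cand.get('recommended_followup')!r}")
    return errors


def sample_artifact(started_at="2024-01-01T00:00:00Z", completed_at="2024-01-01T00:01:00Z"):
    """Constructed sample artifact; host names and values are illustrative only."""
    return {
        "schema_version": "1.0",
        "kind": "aipostex.attack_surface",
        "producer": {"tool": "aipostex", "version": "0.0-example", "command": ["aipostex", "discover"],
                     "started_at": started_at, "completed_at": completed_at},
        "scope": {"target": "lab-mcp.example", "base_urls": ["http://lab-mcp.example:8080"],
                  "notes": "constructed sample"},
        "observations": [{
            "kind": "mcp_tool", "protocol": "mcp",
            "subject": {"server": "http://lab-mcp.example:8080/mcp", "tool": "read_file"},
            "source": {"raw_ref": "tools/list#0"},
            "confidence": 0.8,  # assumption: numeric confidence in [0, 1]
            "tool": {"description": "Reads a file from the workspace."},
            "observed_at": started_at,
        }],
        "candidates": [{"technique_tag": "tool_poisoning", "recommended_followup": "observe_only"}],
    }


if __name__ == "__main__":
    art = assign_ids(sample_artifact())
    print(art["artifact_id"], validate(art))
```

Because each id is computed with its own field removed, `assign_ids` is idempotent, and two scans of an unchanged surface that differ only in `started_at`/`completed_at` produce the same `artifact_id`; any change to observed content changes it. Nested keys named `id` (for example inside `subject`) are kept in the hash, since only the top-level id of the object being hashed is excluded.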
## Tag-To-Follow-Up Mapping
| Tag | First AIT follow-up |
|---|---|
| tool_poisoning | MCP tool-call argument merge or tool-result insertion. |
| schema_poisoning | MCP tools/list schema/description merge. |
| tool_shadowing | MCP tool insertion/shadowing or A2A Agent Card skill insertion. |
| registry_trust | A2A Agent Card auth/skill manipulation. |
| delegation_pivot | A2A content rewrite or task artifact/status manipulation. |
| prompt_leakage, resource_leakage | Observe-first pack; complete result rewrites where available. |
| memory_exposure, session_exposure | Memory/context propagation packs. |
| credential_relay | JSON/body credential relay fixture; header-only relay remains observe-only. |