[1.0.0] - 2026-06-25
The Trust Spine release. ptai now proves what it finds: a finding earns the VERIFIED badge only when a machine oracle re-runs the exploit and reproduces it N out of N times. No oracle, no badge, and no verdict from an LLM assertion.
Added
- Verifier + receipt contract. A verified verdict must name the machine oracle that earned it, enforced in code.
- Recipe-driven oracles: unescaped reflection, open redirect, IDOR/BOLA differential, error signature, MCP exposure, SQLi boolean and boolean-blind, SSTI (including error-based), sensitive data exposure, and HTTP request smuggling (CL.TE), plus an out-of-band OAST callback oracle for blind SSRF/XXE over a self-hosted loopback collaborator.
- Portable proof capsules and
ptai replay, plus multi-hop chain capsules, so a finding's proof travels and replays without trusting ptai. - Prove-or-kill gating: third-party scanner output (nuclei, nikto, zap) is held back until an oracle re-proves it.
- Verified-only SARIF export (
ptai export --sarif) with a frozen, versioned export-properties contract. - REST path-parameter injection in the SQLi/XSS/SSTI fuzzers, so injection in
/rest/products/<id>style routes is caught, not just query parameters. - Experimental CL.TE request-smuggling discovery probe, oracle-gated.
- CI gate (
--fail-on verified) with a composite action, and a bundledptai demo.
Changed
- Honest verdicts. An oracle miss now reads as
candidate(could not re-prove), neverrefuted;refutedis reserved for an oracle that can truly disprove a vulnerability. - Impact-honest severity: a bare out-of-band callback proves existence, not impact, so it is rated medium until impact is reproduced.
Verified
- 100% precision with zero false positives on the honeypot benchmark, and field-validated against live OWASP Juice Shop: a real broken-object-level-authorization bug verified end to end with a replayable proof capsule.