apohara-compliance v2.1.0 — Representation-Aware Taint + Evasion Robustness

@SuarezPM SuarezPM released this 09 Jun 21:09

v2.1.0 — Representation-Aware Taint + Evasion Robustness + Cleanups (ADR-5)

Additive — the v2.0 trajectory pass is unchanged; a representation layer, a
vocabulary, and a structural shell pass are added; the single-action engine is
byte-identical to v1.4 (AgentDojo recall 23 / 35 UNCHANGED). The gap closed is
the v2.0 representation/vocabulary gap: AgentDojo's structured tool-call sinks
did not overlap the v2.0 taint_source / taint_sink vocabulary.

Added

  • Representation-aware taint (ADR-5): the parser now emits a reserved
    sink: action carrying a deterministic canonical role string
    (recipient= / amount= / url= / command=, with const SINK_GRAMMAR
    enforcing an authority boundary). The sink: channel is excluded from the
    single-action loop by a one-line starts_with("sink:") guard, so the new
    representation cannot produce a single-action false positive (proven by
    the C1 FP-safety + C2 grammar-disjointness tests).
  • Taxonomy-derived generic injection-marker vocabulary for AGT-TRJ (OWASP
    ASI02:2026 / AITG-APP-02 / documented IPI canary families — each marker
    cited in detection-rules.yaml).
  • Structural shlex shell pass → AGT-MIS-004 catches flag-reordered
    destructive commands a substring scan cannot (e.g. rm -r -f / rm -fr /
    quoted-arg variants); folded into AGT-MIS-004.
  • A3 session-only normalization (Unicode / casing / homoglyph) in the session
    value picker (relevant_input). Documented deferred gap: parse_repo
    builds actions directly and is NOT normalized, so normalization covers only
    the session channel (30/101 gate paths, 0/56 repo-file). Repo-file
    normalization is a documented follow-up (ADR-5 M4).
  • Synthetic positive (trj-representation-aware-positive.jsonl) fires
    AGT-TRJ-001 + AGT-TRJ-003 via the real binary; the
    trj-structured-sink-benign-trap and the FinBot direct-injection fixture
    (negative control) fire zero.
  • Pre-registration: frozen rules SHA ac88825 (verified unchanged
    post-scan). Repo-file normalization deferred to a future PR.
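The structural shell pass described above, sketched in Python as an added illustration (the project itself is Rust, and this is not its code): a naive substring check beside a tokenize-then-inspect check that sees `rm -fr`, `rm -r -f` and quoted-arg variants as the same command. The sample commands are constructed for the demo.

```python
import shlex

# Constructed sample commands for the demo (not fixtures from the project).
SAMPLES = {
    "rm -rf /srv/data": True,
    "rm -fr /srv/data": True,            # reordered flag letters
    "rm -r -f /srv/data": True,          # flags given separately
    'rm -r "-f" /srv/data': True,        # quoted-arg variant
    "echo done && rm --force --recursive /srv/data": True,
    "rm -f /srv/data/one.log": False,    # force without recursive
    "rm -- -rf": False,                  # '-rf' is an operand after '--'
    "grep 'rm -rf' audit.log": False,    # the string is data, not a command
}

def substring_scan(cmd: str) -> bool:   # naive check: literal 'rm -rf' only
    return "rm -rf" in cmd

def _is_recursive_force_rm(argv: list) -> bool:
    """True if this simple command is rm with both recursive and force set."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "rm":
        return False
    short, long_ = set(), set()
    for tok in argv[1:]:
        if tok == "--":                  # end of options; the rest are operands
            break
        if tok.startswith("--"):
            long_.add(tok[2:])
        elif tok.startswith("-") and len(tok) > 1:
            short.update(tok[1:])        # '-fr' contributes both 'f' and 'r'
    recursive = bool(short & {"r", "R"}) or "recursive" in long_
    force = "f" in short or "force" in long_
    return recursive and force

def structural_scan(cmd: str) -> bool:
    """Structural pass: tokenize, split on control operators, check each argv."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True          # ';', '&&', '||', '|' become own tokens
    try:
        tokens = list(lex)
    except ValueError:                   # unbalanced quotes: not parseable shell
        return False
    hit, argv = False, []
    for tok in tokens + [";"]:           # trailing ';' flushes the last command
        if tok in (";", "&&", "||", "|"):
            hit = hit or _is_recursive_force_rm(argv)
            argv = []
        else:
            argv.append(tok)
    return hit
```

The substring check both misses the reordered and quoted forms and fires on the `grep` line, which is the false-positive/false-negative pair the structural pass is meant to remove.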

Notes

  • Honesty invariants unchanged.
  • The synthetic positive is a constructive existence proof that the engine
    can fire on a structured representation — it is authored to fire, so it
    is not an independent measurement. Real-trace generalisation is
    UNPROVEN at v2.1 (stated plainly in ADR-5).
  • "Real-world efficacy is still UNPROVEN — stated plainly. v2.1 closes the
    gap in the engine's vocabulary and representation (structured sinks +
    generic markers now exist and fire on a synthetic trajectory), but there
    is no committed real trajectory corpus to exercise it: the AgentDojo
    corpus is flat bait (no trajectories) and v2.1 defers all live capture
    (A10). So the structured-sink representation is measured on the synthetic
    positive only; real-trace generalisation remains the deferred gap. A
    deterministic offline matcher will never catch a determined obfuscator
    (the documented ceiling)."

Build info

  • Target: x86_64-unknown-linux-gnu (Linux only)
  • Binary: apohara-compliance-scanner-x86_64-unknown-linux-gnu
  • Source commit: 1b170e19eeba8cf9fe06cbc5daacfeb4e9cee843
  • Built: 2026-06-09 via local cargo build --release --locked

Limitations of this local build

  • Linux x86_64 only. The other 3 release targets (aarch64-apple-darwin,
    x86_64-apple-darwin, x86_64-pc-windows-msvc) require cross-compile
    setup or macOS/Windows runners that aren't available in this local build.
  • No cosign signatures (keyless OIDC signing requires GH Actions).
  • No GH artifact attestations (build provenance requires GH Actions).

The canonical multi-target release workflow is at
.github/workflows/release.yml.