# AGT-001 — hidden Unicode (the mitigation names bidirectional and zero-width
# characters) inside an agent instruction or skill file. Scoped to
# `formulation.components` entries that were inventoried from an agent file.
- id: AGT-001
  name: "AI agent instruction file contains hidden Unicode characters"
  description: "Hidden Unicode in AI agent instructions or skill files can conceal misleading prompts, hidden tool behavior, or review-evasion content."
  severity: medium
  category: ai-agent
  dry-run-support: full
  standards:
    owasp-ai-top-10:
      - "LLM05: Supply Chain Vulnerabilities"
      - "LLM03:2025 Supply Chain"
    nist-ai-rmf:
      - "Govern"
      - "Manage"
    nist-ssdf:
      - "Review and protect build and automation instructions"
  # Both properties are compared as the string 'true'. The rule only reads the
  # marker; the hidden-character scan itself happens wherever
  # `cdx:file:hasHiddenUnicode` is set, so a component that lacks the property
  # presumably cannot match here (assuming `$prop` yields nothing for an absent
  # property — confirm against the helper).
  condition: |
    formulation.components[
      $prop($, 'cdx:agent:inventorySource') = 'agent-file'
      and $prop($, 'cdx:file:hasHiddenUnicode') = 'true'
    ]
  # Where the finding is anchored: the component's bom-ref and its source file.
  location: |
    {
      "bomRef": $."bom-ref",
      "file": $prop($, 'SrcFile')
    }
  message: "AI agent file '{{ name }}' contains hidden Unicode characters"
  mitigation: "Review the file with hidden-character rendering enabled, remove suspicious bidirectional or zero-width characters, and verify instruction blocks before merge."
  # Evidence points reviewers at the offending characters (code points and line
  # numbers) instead of reproducing file content. NOTE(review): `inComments`
  # presumably indicates whether the characters sit inside comment text —
  # confirm with the scanner that populates it.
  evidence: |
    {
      "codePoints": $prop($, 'cdx:file:hiddenUnicodeCodePoints'),
      "lineNumbers": $prop($, 'cdx:file:hiddenUnicodeLineNumbers'),
      "inComments": $prop($, 'cdx:file:hiddenUnicodeInComments')
    }

# AGT-002 — an agent file references a public MCP endpoint and the instruction
# surface carries no authentication hints at all. Scoped to
# `formulation.components` entries that were inventoried from an agent file.
- id: AGT-002
  name: "AI agent instructions reference a public MCP endpoint without auth hints"
  description: "Public MCP endpoints referenced from agent or skill files deserve review when the instruction surface does not indicate any bearer, token, or OAuth controls."
  severity: high
  category: ai-agent
  dry-run-support: full
  attack:
    tactics: [TA0001]
    techniques: [T1190]
  standards:
    owasp-ai-top-10:
      - "LLM07: Insecure Plugin Design"
      - "LLM08: Excessive Agency"
      - "LLM06:2025 Excessive Agency"
    nist-ai-rmf:
      - "Map"
      - "Manage"
    nist-ssdf:
      - "Review externally reachable AI and automation interfaces"
  # `$nullSafeProp` (rather than `$prop`) is used for the auth-hint test,
  # presumably so an absent `cdx:agent:authHints` property is treated like an
  # empty one — confirm the helper's behaviour. Any non-empty hint suppresses the
  # finding; the rule does not judge whether the hinted scheme is adequate.
  condition: |
    formulation.components[
      $prop($, 'cdx:agent:inventorySource') = 'agent-file'
      and $prop($, 'cdx:agent:hasPublicMcpEndpoint') = 'true'
      and $nullSafeProp($, 'cdx:agent:authHints') = ''
    ]
  # Where the finding is anchored: the component's bom-ref and its source file.
  location: |
    {
      "bomRef": $."bom-ref",
      "file": $prop($, 'SrcFile')
    }
  message: "AI agent file '{{ name }}' references a public MCP endpoint without any auth hints"
  mitigation: "Treat public MCP endpoints as untrusted until authentication, authorization, and endpoint provenance are documented explicitly."
  # Evidence carries the referenced URLs, hosts and provider names.
  # NOTE(review): if the scanner keeps query strings or userinfo in
  # `hiddenMcpUrls`, they are reproduced in the finding — confirm it stores
  # sanitized URLs.
  evidence: |
    {
      "hiddenMcpUrls": $prop($, 'cdx:agent:hiddenMcpUrls'),
      "hiddenMcpHosts": $prop($, 'cdx:agent:hiddenMcpHosts'),
      "providerNames": $prop($, 'cdx:agent:providerNames')
    }

# AGT-003 — an agent file mentions MCP surfaces but the BOM declares no MCP
# inventory at all. Scoped to `formulation.components` entries that were
# inventoried from an agent file.
- id: AGT-003
  name: "AI agent instructions reference MCP surfaces not declared elsewhere in the BOM"
  description: "Agent files that mention MCP servers, packages, or endpoints without corresponding MCP package inventory or source-derived MCP services can hide runtime trust dependencies from reviewers."
  severity: medium
  category: ai-agent
  dry-run-support: full
  standards:
    owasp-ai-top-10:
      - "LLM05: Supply Chain Vulnerabilities"
      - "LLM08: Excessive Agency"
      - "LLM03:2025 Supply Chain"
      - "LLM06:2025 Excessive Agency"
    nist-ai-rmf:
      - "Map"
      - "Govern"
    nist-ssdf:
      - "Maintain complete third-party and runtime dependency inventory"
  # The last two terms inspect the whole BOM (`$$`), not the specific packages
  # or endpoints the agent file names: one component flagged `cdx:mcp:package`,
  # or one source-derived MCP service from `$auditServices`, suppresses this
  # finding for every agent file. A partially declared MCP inventory therefore
  # goes unreported here. `$auditServices` is a project helper — presumably it
  # returns the BOM's service entries; confirm before tightening this check.
  condition: |
    formulation.components[
      $prop($, 'cdx:agent:inventorySource') = 'agent-file'
      and $prop($, 'cdx:agent:hasMcpReferences') = 'true'
      and $count($$.components[$prop($, 'cdx:mcp:package') = 'true']) = 0
      and $count($auditServices($$)[$nullSafeProp($, 'cdx:mcp:inventorySource') = 'source-code-analysis']) = 0
    ]
  # Where the finding is anchored: the component's bom-ref and its source file.
  location: |
    {
      "bomRef": $."bom-ref",
      "file": $prop($, 'SrcFile')
    }
  message: "AI agent file '{{ name }}' references MCP surfaces that are not otherwise declared in the BOM"
  mitigation: "Inventory the referenced MCP packages, endpoints, and trust boundaries explicitly so reviewers can validate provenance and access controls."
  # Evidence lists what the agent file referenced so a reviewer can compare it
  # against the declared MCP inventory.
  evidence: |
    {
      "mcpPackageRefs": $prop($, 'cdx:agent:mcpPackageRefs'),
      "hiddenMcpUrls": $prop($, 'cdx:agent:hiddenMcpUrls'),
      "hiddenComponentKinds": $prop($, 'cdx:agent:hiddenComponentKinds')
    }

# AGT-004 — an agent file references an MCP endpoint exposed through a tunnel
# or reverse proxy. Scoped to `formulation.components` entries that were
# inventoried from an agent file.
- id: AGT-004
  name: "AI agent instructions reference tunneled or reverse-proxied MCP exposure"
  description: "Localhost tunneling and reverse-proxy references in agent files can turn development-only MCP servers into remotely reachable control surfaces."
  severity: high
  category: ai-agent
  dry-run-support: full
  attack:
    tactics: [TA0001, TA0011]
    techniques: [T1190, T1071]
  standards:
    owasp-ai-top-10:
      - "LLM07: Insecure Plugin Design"
      - "LLM08: Excessive Agency"
      - "LLM06:2025 Excessive Agency"
    nist-ai-rmf:
      - "Map"
      - "Manage"
    nist-ssdf:
      - "Review externally reachable development interfaces"
  # Fires on the tunnel marker alone; it does not consult `cdx:agent:authHints`,
  # so a tunneled endpoint is reported even when auth hints are present
  # (AGT-002 covers the separate no-auth case for public endpoints). What counts
  # as a tunnel reference is decided by whatever sets the marker.
  condition: |
    formulation.components[
      $prop($, 'cdx:agent:inventorySource') = 'agent-file'
      and $prop($, 'cdx:agent:hasTunnelReference') = 'true'
    ]
  # Where the finding is anchored: the component's bom-ref and its source file.
  location: |
    {
      "bomRef": $."bom-ref",
      "file": $prop($, 'SrcFile')
    }
  message: "AI agent file '{{ name }}' references a tunneled or reverse-proxied MCP endpoint"
  mitigation: "Avoid exposing localhost MCP servers through ad-hoc tunnels; require reviewed ingress, authentication, and environment-specific controls."
  # Evidence is limited to the referenced URLs and hosts.
  evidence: |
    {
      "hiddenMcpUrls": $prop($, 'cdx:agent:hiddenMcpUrls'),
      "hiddenMcpHosts": $prop($, 'cdx:agent:hiddenMcpHosts')
    }

# AGT-005 — an agent file references MCP packages or wrappers that the scanner
# did not classify as official. Scoped to `formulation.components` entries that
# were inventoried from an agent file.
- id: AGT-005
  name: "AI agent instructions reference non-official MCP packages or wrappers"
  description: "Non-official MCP wrappers referenced directly from agent instructions deserve extra review before they are trusted in developer tooling or automation flows."
  severity: medium
  category: ai-agent
  dry-run-support: full
  standards:
    owasp-ai-top-10:
      - "LLM05: Supply Chain Vulnerabilities"
      - "LLM07: Insecure Plugin Design"
      - "LLM03:2025 Supply Chain"
    nist-ai-rmf:
      - "Govern"
      - "Map"
    nist-ssdf:
      - "Verify provenance of third-party AI integrations"
  # What counts as "non-official" is decided by whatever sets
  # `cdx:agent:hasNonOfficialMcpReference`; this rule only reads the marker, so
  # the allow-list of official packages lives outside this file.
  condition: |
    formulation.components[
      $prop($, 'cdx:agent:inventorySource') = 'agent-file'
      and $prop($, 'cdx:agent:hasNonOfficialMcpReference') = 'true'
    ]
  # Where the finding is anchored: the component's bom-ref and its source file.
  location: |
    {
      "bomRef": $."bom-ref",
      "file": $prop($, 'SrcFile')
    }
  message: "AI agent file '{{ name }}' references non-official MCP packages or wrappers"
  mitigation: "Prefer official MCP SDKs where possible and document provenance, version pinning, and trust assumptions for any wrapper packages."
  # Evidence names the referenced packages and the kinds of hidden components
  # they introduce.
  evidence: |
    {
      "mcpPackageRefs": $prop($, 'cdx:agent:mcpPackageRefs'),
      "hiddenComponentKinds": $prop($, 'cdx:agent:hiddenComponentKinds')
    }

# AGT-006 — inline credential patterns in an agent or skill file. Critical
# because the description treats it as both a review and a rotation problem.
# Scoped to `formulation.components` entries inventoried from an agent file.
- id: AGT-006
  name: "AI agent instructions contain inline credential patterns"
  description: "Agent or skill files that embed bearer tokens, API keys, or similar secrets create immediate review and credential-rotation risk."
  severity: critical
  category: ai-agent
  dry-run-support: full
  attack:
    tactics: [TA0006]
    techniques: [T1552]
  standards:
    owasp-ai-top-10:
      - "LLM05: Supply Chain Vulnerabilities"
      - "LLM07: Insecure Plugin Design"
      - "LLM03:2025 Supply Chain"
    nist-ai-rmf:
      - "Govern"
      - "Manage"
    nist-ssdf:
      - "Protect secrets used by AI automation and developer tooling"
  # Reads the `cdx:agent:credentialExposure` marker only; the credential-pattern
  # matching itself happens wherever that property is set.
  condition: |
    formulation.components[
      $prop($, 'cdx:agent:inventorySource') = 'agent-file'
      and $prop($, 'cdx:agent:credentialExposure') = 'true'
    ]
  # Where the finding is anchored: the component's bom-ref and its source file.
  location: |
    {
      "bomRef": $."bom-ref",
      "file": $prop($, 'SrcFile')
    }
  message: "AI agent file '{{ name }}' contains inline credential patterns"
  mitigation: "Remove embedded credentials from agent instructions and move them into reviewed secret-management flows before the file is shared or executed."
  # NOTE(review): confirm that `credentialRiskIndicators` and `hiddenMcpUrls`
  # carry pattern names / locations rather than the matched secret text, since
  # evidence is presumably rendered into the finding and would otherwise copy
  # the credential into the audit output.
  evidence: |
    {
      "credentialRiskIndicators": $prop($, 'cdx:agent:credentialRiskIndicators'),
      "hiddenMcpUrls": $prop($, 'cdx:agent:hiddenMcpUrls'),
      "providerNames": $prop($, 'cdx:agent:providerNames')
    }

# AGT-007 — an AI instruction or skill file is present in a BOM whose lifecycle
# includes a build or post-build phase, i.e. the file ships with the artifact.
# Unlike AGT-001..AGT-006 this matches top-level `components` rather than
# `formulation.components`, and also accepts the 'community-config' inventory
# source.
- id: AGT-007
  name: "AI agent or skill file is included in a build or post-build SBOM"
  description: "Shipped AI instruction and skill files deserve explicit review because they can alter developer tooling, release-time automation, and downstream runtime behavior."
  severity: medium
  category: ai-agent
  dry-run-support: full
  standards:
    owasp-ai-top-10:
      - "LLM05: Supply Chain Vulnerabilities"
      - "LLM08: Excessive Agency"
      - "LLM03:2025 Supply Chain"
      - "LLM06:2025 Excessive Agency"
    nist-ai-rmf:
      - "Govern"
      - "Map"
    nist-ssdf:
      - "Review build and release instructions before distribution"
  # The `cdx:file:kind` list is an explicit or-chain: a new kind value
  # introduced elsewhere is silently ignored here until it is appended. The
  # lifecycle test reads the BOM root (`$$.metadata.lifecycles`), so the rule is
  # silent for BOMs with no build/post-build phase.
  condition: |
    components[
      (
        $prop($, 'cdx:agent:inventorySource') = 'agent-file'
        or $prop($, 'cdx:agent:inventorySource') = 'community-config'
      )
      and (
        $prop($, 'cdx:file:kind') = 'skill-file'
        or $prop($, 'cdx:file:kind') = 'agent-instructions'
        or $prop($, 'cdx:file:kind') = 'copilot-instructions'
        or $prop($, 'cdx:file:kind') = 'copilot-setup-workflow'
        or $prop($, 'cdx:file:kind') = 'ai-agent-file'
      )
      and $count($$.metadata.lifecycles[phase = 'build' or phase = 'post-build']) > 0
    ]
  # Where the finding is anchored: the component's bom-ref and its source file.
  location: |
    {
      "bomRef": $."bom-ref",
      "file": $prop($, 'SrcFile')
    }
  message: "AI instruction or skill file '{{ name }}' is included in a build/post-build SBOM"
  # The mitigation quotes CLI options; keep them in sync with the CLI's actual
  # flag names when they change.
  mitigation: "If the file must ship, keep the BOM review-friendly with '--bom-audit --bom-audit-categories ai-agent' and consider '--tlp-classification AMBER'. If you want a package-only BOM, rerun with '--exclude-type ai-skill'."
  # Evidence records which inventory source and file kind matched, plus the
  # providers the file references.
  evidence: |
    {
      "inventorySource": $prop($, 'cdx:agent:inventorySource'),
      "fileKind": $prop($, 'cdx:file:kind'),
      "providerNames": $prop($, 'cdx:agent:providerNames')
    }
