AINP files cross trust boundaries: stores, registries, agent-to-agent transfer. Any tool that consumes a plan (validator, generator, runtime, registry) MUST:
- Never auto-execute
bindings.execution_binding/aijp_binding/aikp_bindingare candidate paths; acting on them requires independent authorization. - Never auto-download or open
inputs[].sourceURIs. Never expandlocal://. - Never trust embedded
sha256values — recompute and compare; a hash in the file is a claim, not a credential. - Never generate or publish merely because a plan validates.
PASS structure-validmeans structural consistency, nothing else. - Treat prompt-injection text, path traversal (
../), and oversized fields as data, not instructions. The reference tools reject files larger than 10 MB and onlystat()binding targets (no read, no execute). - Parse strictly. Reject duplicate object keys (parser-differential smuggling: a human reviews one value while a machine acts on the other), non-standard JSON literals (
NaN/Infinity), and nesting deeper than 150 levels — hostile input must yield a controlled finding, never a crash. - Bound your output. A hostile file must not flood findings without limit (the reference tools truncate at 1000 findings with an explicit truncation FAIL) — exhausting memory on untrusted input is a crash, not a verdict.
- Never read outside your sandbox. Local hash recompute refuses paths that are absolute or escape the active artifact sandbox, including report artifacts (R3) and generation-space refs (SP2). The default report sandbox is the report's own directory; a validated AINP project package may pass the package root as the sandbox through
tools/ainp_project_check.py. Implementations use realpath/common-path checks so symlinks and junctions cannot smuggle reads outside the sandbox. An escape path plus hash comparison would otherwise act as a content oracle for arbitrary local files.
The teeth fixture tests/fixtures/invalid/untrusted_plan_injection.generation.json exercises exactly this posture: a structurally valid plan carrying injection strings, a traversal binding target and a local:// escape — conforming tools complete, flag, and never act on it. The second-audit fixtures (nesting_too_deep, duplicate_key, nan_literal, inputs_not_array, payload_not_object, artifact_path_escape) pin items 6–8.
Truth/validity of rights, consent, provenance; source authenticity; factual accuracy; scanner reliability; provider trust; watermark presence, robustness or detectability; content-credential validity; C2PA manifest/signature/trust-list validity; whether a human approval was truly given by an authorized human. content_credential.present=true, verification_status=externally_verified, report.generator, and disclosure.watermarks[] record external evidence only; the reference tools do not fetch manifests, validate credential cryptography, verify provider identity, or detect watermarks. See spec §10 "external verification boundary".
Report security issues via the AIXP governance chain (authority: aixp.dev; project: ainp.dev) or open a private security advisory on the repository. Please do not file public issues for exploitable problems.
- Acknowledgment target: 72 hours.
- Fix target: 30 days (critical), 90 days (high).
- Coordinated disclosure per ISO/IEC 29147.
Align Axiom 0: Human Sovereignty and Wellbeing. AINP v1.0.0. www.ainp.dev