diff --git a/POLICY_INDEX.md b/POLICY_INDEX.md index 72551da..1ea7828 100644 --- a/POLICY_INDEX.md +++ b/POLICY_INDEX.md @@ -1,9 +1,10 @@ # Policy index -All shipped rules across every SDK. ID prefix denotes SDK: `CSDK-` Claude -Agent SDK, `OAI-` OpenAI Agents SDK, `ADK-` Google ADK. Within an SDK: `NNN` -tool-scope, `1NN` agent / subagent scope, `2NN` repo scope. +All shipped rules across every SDK. ID prefix denotes the rule family: +`CSDK-` Claude Agent SDK, `OAI-` OpenAI Agents SDK, `ADK-` Google ADK, +`MCP-` Model Context Protocol. Within a family: `NNN` tool-scope, `1NN` +agent / subagent scope, `2NN` repo scope. Risk score = `severity_weight × confidence × 100` (engine formula; weights: low=0.15, medium=0.40, high=0.70). Higher = worse. @@ -36,86 +37,117 @@ Users can contribute their own policies by: ## Totals -| SDK | Tool | Agent | Subagent | Repo | Total | Per-SDK index | -| ----------------- | ------ | ------ | -------- | ----- | ------ | -------------------------------------------------------- | -| Claude Agent SDK | 11 | 5 | 2 | 3 | 21 | [claude_sdk/POLICY_INDEX.md](claude_sdk/POLICY_INDEX.md) | -| OpenAI Agents SDK | 19 | 8 | 0 | 2 | 29 | [openai_sdk/POLICY_INDEX.md](openai_sdk/POLICY_INDEX.md) | -| Google ADK | 11 | 10 | 0 | 1 | 22 | [google_adk/POLICY_INDEX.md](google_adk/POLICY_INDEX.md) | -| **All** | **41** | **23** | **2** | **6** | **72** | | +| SDK | Tool | Agent | Subagent | Repo | Total | Per-SDK index | +| ---------------------- | ------ | ------ | -------- | ----- | ------- | -------------------------------------------------------- | +| Claude Agent SDK | 17 | 8 | 2 | 3 | 30 | [claude_sdk/POLICY_INDEX.md](claude_sdk/POLICY_INDEX.md) | +| OpenAI Agents SDK | 21 | 9 | 0 | 2 | 32 | [openai_sdk/POLICY_INDEX.md](openai_sdk/POLICY_INDEX.md) | +| Google ADK | 14 | 11 | 0 | 1 | 26 | [google_adk/POLICY_INDEX.md](google_adk/POLICY_INDEX.md) | +| Model Context Protocol | 14 | 0 | 0 | 0 | 14 | [mcp/POLICY_INDEX.md](mcp/POLICY_INDEX.md) | +| **All** | **66** | **28** | **2** | **6** | **102** | | ## All rules -| | Id | SDK/ADK | Scope | Applies To | Policy | Severity | Confidence | Risk | Source | -| -- | -------- | ---------- | -------- | ---------------------------------- | ------------------------------------------------------------------------------------- | -------- | ---------- | ---- | ------------------------------------------------------------------------------------------------------------------------- | -| 1 | CSDK-001 | Claude SDK | tool | claude_sdk_tool, mcp_tool | Tool has no description | low | 0.95 | 14.3 | [claude_sdk/tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/tool_definition.yaml) | -| 2 | CSDK-002 | Claude SDK | tool | claude_sdk_tool, mcp_tool | Tool parameters are not type-annotated | medium | 0.90 | 36.0 | [claude_sdk/tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/tool_definition.yaml) | -| 3 | CSDK-003 | Claude SDK | tool | claude_sdk_tool, mcp_tool | Network call has no timeout | high | 0.85 | 59.5 | [claude_sdk/network.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/network.yaml) | -| 4 | CSDK-004 | Claude SDK | tool | claude_sdk_tool, mcp_tool | Path parameter used in I/O without validation | high | 0.70 | 49.0 | [claude_sdk/path_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/path_safety.yaml) | -| 5 | CSDK-005 | Claude SDK | tool | claude_sdk_tool, mcp_tool | Tool raises exceptions without a structured error contract | medium | 0.60 | 24.0 | [claude_sdk/error_handling.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/error_handling.yaml) | -| 6 | CSDK-006 | Claude SDK | tool | claude_sdk_tool, mcp_tool | Mutating tool has no idempotency key | medium | 0.55 | 22.0 | [claude_sdk/idempotency.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/idempotency.yaml) | -| 7 | CSDK-007 | Claude SDK | tool | claude_sdk_tool, mcp_tool | Ambiguous tool name | low | 0.90 | 13.5 | [claude_sdk/tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/tool_definition.yaml) | -| 8 | CSDK-008 | Claude SDK | tool | claude_sdk_tool | Tool exposes **kwargs without explicit input_schema | medium | 0.80 | 32.0 | [claude_sdk/tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/tool_definition.yaml) | -| 9 | CSDK-009 | Claude SDK | tool | claude_sdk_tool, mcp_tool | Tool fetches a caller-controlled URL (SSRF) | high | 0.60 | 42.0 | [claude_sdk/ssrf.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/ssrf.yaml) | -| 10 | CSDK-101 | Claude SDK | agent | claude_agent_definition | Claude subagent is granted the Bash tool | high | 0.80 | 56.0 | [claude_sdk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) | -| 11 | CSDK-102 | Claude SDK | agent | claude_agent_definition | Claude subagent is granted the WebSearch tool | high | 0.80 | 56.0 | [claude_sdk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) | -| 12 | CSDK-103 | Claude SDK | agent | claude_agent_definition | AgentDefinition sets permissionMode to bypassPermissions | high | 0.90 | 63.0 | [claude_sdk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) | -| 13 | CSDK-104 | Claude SDK | agent | claude_agent_definition | Claude subagent is granted filesystem-write built-ins | high | 0.80 | 56.0 | [claude_sdk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) | -| 14 | CSDK-105 | Claude SDK | agent | claude_agent_definition | Claude subagent is granted the WebFetch tool | high | 0.75 | 52.5 | [claude_sdk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) | -| 15 | CSDK-107 | Claude SDK | tool | claude_sdk_tool, mcp_tool | Tool body calls eval/exec/compile on dynamic input | high | 0.85 | 59.5 | [claude_sdk/code_execution.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/code_execution.yaml) | -| 16 | CSDK-108 | Claude SDK | tool | claude_sdk_tool, mcp_tool | Tool body spawns a subprocess | high | 0.70 | 49.0 | [claude_sdk/shell_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/shell_safety.yaml) | -| 17 | CSDK-110 | Claude SDK | subagent | claude_subagent | Subagent granted the built-in Bash tool | high | 0.90 | 63.0 | [claude_sdk/subagent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/subagent_safety.yaml) | -| 18 | CSDK-111 | Claude SDK | subagent | claude_subagent | Subagent granted filesystem-write or web-fetch built-ins | high | 0.85 | 59.5 | [claude_sdk/subagent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/subagent_safety.yaml) | -| 19 | CSDK-201 | Claude SDK | repo | claude_sdk | Project default permission mode bypasses approvals | high | 0.90 | 63.0 | [claude_sdk/repo.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/repo.yaml) | -| 20 | CSDK-202 | Claude SDK | repo | claude_sdk | Session permission mode bypasses approvals | high | 0.90 | 63.0 | [claude_sdk/repo.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/repo.yaml) | -| 21 | CSDK-203 | Claude SDK | repo | claude_sdk | Repo ships Claude Agent SDK code without a CLAUDE.md | low | 0.90 | 13.5 | [claude_sdk/repo_hygiene.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/repo_hygiene.yaml) | -| 22 | OAI-001 | OpenAI SDK | tool | openai_tool | Tool function has no docstring | low | 0.90 | 13.5 | [openai_sdk/tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/tool_definition.yaml) | -| 23 | OAI-002 | OpenAI SDK | tool | openai_tool | Tool function has no type-annotated parameters | medium | 0.85 | 34.0 | [openai_sdk/tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/tool_definition.yaml) | -| 24 | OAI-003 | OpenAI SDK | tool | openai_tool | Tool sets strict_mode=False | medium | 0.95 | 38.0 | [openai_sdk/decorator_config.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/decorator_config.yaml) | -| 25 | OAI-004 | OpenAI SDK | tool | openai_tool | Tool has no failure_error_function | medium | 0.70 | 28.0 | [openai_sdk/decorator_config.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/decorator_config.yaml) | -| 26 | OAI-005 | OpenAI SDK | tool | openai_tool | Network call has no timeout | high | 0.85 | 59.5 | [openai_sdk/network.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/network.yaml) | -| 27 | OAI-006 | OpenAI SDK | tool | openai_tool | Tool accepts path without normalization | high | 0.70 | 49.0 | [openai_sdk/path_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/path_safety.yaml) | -| 28 | OAI-007 | OpenAI SDK | tool | openai_tool | Ambiguous tool name | low | 0.90 | 13.5 | [openai_sdk/tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/tool_definition.yaml) | -| 29 | OAI-008 | OpenAI SDK | tool | openai_tool | Tool raises exceptions without a structured error contract | medium | 0.60 | 24.0 | [openai_sdk/error_handling.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/error_handling.yaml) | -| 30 | OAI-009 | OpenAI SDK | tool | openai_tool | Mutating tool has no idempotency key | medium | 0.55 | 22.0 | [openai_sdk/idempotency.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/idempotency.yaml) | -| 31 | OAI-010 | OpenAI SDK | tool | openai_tool | Tool function prints to stdout for diagnostics | low | 0.65 | 9.8 | [openai_sdk/observability.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/observability.yaml) | -| 32 | OAI-011 | OpenAI SDK | tool | openai_tool | urllib network call has no timeout | high | 0.85 | 59.5 | [openai_sdk/network.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/network.yaml) | -| 33 | OAI-012 | OpenAI SDK | tool | openai_tool | Tool body spawns a subprocess | high | 0.90 | 63.0 | [openai_sdk/shell_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/shell_safety.yaml) | -| 34 | OAI-013 | OpenAI SDK | tool | openai_tool | Tool body calls eval/exec/compile on dynamic input | high | 0.90 | 63.0 | [openai_sdk/code_execution.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/code_execution.yaml) | -| 35 | OAI-014 | OpenAI SDK | tool | openai_tool | Privileged tool has no needs_approval gate | high | 0.70 | 49.0 | [openai_sdk/approvals.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/approvals.yaml) | -| 36 | OAI-015 | OpenAI SDK | tool | openai_tool | Tool sets failure_error_function=None | high | 0.85 | 59.5 | [openai_sdk/decorator_config.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/decorator_config.yaml) | -| 37 | OAI-016 | OpenAI SDK | tool | openai_tool | TypeScript tool fetch call has no AbortSignal timeout | high | 0.60 | 42.0 | [openai_sdk/network.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/network.yaml) | -| 38 | OAI-017 | OpenAI SDK | tool | openai_tool | TypeScript tool body calls eval / new Function on dynamic input | high | 0.90 | 63.0 | [openai_sdk/code_execution.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/code_execution.yaml) | -| 39 | OAI-018 | OpenAI SDK | tool | openai_tool | Tool builds outbound URL from non-literal value | medium | 0.55 | 22.0 | [openai_sdk/network.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/network.yaml) | -| 40 | OAI-019 | OpenAI SDK | tool | openai_tool | TypeScript mutating tool has no idempotency key | medium | 0.50 | 20.0 | [openai_sdk/idempotency.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/idempotency.yaml) | -| 41 | OAI-101 | OpenAI SDK | agent | openai_agent, openai_sandbox_agent | Agent has no input_guardrails AND wires shell or filesystem-touching tools | high | 0.85 | 59.5 | [openai_sdk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/agent_safety.yaml) | -| 42 | OAI-102 | OpenAI SDK | agent | openai_agent, openai_sandbox_agent | Agent uses tool_use_behavior="stop_on_first_tool" | high | 0.95 | 66.5 | [openai_sdk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/agent_safety.yaml) | -| 43 | OAI-103 | OpenAI SDK | agent | openai_agent, openai_sandbox_agent | tool_choice="required" combined with reset_tool_choice=False | high | 0.95 | 66.5 | [openai_sdk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/agent_safety.yaml) | -| 44 | OAI-104 | OpenAI SDK | agent | openai_agent | Raw Agent (not SandboxAgent) wires shell or filesystem-touching tools | medium | 0.75 | 30.0 | [openai_sdk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/agent_safety.yaml) | -| 45 | OAI-106 | OpenAI SDK | agent | openai_agent, openai_sandbox_agent | Agent wires MCP servers without input_guardrails | high | 0.90 | 63.0 | [openai_sdk/mcp_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/mcp_safety.yaml) | -| 46 | OAI-109 | OpenAI SDK | agent | openai_agent, openai_sandbox_agent | Agent uses WebSearchTool without input_guardrails | high | 0.85 | 59.5 | [openai_sdk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/agent_safety.yaml) | -| 47 | OAI-110 | OpenAI SDK | agent | openai_agent, openai_sandbox_agent | Agent wires a content-fetching tool without output_guardrails | high | 0.60 | 42.0 | [openai_sdk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/agent_safety.yaml) | -| 48 | OAI-111 | OpenAI SDK | agent | openai_agent, openai_sandbox_agent | Agent wires a privileged hosted tool without needs_approval | high | 0.75 | 52.5 | [openai_sdk/approvals.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/approvals.yaml) | -| 49 | OAI-201 | OpenAI SDK | repo | openai_agents | Project uses default OpenAI tracing | medium | 0.80 | 32.0 | [openai_sdk/tracing.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/tracing.yaml) | -| 50 | OAI-202 | OpenAI SDK | repo | openai_agents | OpenAI Agents project missing CLAUDE.md | low | 0.90 | 13.5 | [openai_sdk/repo_hygiene.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/repo_hygiene.yaml) | -| 51 | ADK-001 | Google ADK | tool | adk_function_tool | FunctionTool-wrapped function has no docstring | low | 0.80 | 12.0 | [google_adk/tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/tool_definition.yaml) | -| 52 | ADK-002 | Google ADK | tool | adk_function_tool | FunctionTool-wrapped function has no type-annotated parameters | medium | 0.85 | 34.0 | [google_adk/tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/tool_definition.yaml) | -| 53 | ADK-003 | Google ADK | tool | adk_function_tool | Network call has no timeout | high | 0.85 | 59.5 | [google_adk/network.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/network.yaml) | -| 54 | ADK-004 | Google ADK | tool | adk_function_tool | Path parameter used in I/O without normalization | high | 0.70 | 49.0 | [google_adk/path_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/path_safety.yaml) | -| 55 | ADK-005 | Google ADK | tool | adk_function_tool | Tool raises exceptions without a structured error contract | medium | 0.60 | 24.0 | [google_adk/error_handling.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/error_handling.yaml) | -| 56 | ADK-006 | Google ADK | tool | adk_function_tool | Mutating tool has no idempotency key | medium | 0.55 | 22.0 | [google_adk/idempotency.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/idempotency.yaml) | -| 57 | ADK-007 | Google ADK | tool | adk_function_tool | Ambiguous tool name | low | 0.90 | 13.5 | [google_adk/tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/tool_definition.yaml) | -| 58 | ADK-008 | Google ADK | agent | adk_llm_agent | Agent grants BashTool with no restrictive command policy | high | 0.75 | 52.5 | [google_adk/builtin_tools.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/builtin_tools.yaml) | -| 59 | ADK-009 | Google ADK | tool | adk_function_tool | FunctionTool body prints to stdout | low | 0.70 | 10.5 | [google_adk/tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/tool_definition.yaml) | -| 60 | ADK-010 | Google ADK | tool | adk_function_tool | Tool body spawns a subprocess | high | 0.90 | 63.0 | [google_adk/shell_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/shell_safety.yaml) | -| 61 | ADK-011 | Google ADK | tool | adk_function_tool | Tool body calls eval/exec/compile on dynamic input | high | 0.90 | 63.0 | [google_adk/code_execution.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/code_execution.yaml) | -| 62 | ADK-012 | Google ADK | tool | adk_function_tool | Tool fetches a caller-controlled URL (SSRF) | high | 0.60 | 42.0 | [google_adk/ssrf.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/ssrf.yaml) | -| 63 | ADK-101 | Google ADK | agent | adk_llm_agent | LlmAgent has no description | medium | 0.85 | 34.0 | [google_adk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | -| 64 | ADK-102 | Google ADK | agent | adk_llm_agent | Agent with BashTool has no before_tool_callback | high | 0.85 | 59.5 | [google_adk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | -| 65 | ADK-103 | Google ADK | agent | adk_llm_agent | Sub-agent is granted BashTool | high | 0.90 | 63.0 | [google_adk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | -| 66 | ADK-104 | Google ADK | agent | adk_llm_agent | Agent has no safety_settings | medium | 0.75 | 30.0 | [google_adk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | -| 67 | ADK-105 | Google ADK | agent | adk_llm_agent | Agent uses web search built-in without before_tool_callback | high | 0.85 | 59.5 | [google_adk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | -| 68 | ADK-106 | Google ADK | agent | adk_llm_agent | Agent has a code_executor but no before_model_callback | high | 0.80 | 56.0 | [google_adk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | -| 69 | ADK-107 | Google ADK | agent | adk_llm_agent | Agent grants AgentTool but has no before_tool_callback | high | 0.70 | 49.0 | [google_adk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | -| 70 | ADK-108 | Google ADK | agent | adk_loop_agent | LoopAgent has no max_iterations | medium | 0.70 | 28.0 | [google_adk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | -| 71 | ADK-110 | Google ADK | agent | adk_llm_agent | Agent fetches web content via UrlContextTool/LoadWebPage without before_tool_callback | medium | 0.70 | 28.0 | [google_adk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | -| 72 | ADK-201 | Google ADK | repo | google_adk | Google ADK project missing CLAUDE.md | low | 0.90 | 13.5 | [google_adk/repo_hygiene.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/repo_hygiene.yaml) | +| | Id | SDK/ADK | Scope | Applies To | Policy | Severity | Confidence | Risk | Source | +| --- | -------- | ---------- | -------- | ---------------------------------- | ------------------------------------------------------------------------------------- | -------- | ---------- | ---- | ------------------------------------------------------------------------------------------------------------------------- | +| 1 | CSDK-001 | Claude SDK | tool | claude_sdk_tool | Tool has no description | low | 0.95 | 14.3 | [claude_sdk/tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/tool_definition.yaml) | +| 2 | CSDK-002 | Claude SDK | tool | claude_sdk_tool | Tool parameters are not type-annotated | medium | 0.90 | 36.0 | [claude_sdk/tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/tool_definition.yaml) | +| 3 | CSDK-003 | Claude SDK | tool | claude_sdk_tool | Network call has no timeout | high | 0.85 | 59.5 | [claude_sdk/network.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/network.yaml) | +| 4 | CSDK-004 | Claude SDK | tool | claude_sdk_tool | Path parameter used in I/O without validation | high | 0.70 | 49.0 | [claude_sdk/path_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/path_safety.yaml) | +| 5 | CSDK-005 | Claude SDK | tool | claude_sdk_tool | Tool raises exceptions without a structured error contract | medium | 0.60 | 24.0 | [claude_sdk/error_handling.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/error_handling.yaml) | +| 6 | CSDK-006 | Claude SDK | tool | claude_sdk_tool | Mutating tool has no idempotency key | medium | 0.55 | 22.0 | [claude_sdk/idempotency.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/idempotency.yaml) | +| 7 | CSDK-007 | Claude SDK | tool | claude_sdk_tool | Ambiguous tool name | low | 0.90 | 13.5 | [claude_sdk/tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/tool_definition.yaml) | +| 8 | CSDK-008 | Claude SDK | tool | claude_sdk_tool | Tool exposes **kwargs without explicit input_schema | medium | 0.80 | 32.0 | [claude_sdk/tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/tool_definition.yaml) | +| 9 | CSDK-009 | Claude SDK | tool | claude_sdk_tool | Tool fetches a caller-controlled URL (SSRF) | high | 0.60 | 42.0 | [claude_sdk/ssrf.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/ssrf.yaml) | +| 10 | CSDK-010 | Claude SDK | tool | claude_sdk_tool | TypeScript Claude SDK tool shells out to the OS | high | 0.70 | 49.0 | [claude_sdk/shell_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/shell_safety.yaml) | +| 11 | CSDK-011 | Claude SDK | tool | claude_sdk_tool | TypeScript Claude SDK tool evaluates dynamic code | high | 0.90 | 63.0 | [claude_sdk/code_execution.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/code_execution.yaml) | +| 12 | CSDK-012 | Claude SDK | tool | claude_sdk_tool | TypeScript Claude SDK tool writes to the filesystem | medium | 0.50 | 20.0 | [claude_sdk/path_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/path_safety.yaml) | +| 13 | CSDK-013 | Claude SDK | tool | claude_sdk_tool | TypeScript Claude SDK tool fetches a caller-controlled URL (SSRF) | high | 0.60 | 42.0 | [claude_sdk/ssrf.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/ssrf.yaml) | +| 14 | CSDK-014 | Claude SDK | tool | claude_sdk_tool | TypeScript Claude SDK tool has no description | low | 0.90 | 13.5 | [claude_sdk/tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/tool_definition.yaml) | +| 15 | CSDK-016 | Claude SDK | tool | claude_sdk_tool | TypeScript Claude SDK mutating tool has no idempotency key | medium | 0.50 | 20.0 | [claude_sdk/idempotency.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/idempotency.yaml) | +| 16 | CSDK-101 | Claude SDK | agent | claude_agent_definition | Claude subagent is granted the Bash tool | high | 0.80 | 56.0 | [claude_sdk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) | +| 17 | CSDK-102 | Claude SDK | agent | claude_agent_definition | Claude subagent is granted the WebSearch tool | high | 0.80 | 56.0 | [claude_sdk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) | +| 18 | CSDK-103 | Claude SDK | agent | claude_agent_definition | AgentDefinition sets permissionMode to bypassPermissions | high | 0.90 | 63.0 | [claude_sdk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) | +| 19 | CSDK-104 | Claude SDK | agent | claude_agent_definition | Claude subagent is granted filesystem-write built-ins | high | 0.80 | 56.0 | [claude_sdk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) | +| 20 | CSDK-105 | Claude SDK | agent | claude_agent_definition | Claude subagent is granted the WebFetch tool | high | 0.75 | 52.5 | [claude_sdk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) | +| 21 | CSDK-107 | Claude SDK | tool | claude_sdk_tool | Tool body calls eval/exec/compile on dynamic input | high | 0.85 | 59.5 | [claude_sdk/code_execution.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/code_execution.yaml) | +| 22 | CSDK-108 | Claude SDK | tool | claude_sdk_tool | Tool body spawns a subprocess | high | 0.70 | 49.0 | [claude_sdk/shell_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/shell_safety.yaml) | +| 23 | CSDK-110 | Claude SDK | subagent | claude_subagent | Subagent granted the built-in Bash tool | high | 0.90 | 63.0 | [claude_sdk/subagent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/subagent_safety.yaml) | +| 24 | CSDK-111 | Claude SDK | subagent | claude_subagent | Subagent granted filesystem-write or web-fetch built-ins | high | 0.85 | 59.5 | [claude_sdk/subagent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/subagent_safety.yaml) | +| 25 | CSDK-120 | Claude SDK | agent | claude_agent_definition | TypeScript AgentDefinition sets permissionMode to bypassPermissions | high | 0.90 | 63.0 | [claude_sdk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) | +| 26 | CSDK-130 | Claude SDK | agent | claude_query_main | TypeScript query() main agent is granted the Bash tool | high | 0.80 | 56.0 | [claude_sdk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) | +| 27 | CSDK-131 | Claude SDK | agent | claude_query_main | TypeScript query() main agent is granted filesystem-write or web-fetch built-ins | high | 0.75 | 52.5 | [claude_sdk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) | +| 28 | CSDK-201 | Claude SDK | repo | claude_sdk | Project default permission mode bypasses approvals | high | 0.90 | 63.0 | [claude_sdk/repo.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/repo.yaml) | +| 29 | CSDK-202 | Claude SDK | repo | claude_sdk | Session permission mode bypasses approvals | high | 0.90 | 63.0 | [claude_sdk/repo.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/repo.yaml) | +| 30 | CSDK-203 | Claude SDK | repo | claude_sdk | Repo ships Claude Agent SDK code without an agent-guidance doc (AGENTS.md/CLAUDE.md) | low | 0.90 | 13.5 | [claude_sdk/repo_hygiene.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/repo_hygiene.yaml) | +| 31 | OAI-001 | OpenAI SDK | tool | openai_tool | Tool function has no docstring | low | 0.90 | 13.5 | [openai_sdk/tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/tool_definition.yaml) | +| 32 | OAI-002 | OpenAI SDK | tool | openai_tool | Tool function has no type-annotated parameters | medium | 0.85 | 34.0 | [openai_sdk/tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/tool_definition.yaml) | +| 33 | OAI-003 | OpenAI SDK | tool | openai_tool | Tool sets strict_mode=False | medium | 0.95 | 38.0 | [openai_sdk/decorator_config.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/decorator_config.yaml) | +| 34 | OAI-004 | OpenAI SDK | tool | openai_tool | Tool has no failure_error_function | medium | 0.70 | 28.0 | [openai_sdk/decorator_config.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/decorator_config.yaml) | +| 35 | OAI-005 | OpenAI SDK | tool | openai_tool | Network call has no timeout | high | 0.85 | 59.5 | [openai_sdk/network.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/network.yaml) | +| 36 | OAI-006 | OpenAI SDK | tool | openai_tool | Tool accepts path without normalization | high | 0.70 | 49.0 | [openai_sdk/path_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/path_safety.yaml) | +| 37 | OAI-007 | OpenAI SDK | tool | openai_tool | Ambiguous tool name | low | 0.90 | 13.5 | [openai_sdk/tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/tool_definition.yaml) | +| 38 | OAI-008 | OpenAI SDK | tool | openai_tool | Tool raises exceptions without a structured error contract | medium | 0.60 | 24.0 | [openai_sdk/error_handling.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/error_handling.yaml) | +| 39 | OAI-009 | OpenAI SDK | tool | openai_tool | Mutating tool has no idempotency key | medium | 0.55 | 22.0 | [openai_sdk/idempotency.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/idempotency.yaml) | +| 40 | OAI-010 | OpenAI SDK | tool | openai_tool | Tool function prints to stdout for diagnostics | low | 0.65 | 9.8 | [openai_sdk/observability.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/observability.yaml) | +| 41 | OAI-011 | OpenAI SDK | tool | openai_tool | urllib network call has no timeout | high | 0.85 | 59.5 | [openai_sdk/network.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/network.yaml) | +| 42 | OAI-012 | OpenAI SDK | tool | openai_tool | Tool body spawns a subprocess | high | 0.90 | 63.0 | [openai_sdk/shell_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/shell_safety.yaml) | +| 43 | OAI-013 | OpenAI SDK | tool | openai_tool | Tool body calls eval/exec/compile on dynamic input | high | 0.90 | 63.0 | [openai_sdk/code_execution.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/code_execution.yaml) | +| 44 | OAI-014 | OpenAI SDK | tool | openai_tool | Privileged tool has no needs_approval gate | high | 0.70 | 49.0 | [openai_sdk/approvals.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/approvals.yaml) | +| 45 | OAI-015 | OpenAI SDK | tool | openai_tool | Tool sets failure_error_function=None | high | 0.85 | 59.5 | [openai_sdk/decorator_config.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/decorator_config.yaml) | +| 46 | OAI-016 | OpenAI SDK | tool | openai_tool | TypeScript tool fetch call has no AbortSignal timeout | high | 0.60 | 42.0 | [openai_sdk/network.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/network.yaml) | +| 47 | OAI-017 | OpenAI SDK | tool | openai_tool | TypeScript tool body calls eval / new Function on dynamic input | high | 0.90 | 63.0 | [openai_sdk/code_execution.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/code_execution.yaml) | +| 48 | OAI-018 | OpenAI SDK | tool | openai_tool | Tool builds outbound URL from non-literal value | medium | 0.55 | 22.0 | [openai_sdk/network.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/network.yaml) | +| 49 | OAI-019 | OpenAI SDK | tool | openai_tool | TypeScript mutating tool has no idempotency key | medium | 0.50 | 20.0 | [openai_sdk/idempotency.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/idempotency.yaml) | +| 50 | OAI-022 | OpenAI SDK | tool | openai_tool | TypeScript tool has no description | low | 0.85 | 12.8 | [openai_sdk/tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/tool_definition.yaml) | +| 51 | OAI-024 | OpenAI SDK | tool | openai_tool | TypeScript tool builds outbound URL from a non-literal value | medium | 0.60 | 24.0 | [openai_sdk/network.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/network.yaml) | +| 52 | OAI-101 | OpenAI SDK | agent | openai_agent, openai_sandbox_agent | Agent has no input_guardrails AND wires shell or filesystem-touching tools | high | 0.85 | 59.5 | [openai_sdk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/agent_safety.yaml) | +| 53 | OAI-102 | OpenAI SDK | agent | openai_agent, openai_sandbox_agent | Agent uses tool_use_behavior="stop_on_first_tool" | high | 0.95 | 66.5 | [openai_sdk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/agent_safety.yaml) | +| 54 | OAI-103 | OpenAI SDK | agent | openai_agent, openai_sandbox_agent | tool_choice="required" combined with reset_tool_choice=False | high | 0.95 | 66.5 | [openai_sdk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/agent_safety.yaml) | +| 55 | OAI-104 | OpenAI SDK | agent | openai_agent | Raw Agent (not SandboxAgent) wires shell or filesystem-touching tools | medium | 0.75 | 30.0 | [openai_sdk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/agent_safety.yaml) | +| 56 | OAI-105 | OpenAI SDK | agent | openai_agent | TypeScript agent wires a content-fetching hosted tool without inputGuardrails | high | 0.80 | 56.0 | [openai_sdk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/agent_safety.yaml) | +| 57 | OAI-106 | OpenAI SDK | agent | openai_agent, openai_sandbox_agent | Agent wires MCP servers without input_guardrails | high | 0.90 | 63.0 | [openai_sdk/mcp_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/mcp_safety.yaml) | +| 58 | OAI-109 | OpenAI SDK | agent | openai_agent, openai_sandbox_agent | Agent uses WebSearchTool without input_guardrails | high | 0.85 | 59.5 | [openai_sdk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/agent_safety.yaml) | +| 59 | OAI-110 | OpenAI SDK | agent | openai_agent, openai_sandbox_agent | Agent wires a content-fetching tool without output_guardrails | high | 0.60 | 42.0 | [openai_sdk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/agent_safety.yaml) | +| 60 | OAI-111 | OpenAI SDK | agent | openai_agent, openai_sandbox_agent | Agent wires a privileged hosted tool without needs_approval | high | 0.75 | 52.5 | [openai_sdk/approvals.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/approvals.yaml) | +| 61 | OAI-201 | OpenAI SDK | repo | openai_agents | Project uses default OpenAI tracing | medium | 0.80 | 32.0 | [openai_sdk/tracing.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/tracing.yaml) | +| 62 | OAI-202 | OpenAI SDK | repo | openai_agents | OpenAI Agents project ships no agent-guidance doc (AGENTS.md/CLAUDE.md) | low | 0.90 | 13.5 | [openai_sdk/repo_hygiene.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/repo_hygiene.yaml) | +| 63 | ADK-001 | Google ADK | tool | adk_function_tool | FunctionTool-wrapped function has no docstring | low | 0.80 | 12.0 | [google_adk/tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/tool_definition.yaml) | +| 64 | ADK-002 | Google ADK | tool | adk_function_tool | FunctionTool-wrapped function has no type-annotated parameters | medium | 0.85 | 34.0 | [google_adk/tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/tool_definition.yaml) | +| 65 | ADK-003 | Google ADK | tool | adk_function_tool | Network call has no timeout | high | 0.85 | 59.5 | [google_adk/network.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/network.yaml) | +| 66 | ADK-004 | Google ADK | tool | adk_function_tool | Path parameter used in I/O without normalization | high | 0.70 | 49.0 | [google_adk/path_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/path_safety.yaml) | +| 67 | ADK-005 | Google ADK | tool | adk_function_tool | Tool raises exceptions without a structured error contract | medium | 0.60 | 24.0 | [google_adk/error_handling.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/error_handling.yaml) | +| 68 | ADK-006 | Google ADK | tool | adk_function_tool | Mutating tool has no idempotency key | medium | 0.55 | 22.0 | [google_adk/idempotency.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/idempotency.yaml) | +| 69 | ADK-007 | Google ADK | tool | adk_function_tool | Ambiguous tool name | low | 0.90 | 13.5 | [google_adk/tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/tool_definition.yaml) | +| 70 | ADK-008 | Google ADK | agent | adk_llm_agent | Agent grants BashTool with no restrictive command policy | high | 0.75 | 52.5 | [google_adk/builtin_tools.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/builtin_tools.yaml) | +| 71 | ADK-009 | Google ADK | tool | adk_function_tool | FunctionTool body prints to stdout | low | 0.70 | 10.5 | [google_adk/tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/tool_definition.yaml) | +| 72 | ADK-010 | Google ADK | tool | adk_function_tool | Tool body spawns a subprocess | high | 0.90 | 63.0 | [google_adk/shell_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/shell_safety.yaml) | +| 73 | ADK-011 | Google ADK | tool | adk_function_tool | Tool body calls eval/exec/compile on dynamic input | high | 0.90 | 63.0 | [google_adk/code_execution.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/code_execution.yaml) | +| 74 | ADK-012 | Google ADK | tool | adk_function_tool | Tool fetches a caller-controlled URL (SSRF) | high | 0.60 | 42.0 | [google_adk/ssrf.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/ssrf.yaml) | +| 75 | ADK-013 | Google ADK | tool | adk_function_tool | TypeScript FunctionTool has no description | low | 0.80 | 12.0 | [google_adk/tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/tool_definition.yaml) | +| 76 | ADK-015 | Google ADK | tool | adk_function_tool | TypeScript FunctionTool body evaluates dynamic code | high | 0.90 | 63.0 | [google_adk/code_execution.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/code_execution.yaml) | +| 77 | ADK-016 | Google ADK | tool | adk_function_tool | TypeScript FunctionTool fetches a caller-controlled URL (SSRF) | high | 0.60 | 42.0 | [google_adk/ssrf.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/ssrf.yaml) | +| 78 | ADK-101 | Google ADK | agent | adk_llm_agent | LlmAgent has no description | medium | 0.85 | 34.0 | [google_adk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | +| 79 | ADK-102 | Google ADK | agent | adk_llm_agent | Agent with BashTool has no before_tool_callback | high | 0.85 | 59.5 | [google_adk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | +| 80 | ADK-103 | Google ADK | agent | adk_llm_agent | Sub-agent is granted BashTool | high | 0.90 | 63.0 | [google_adk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | +| 81 | ADK-104 | Google ADK | agent | adk_llm_agent | Agent has no safety_settings | medium | 0.75 | 30.0 | [google_adk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | +| 82 | ADK-105 | Google ADK | agent | adk_llm_agent | Agent uses web search built-in without before_tool_callback | high | 0.85 | 59.5 | [google_adk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | +| 83 | ADK-106 | Google ADK | agent | adk_llm_agent | Agent has a code_executor but no before_model_callback | high | 0.80 | 56.0 | [google_adk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | +| 84 | ADK-107 | Google ADK | agent | adk_llm_agent | Agent grants AgentTool but has no before_tool_callback | high | 0.70 | 49.0 | [google_adk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | +| 85 | ADK-108 | Google ADK | agent | adk_loop_agent | LoopAgent has no max_iterations | medium | 0.70 | 28.0 | [google_adk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | +| 86 | ADK-109 | Google ADK | agent | adk_llm_agent | TypeScript LlmAgent has no description | medium | 0.85 | 34.0 | [google_adk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | +| 87 | ADK-110 | Google ADK | agent | adk_llm_agent | Agent fetches web content via UrlContextTool/LoadWebPage without before_tool_callback | medium | 0.70 | 28.0 | [google_adk/agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | +| 88 | ADK-201 | Google ADK | repo | google_adk | Google ADK project ships no agent-guidance doc (AGENTS.md/CLAUDE.md) | low | 0.90 | 13.5 | [google_adk/repo_hygiene.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/repo_hygiene.yaml) | +| 89 | MCP-001 | MCP | tool | mcp_tool | Tool has no description | low | 0.90 | 13.5 | [mcp/tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/mcp/tool_definition.yaml) | +| 90 | MCP-002 | MCP | tool | mcp_tool | Tool has no type-annotated parameters | medium | 0.85 | 34.0 | [mcp/tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/mcp/tool_definition.yaml) | +| 91 | MCP-003 | MCP | tool | mcp_tool | Ambiguous tool name | low | 0.85 | 12.8 | [mcp/tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/mcp/tool_definition.yaml) | +| 92 | MCP-004 | MCP | tool | mcp_tool | Network call has no timeout | high | 0.85 | 59.5 | [mcp/network.yaml](https://github.com/trustabl/trustabl-rules/blob/main/mcp/network.yaml) | +| 93 | MCP-005 | MCP | tool | mcp_tool | Path parameter used in I/O without validation | high | 0.70 | 49.0 | [mcp/path_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/mcp/path_safety.yaml) | +| 94 | MCP-006 | MCP | tool | mcp_tool | Tool raises exceptions without a structured error contract | medium | 0.60 | 24.0 | [mcp/error_handling.yaml](https://github.com/trustabl/trustabl-rules/blob/main/mcp/error_handling.yaml) | +| 95 | MCP-007 | MCP | tool | mcp_tool | Mutating tool has no idempotency key | medium | 0.55 | 22.0 | [mcp/idempotency.yaml](https://github.com/trustabl/trustabl-rules/blob/main/mcp/idempotency.yaml) | +| 96 | MCP-008 | MCP | tool | mcp_tool | Tool fetches a caller-controlled URL (SSRF) | high | 0.60 | 42.0 | [mcp/ssrf.yaml](https://github.com/trustabl/trustabl-rules/blob/main/mcp/ssrf.yaml) | +| 97 | MCP-009 | MCP | tool | mcp_tool | Tool body calls eval/exec/compile on dynamic input | high | 0.85 | 59.5 | [mcp/code_execution.yaml](https://github.com/trustabl/trustabl-rules/blob/main/mcp/code_execution.yaml) | +| 98 | MCP-010 | MCP | tool | mcp_tool | Tool body spawns a subprocess | high | 0.70 | 49.0 | [mcp/shell_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/mcp/shell_safety.yaml) | +| 99 | MCP-011 | MCP | tool | mcp_tool | TypeScript MCP tool has no description | low | 0.85 | 12.8 | [mcp/tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/mcp/tool_definition.yaml) | +| 100 | MCP-012 | MCP | tool | mcp_tool | TypeScript MCP tool spawns a subprocess | high | 0.70 | 49.0 | [mcp/shell_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/mcp/shell_safety.yaml) | +| 101 | MCP-013 | MCP | tool | mcp_tool | TypeScript MCP tool fetches a caller-controlled URL (SSRF) | high | 0.60 | 42.0 | [mcp/ssrf.yaml](https://github.com/trustabl/trustabl-rules/blob/main/mcp/ssrf.yaml) | +| 102 | MCP-014 | MCP | tool | mcp_tool | TypeScript MCP tool evaluates dynamic code | high | 0.90 | 63.0 | [mcp/code_execution.yaml](https://github.com/trustabl/trustabl-rules/blob/main/mcp/code_execution.yaml) | diff --git a/README.md b/README.md index 08f1d5c..e0c93d2 100644 --- a/README.md +++ b/README.md @@ -5,11 +5,13 @@ static analyzer's policy ruleset. Canonical YAML rules live in [trustabl/trustabl-rules](https://github.com/trustabl/trustabl-rules) — this repo links into them and explains the threat model behind each rule. -Coverage spans three agent SDKs: +Coverage spans three agent SDKs plus a protocol-level rule family for the +Model Context Protocol: - **Claude Agent SDK** (`CSDK-*`) — [claude_sdk/](claude_sdk/) - **OpenAI Agents SDK** (`OAI-*`) — [openai_sdk/](openai_sdk/) - **Google ADK** (`ADK-*`) — [google_adk/](google_adk/) +- **Model Context Protocol** (`MCP-*`) — [mcp/](mcp/) (rules ship; rationale docs not yet authored — see [coverage](#current-totals) below) ## What lives here @@ -35,12 +37,27 @@ Risk score = `severity_weight × confidence × 100`. Weights: `low=0.15`, ## Current totals -| SDK | Tool | Agent | Subagent | Repo | Total | -| ------------------- | ------ | ------ | -------- | ----- | ------ | -| Claude Agent SDK | 7 | 2 | 1 | 0 | 10 | -| OpenAI Agents SDK | 13 | 6 | 0 | 1 | 20 | -| Google ADK | 8 | 5 | 0 | 0 | 13 | -| **All** | **28** | **13** | **1** | **1** | **43** | +The engine ships **102 rules across 45 files** in +[trustabl-rules](https://github.com/trustabl/trustabl-rules). This rulebook +documents **88 of them across 37 rationale docs** — full rationale coverage of +the three agent SDKs (Claude Agent SDK, OpenAI Agents SDK, Google ADK). The +breakdown below counts **shipped rules per family**; the rightmost column flags +where rationale docs are still missing. + +| Family | Tool | Agent | Subagent | Repo | Shipped | Rationale docs | +| ---------------------- | ------ | ------ | -------- | ----- | ------- | -------------- | +| Claude Agent SDK | 17 | 8 | 2 | 3 | 30 | 30 ✓ | +| OpenAI Agents SDK | 21 | 9 | 0 | 2 | 32 | 32 ✓ | +| Google ADK | 14 | 11 | 0 | 1 | 26 | 26 ✓ | +| Model Context Protocol | 14 | 0 | 0 | 0 | 14 | 0 — see gap | +| **All** | **66** | **28** | **2** | **6** | **102** | **88** | + +**Coverage gap (honest):** the `mcp/` pack — 14 rules, `MCP-001`–`MCP-014`, all +tool-scope — ships in `trustabl-rules` and now appears in +[POLICY_INDEX.md](POLICY_INDEX.md), but **has no rationale docs yet** (no +`docs/Policy/mcp/` directory). Until those are authored, `tools/check_rulebook.py` +fails on the 14 missing-doc errors. Authoring them (threat models + OWASP +citations) is tracked separately. Full breakdown: [POLICY_INDEX.md](POLICY_INDEX.md). diff --git a/claude_sdk/POLICY_INDEX.md b/claude_sdk/POLICY_INDEX.md index efc429d..71eb52f 100644 --- a/claude_sdk/POLICY_INDEX.md +++ b/claude_sdk/POLICY_INDEX.md @@ -1,30 +1,39 @@ # Claude Agent SDK policy index -21 rules — 11 tool · 5 agent · 2 subagent · 3 repo +30 rules — 17 tool · 8 agent · 2 subagent · 3 repo Risk score = `severity_weight × confidence × 100` (engine formula; weights: low=0.15, medium=0.40, high=0.70). Higher = worse. -| | Id | SDK/ADK | Scope | Applies To | Policy | Severity | Confidence | Risk | Source | -| -- | -------- | ---------- | -------- | ------------------------- | ---------------------------------------------------------- | -------- | ---------- | ---- | ------------------------------------------------------------------------------------------------------------ | -| 1 | CSDK-001 | Claude SDK | tool | claude_sdk_tool, mcp_tool | Tool has no description | low | 0.95 | 14.3 | [tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/tool_definition.yaml) | -| 2 | CSDK-002 | Claude SDK | tool | claude_sdk_tool, mcp_tool | Tool parameters are not type-annotated | medium | 0.90 | 36.0 | [tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/tool_definition.yaml) | -| 3 | CSDK-003 | Claude SDK | tool | claude_sdk_tool, mcp_tool | Network call has no timeout | high | 0.85 | 59.5 | [network.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/network.yaml) | -| 4 | CSDK-004 | Claude SDK | tool | claude_sdk_tool, mcp_tool | Path parameter used in I/O without validation | high | 0.70 | 49.0 | [path_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/path_safety.yaml) | -| 5 | CSDK-005 | Claude SDK | tool | claude_sdk_tool, mcp_tool | Tool raises exceptions without a structured error contract | medium | 0.60 | 24.0 | [error_handling.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/error_handling.yaml) | -| 6 | CSDK-006 | Claude SDK | tool | claude_sdk_tool, mcp_tool | Mutating tool has no idempotency key | medium | 0.55 | 22.0 | [idempotency.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/idempotency.yaml) | -| 7 | CSDK-007 | Claude SDK | tool | claude_sdk_tool, mcp_tool | Ambiguous tool name | low | 0.90 | 13.5 | [tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/tool_definition.yaml) | -| 8 | CSDK-008 | Claude SDK | tool | claude_sdk_tool | Tool exposes **kwargs without explicit input_schema | medium | 0.80 | 32.0 | [tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/tool_definition.yaml) | -| 9 | CSDK-009 | Claude SDK | tool | claude_sdk_tool, mcp_tool | Tool fetches a caller-controlled URL (SSRF) | high | 0.60 | 42.0 | [ssrf.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/ssrf.yaml) | -| 10 | CSDK-101 | Claude SDK | agent | claude_agent_definition | Claude subagent is granted the Bash tool | high | 0.80 | 56.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) | -| 11 | CSDK-102 | Claude SDK | agent | claude_agent_definition | Claude subagent is granted the WebSearch tool | high | 0.80 | 56.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) | -| 12 | CSDK-103 | Claude SDK | agent | claude_agent_definition | AgentDefinition sets permissionMode to bypassPermissions | high | 0.90 | 63.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) | -| 13 | CSDK-104 | Claude SDK | agent | claude_agent_definition | Claude subagent is granted filesystem-write built-ins | high | 0.80 | 56.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) | -| 14 | CSDK-105 | Claude SDK | agent | claude_agent_definition | Claude subagent is granted the WebFetch tool | high | 0.75 | 52.5 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) | -| 15 | CSDK-107 | Claude SDK | tool | claude_sdk_tool, mcp_tool | Tool body calls eval/exec/compile on dynamic input | high | 0.85 | 59.5 | [code_execution.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/code_execution.yaml) | -| 16 | CSDK-108 | Claude SDK | tool | claude_sdk_tool, mcp_tool | Tool body spawns a subprocess | high | 0.70 | 49.0 | [shell_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/shell_safety.yaml) | -| 17 | CSDK-110 | Claude SDK | subagent | claude_subagent | Subagent granted the built-in Bash tool | high | 0.90 | 63.0 | [subagent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/subagent_safety.yaml) | -| 18 | CSDK-111 | Claude SDK | subagent | claude_subagent | Subagent granted filesystem-write or web-fetch built-ins | high | 0.85 | 59.5 | [subagent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/subagent_safety.yaml) | -| 19 | CSDK-201 | Claude SDK | repo | claude_sdk | Project default permission mode bypasses approvals | high | 0.90 | 63.0 | [repo.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/repo.yaml) | -| 20 | CSDK-202 | Claude SDK | repo | claude_sdk | Session permission mode bypasses approvals | high | 0.90 | 63.0 | [repo.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/repo.yaml) | -| 21 | CSDK-203 | Claude SDK | repo | claude_sdk | Repo ships Claude Agent SDK code without a CLAUDE.md | low | 0.90 | 13.5 | [repo_hygiene.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/repo_hygiene.yaml) | +| | Id | SDK/ADK | Scope | Applies To | Policy | Severity | Confidence | Risk | Source | +| -- | -------- | ---------- | -------- | ----------------------- | ------------------------------------------------------------------------------------ | -------- | ---------- | ---- | ------------------------------------------------------------------------------------------------------------ | +| 1 | CSDK-001 | Claude SDK | tool | claude_sdk_tool | Tool has no description | low | 0.95 | 14.3 | [tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/tool_definition.yaml) | +| 2 | CSDK-002 | Claude SDK | tool | claude_sdk_tool | Tool parameters are not type-annotated | medium | 0.90 | 36.0 | [tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/tool_definition.yaml) | +| 3 | CSDK-003 | Claude SDK | tool | claude_sdk_tool | Network call has no timeout | high | 0.85 | 59.5 | [network.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/network.yaml) | +| 4 | CSDK-004 | Claude SDK | tool | claude_sdk_tool | Path parameter used in I/O without validation | high | 0.70 | 49.0 | [path_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/path_safety.yaml) | +| 5 | CSDK-005 | Claude SDK | tool | claude_sdk_tool | Tool raises exceptions without a structured error contract | medium | 0.60 | 24.0 | [error_handling.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/error_handling.yaml) | +| 6 | CSDK-006 | Claude SDK | tool | claude_sdk_tool | Mutating tool has no idempotency key | medium | 0.55 | 22.0 | [idempotency.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/idempotency.yaml) | +| 7 | CSDK-007 | Claude SDK | tool | claude_sdk_tool | Ambiguous tool name | low | 0.90 | 13.5 | [tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/tool_definition.yaml) | +| 8 | CSDK-008 | Claude SDK | tool | claude_sdk_tool | Tool exposes **kwargs without explicit input_schema | medium | 0.80 | 32.0 | [tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/tool_definition.yaml) | +| 9 | CSDK-009 | Claude SDK | tool | claude_sdk_tool | Tool fetches a caller-controlled URL (SSRF) | high | 0.60 | 42.0 | [ssrf.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/ssrf.yaml) | +| 10 | CSDK-010 | Claude SDK | tool | claude_sdk_tool | TypeScript Claude SDK tool shells out to the OS | high | 0.70 | 49.0 | [shell_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/shell_safety.yaml) | +| 11 | CSDK-011 | Claude SDK | tool | claude_sdk_tool | TypeScript Claude SDK tool evaluates dynamic code | high | 0.90 | 63.0 | [code_execution.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/code_execution.yaml) | +| 12 | CSDK-012 | Claude SDK | tool | claude_sdk_tool | TypeScript Claude SDK tool writes to the filesystem | medium | 0.50 | 20.0 | [path_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/path_safety.yaml) | +| 13 | CSDK-013 | Claude SDK | tool | claude_sdk_tool | TypeScript Claude SDK tool fetches a caller-controlled URL (SSRF) | high | 0.60 | 42.0 | [ssrf.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/ssrf.yaml) | +| 14 | CSDK-014 | Claude SDK | tool | claude_sdk_tool | TypeScript Claude SDK tool has no description | low | 0.90 | 13.5 | [tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/tool_definition.yaml) | +| 15 | CSDK-016 | Claude SDK | tool | claude_sdk_tool | TypeScript Claude SDK mutating tool has no idempotency key | medium | 0.50 | 20.0 | [idempotency.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/idempotency.yaml) | +| 16 | CSDK-101 | Claude SDK | agent | claude_agent_definition | Claude subagent is granted the Bash tool | high | 0.80 | 56.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) | +| 17 | CSDK-102 | Claude SDK | agent | claude_agent_definition | Claude subagent is granted the WebSearch tool | high | 0.80 | 56.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) | +| 18 | CSDK-103 | Claude SDK | agent | claude_agent_definition | AgentDefinition sets permissionMode to bypassPermissions | high | 0.90 | 63.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) | +| 19 | CSDK-104 | Claude SDK | agent | claude_agent_definition | Claude subagent is granted filesystem-write built-ins | high | 0.80 | 56.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) | +| 20 | CSDK-105 | Claude SDK | agent | claude_agent_definition | Claude subagent is granted the WebFetch tool | high | 0.75 | 52.5 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) | +| 21 | CSDK-107 | Claude SDK | tool | claude_sdk_tool | Tool body calls eval/exec/compile on dynamic input | high | 0.85 | 59.5 | [code_execution.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/code_execution.yaml) | +| 22 | CSDK-108 | Claude SDK | tool | claude_sdk_tool | Tool body spawns a subprocess | high | 0.70 | 49.0 | [shell_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/shell_safety.yaml) | +| 23 | CSDK-110 | Claude SDK | subagent | claude_subagent | Subagent granted the built-in Bash tool | high | 0.90 | 63.0 | [subagent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/subagent_safety.yaml) | +| 24 | CSDK-111 | Claude SDK | subagent | claude_subagent | Subagent granted filesystem-write or web-fetch built-ins | high | 0.85 | 59.5 | [subagent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/subagent_safety.yaml) | +| 25 | CSDK-120 | Claude SDK | agent | claude_agent_definition | TypeScript AgentDefinition sets permissionMode to bypassPermissions | high | 0.90 | 63.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) | +| 26 | CSDK-130 | Claude SDK | agent | claude_query_main | TypeScript query() main agent is granted the Bash tool | high | 0.80 | 56.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) | +| 27 | CSDK-131 | Claude SDK | agent | claude_query_main | TypeScript query() main agent is granted filesystem-write or web-fetch built-ins | high | 0.75 | 52.5 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/agent_safety.yaml) | +| 28 | CSDK-201 | Claude SDK | repo | claude_sdk | Project default permission mode bypasses approvals | high | 0.90 | 63.0 | [repo.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/repo.yaml) | +| 29 | CSDK-202 | Claude SDK | repo | claude_sdk | Session permission mode bypasses approvals | high | 0.90 | 63.0 | [repo.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/repo.yaml) | +| 30 | CSDK-203 | Claude SDK | repo | claude_sdk | Repo ships Claude Agent SDK code without an agent-guidance doc (AGENTS.md/CLAUDE.md) | low | 0.90 | 13.5 | [repo_hygiene.yaml](https://github.com/trustabl/trustabl-rules/blob/main/claude_sdk/repo_hygiene.yaml) | diff --git a/docs/policy-rationale-doc-template-guide.md b/docs/policy-rationale-doc-template-guide.md index 7927471..45fc8fd 100644 --- a/docs/policy-rationale-doc-template-guide.md +++ b/docs/policy-rationale-doc-template-guide.md @@ -217,7 +217,7 @@ rule's detection scope. | `claude_sdk/network.yaml` | `docs/Policy/claude_sdk/network.md` | | `openai_sdk/agent_safety.yaml` | `docs/Policy/openai_sdk/agent_safety.md` | | `google_adk/tool_definition.yaml` | `docs/Policy/google_adk/tool_definition.md` | -| `mcp/injection.yaml` | `docs/Policy/mcp/injection.md` | +| `mcp/tool_definition.yaml` | `docs/Policy/mcp/tool_definition.md` | Category subdirectories under `docs/Policy/` mirror the repo root exactly. If a new category directory is created, create the matching directory in `docs/Policy/`. @@ -245,8 +245,8 @@ These docs are the canonical format examples. Read one before writing a new doc. | Best for | Doc | |---|---| -| Security rule (Critical) | [Policy/mcp/injection.md](Policy/mcp/injection.md) | +| Security rule (high severity) | [Policy/claude_sdk/code_execution.md](Policy/claude_sdk/code_execution.md) | | Reliability rule with low confidence | [Policy/claude_sdk/idempotency.md](Policy/claude_sdk/idempotency.md) | -| Cross-framework rule | [Policy/catalog/capability_class.md](Policy/catalog/capability_class.md) | +| Capability-class rule shared across SDKs | [Policy/google_adk/shell_safety.md](Policy/google_adk/shell_safety.md) | | Agent-scope rule | [Policy/openai_sdk/agent_safety.md](Policy/openai_sdk/agent_safety.md) | | Cross-reference pattern | [Policy/openai_sdk/tool_definition.md](Policy/openai_sdk/tool_definition.md) | diff --git a/google_adk/POLICY_INDEX.md b/google_adk/POLICY_INDEX.md index 1284c1f..5567496 100644 --- a/google_adk/POLICY_INDEX.md +++ b/google_adk/POLICY_INDEX.md @@ -1,7 +1,7 @@ # Google ADK policy index -22 rules — 11 tool · 10 agent · 1 repo +26 rules — 14 tool · 11 agent · 1 repo Risk score = `severity_weight × confidence × 100` (engine formula; weights: low=0.15, medium=0.40, high=0.70). Higher = worse. @@ -19,13 +19,17 @@ Risk score = `severity_weight × confidence × 100` (engine formula; weights: lo | 10 | ADK-010 | Google ADK | tool | adk_function_tool | Tool body spawns a subprocess | high | 0.90 | 63.0 | [shell_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/shell_safety.yaml) | | 11 | ADK-011 | Google ADK | tool | adk_function_tool | Tool body calls eval/exec/compile on dynamic input | high | 0.90 | 63.0 | [code_execution.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/code_execution.yaml) | | 12 | ADK-012 | Google ADK | tool | adk_function_tool | Tool fetches a caller-controlled URL (SSRF) | high | 0.60 | 42.0 | [ssrf.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/ssrf.yaml) | -| 13 | ADK-101 | Google ADK | agent | adk_llm_agent | LlmAgent has no description | medium | 0.85 | 34.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | -| 14 | ADK-102 | Google ADK | agent | adk_llm_agent | Agent with BashTool has no before_tool_callback | high | 0.85 | 59.5 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | -| 15 | ADK-103 | Google ADK | agent | adk_llm_agent | Sub-agent is granted BashTool | high | 0.90 | 63.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | -| 16 | ADK-104 | Google ADK | agent | adk_llm_agent | Agent has no safety_settings | medium | 0.75 | 30.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | -| 17 | ADK-105 | Google ADK | agent | adk_llm_agent | Agent uses web search built-in without before_tool_callback | high | 0.85 | 59.5 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | -| 18 | ADK-106 | Google ADK | agent | adk_llm_agent | Agent has a code_executor but no before_model_callback | high | 0.80 | 56.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | -| 19 | ADK-107 | Google ADK | agent | adk_llm_agent | Agent grants AgentTool but has no before_tool_callback | high | 0.70 | 49.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | -| 20 | ADK-108 | Google ADK | agent | adk_loop_agent | LoopAgent has no max_iterations | medium | 0.70 | 28.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | -| 21 | ADK-110 | Google ADK | agent | adk_llm_agent | Agent fetches web content via UrlContextTool/LoadWebPage without before_tool_callback | medium | 0.70 | 28.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | -| 22 | ADK-201 | Google ADK | repo | google_adk | Google ADK project missing CLAUDE.md | low | 0.90 | 13.5 | [repo_hygiene.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/repo_hygiene.yaml) | +| 13 | ADK-013 | Google ADK | tool | adk_function_tool | TypeScript FunctionTool has no description | low | 0.80 | 12.0 | [tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/tool_definition.yaml) | +| 14 | ADK-015 | Google ADK | tool | adk_function_tool | TypeScript FunctionTool body evaluates dynamic code | high | 0.90 | 63.0 | [code_execution.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/code_execution.yaml) | +| 15 | ADK-016 | Google ADK | tool | adk_function_tool | TypeScript FunctionTool fetches a caller-controlled URL (SSRF) | high | 0.60 | 42.0 | [ssrf.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/ssrf.yaml) | +| 16 | ADK-101 | Google ADK | agent | adk_llm_agent | LlmAgent has no description | medium | 0.85 | 34.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | +| 17 | ADK-102 | Google ADK | agent | adk_llm_agent | Agent with BashTool has no before_tool_callback | high | 0.85 | 59.5 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | +| 18 | ADK-103 | Google ADK | agent | adk_llm_agent | Sub-agent is granted BashTool | high | 0.90 | 63.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | +| 19 | ADK-104 | Google ADK | agent | adk_llm_agent | Agent has no safety_settings | medium | 0.75 | 30.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | +| 20 | ADK-105 | Google ADK | agent | adk_llm_agent | Agent uses web search built-in without before_tool_callback | high | 0.85 | 59.5 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | +| 21 | ADK-106 | Google ADK | agent | adk_llm_agent | Agent has a code_executor but no before_model_callback | high | 0.80 | 56.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | +| 22 | ADK-107 | Google ADK | agent | adk_llm_agent | Agent grants AgentTool but has no before_tool_callback | high | 0.70 | 49.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | +| 23 | ADK-108 | Google ADK | agent | adk_loop_agent | LoopAgent has no max_iterations | medium | 0.70 | 28.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | +| 24 | ADK-109 | Google ADK | agent | adk_llm_agent | TypeScript LlmAgent has no description | medium | 0.85 | 34.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | +| 25 | ADK-110 | Google ADK | agent | adk_llm_agent | Agent fetches web content via UrlContextTool/LoadWebPage without before_tool_callback | medium | 0.70 | 28.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/agent_safety.yaml) | +| 26 | ADK-201 | Google ADK | repo | google_adk | Google ADK project ships no agent-guidance doc (AGENTS.md/CLAUDE.md) | low | 0.90 | 13.5 | [repo_hygiene.yaml](https://github.com/trustabl/trustabl-rules/blob/main/google_adk/repo_hygiene.yaml) | diff --git a/mcp/POLICY_INDEX.md b/mcp/POLICY_INDEX.md new file mode 100644 index 0000000..86bec7d --- /dev/null +++ b/mcp/POLICY_INDEX.md @@ -0,0 +1,23 @@ + +# Model Context Protocol policy index + +14 rules — 14 tool + +Risk score = `severity_weight × confidence × 100` (engine formula; weights: low=0.15, medium=0.40, high=0.70). Higher = worse. + +| | Id | SDK/ADK | Scope | Applies To | Policy | Severity | Confidence | Risk | Source | +| -- | ------- | ------- | ----- | ---------- | ---------------------------------------------------------- | -------- | ---------- | ---- | ----------------------------------------------------------------------------------------------------- | +| 1 | MCP-001 | MCP | tool | mcp_tool | Tool has no description | low | 0.90 | 13.5 | [tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/mcp/tool_definition.yaml) | +| 2 | MCP-002 | MCP | tool | mcp_tool | Tool has no type-annotated parameters | medium | 0.85 | 34.0 | [tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/mcp/tool_definition.yaml) | +| 3 | MCP-003 | MCP | tool | mcp_tool | Ambiguous tool name | low | 0.85 | 12.8 | [tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/mcp/tool_definition.yaml) | +| 4 | MCP-004 | MCP | tool | mcp_tool | Network call has no timeout | high | 0.85 | 59.5 | [network.yaml](https://github.com/trustabl/trustabl-rules/blob/main/mcp/network.yaml) | +| 5 | MCP-005 | MCP | tool | mcp_tool | Path parameter used in I/O without validation | high | 0.70 | 49.0 | [path_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/mcp/path_safety.yaml) | +| 6 | MCP-006 | MCP | tool | mcp_tool | Tool raises exceptions without a structured error contract | medium | 0.60 | 24.0 | [error_handling.yaml](https://github.com/trustabl/trustabl-rules/blob/main/mcp/error_handling.yaml) | +| 7 | MCP-007 | MCP | tool | mcp_tool | Mutating tool has no idempotency key | medium | 0.55 | 22.0 | [idempotency.yaml](https://github.com/trustabl/trustabl-rules/blob/main/mcp/idempotency.yaml) | +| 8 | MCP-008 | MCP | tool | mcp_tool | Tool fetches a caller-controlled URL (SSRF) | high | 0.60 | 42.0 | [ssrf.yaml](https://github.com/trustabl/trustabl-rules/blob/main/mcp/ssrf.yaml) | +| 9 | MCP-009 | MCP | tool | mcp_tool | Tool body calls eval/exec/compile on dynamic input | high | 0.85 | 59.5 | [code_execution.yaml](https://github.com/trustabl/trustabl-rules/blob/main/mcp/code_execution.yaml) | +| 10 | MCP-010 | MCP | tool | mcp_tool | Tool body spawns a subprocess | high | 0.70 | 49.0 | [shell_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/mcp/shell_safety.yaml) | +| 11 | MCP-011 | MCP | tool | mcp_tool | TypeScript MCP tool has no description | low | 0.85 | 12.8 | [tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/mcp/tool_definition.yaml) | +| 12 | MCP-012 | MCP | tool | mcp_tool | TypeScript MCP tool spawns a subprocess | high | 0.70 | 49.0 | [shell_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/mcp/shell_safety.yaml) | +| 13 | MCP-013 | MCP | tool | mcp_tool | TypeScript MCP tool fetches a caller-controlled URL (SSRF) | high | 0.60 | 42.0 | [ssrf.yaml](https://github.com/trustabl/trustabl-rules/blob/main/mcp/ssrf.yaml) | +| 14 | MCP-014 | MCP | tool | mcp_tool | TypeScript MCP tool evaluates dynamic code | high | 0.90 | 63.0 | [code_execution.yaml](https://github.com/trustabl/trustabl-rules/blob/main/mcp/code_execution.yaml) | diff --git a/openai_sdk/POLICY_INDEX.md b/openai_sdk/POLICY_INDEX.md index 6896204..3c7b9b5 100644 --- a/openai_sdk/POLICY_INDEX.md +++ b/openai_sdk/POLICY_INDEX.md @@ -1,38 +1,41 @@ # OpenAI Agents SDK policy index -29 rules — 19 tool · 8 agent · 2 repo +32 rules — 21 tool · 9 agent · 2 repo Risk score = `severity_weight × confidence × 100` (engine formula; weights: low=0.15, medium=0.40, high=0.70). Higher = worse. -| | Id | SDK/ADK | Scope | Applies To | Policy | Severity | Confidence | Risk | Source | -| -- | ------- | ---------- | ----- | ---------------------------------- | -------------------------------------------------------------------------- | -------- | ---------- | ---- | -------------------------------------------------------------------------------------------------------------- | -| 1 | OAI-001 | OpenAI SDK | tool | openai_tool | Tool function has no docstring | low | 0.90 | 13.5 | [tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/tool_definition.yaml) | -| 2 | OAI-002 | OpenAI SDK | tool | openai_tool | Tool function has no type-annotated parameters | medium | 0.85 | 34.0 | [tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/tool_definition.yaml) | -| 3 | OAI-003 | OpenAI SDK | tool | openai_tool | Tool sets strict_mode=False | medium | 0.95 | 38.0 | [decorator_config.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/decorator_config.yaml) | -| 4 | OAI-004 | OpenAI SDK | tool | openai_tool | Tool has no failure_error_function | medium | 0.70 | 28.0 | [decorator_config.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/decorator_config.yaml) | -| 5 | OAI-005 | OpenAI SDK | tool | openai_tool | Network call has no timeout | high | 0.85 | 59.5 | [network.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/network.yaml) | -| 6 | OAI-006 | OpenAI SDK | tool | openai_tool | Tool accepts path without normalization | high | 0.70 | 49.0 | [path_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/path_safety.yaml) | -| 7 | OAI-007 | OpenAI SDK | tool | openai_tool | Ambiguous tool name | low | 0.90 | 13.5 | [tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/tool_definition.yaml) | -| 8 | OAI-008 | OpenAI SDK | tool | openai_tool | Tool raises exceptions without a structured error contract | medium | 0.60 | 24.0 | [error_handling.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/error_handling.yaml) | -| 9 | OAI-009 | OpenAI SDK | tool | openai_tool | Mutating tool has no idempotency key | medium | 0.55 | 22.0 | [idempotency.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/idempotency.yaml) | -| 10 | OAI-010 | OpenAI SDK | tool | openai_tool | Tool function prints to stdout for diagnostics | low | 0.65 | 9.8 | [observability.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/observability.yaml) | -| 11 | OAI-011 | OpenAI SDK | tool | openai_tool | urllib network call has no timeout | high | 0.85 | 59.5 | [network.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/network.yaml) | -| 12 | OAI-012 | OpenAI SDK | tool | openai_tool | Tool body spawns a subprocess | high | 0.90 | 63.0 | [shell_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/shell_safety.yaml) | -| 13 | OAI-013 | OpenAI SDK | tool | openai_tool | Tool body calls eval/exec/compile on dynamic input | high | 0.90 | 63.0 | [code_execution.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/code_execution.yaml) | -| 14 | OAI-014 | OpenAI SDK | tool | openai_tool | Privileged tool has no needs_approval gate | high | 0.70 | 49.0 | [approvals.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/approvals.yaml) | -| 15 | OAI-015 | OpenAI SDK | tool | openai_tool | Tool sets failure_error_function=None | high | 0.85 | 59.5 | [decorator_config.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/decorator_config.yaml) | -| 16 | OAI-016 | OpenAI SDK | tool | openai_tool | TypeScript tool fetch call has no AbortSignal timeout | high | 0.60 | 42.0 | [network.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/network.yaml) | -| 17 | OAI-017 | OpenAI SDK | tool | openai_tool | TypeScript tool body calls eval / new Function on dynamic input | high | 0.90 | 63.0 | [code_execution.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/code_execution.yaml) | -| 18 | OAI-018 | OpenAI SDK | tool | openai_tool | Tool builds outbound URL from non-literal value | medium | 0.55 | 22.0 | [network.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/network.yaml) | -| 19 | OAI-019 | OpenAI SDK | tool | openai_tool | TypeScript mutating tool has no idempotency key | medium | 0.50 | 20.0 | [idempotency.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/idempotency.yaml) | -| 20 | OAI-101 | OpenAI SDK | agent | openai_agent, openai_sandbox_agent | Agent has no input_guardrails AND wires shell or filesystem-touching tools | high | 0.85 | 59.5 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/agent_safety.yaml) | -| 21 | OAI-102 | OpenAI SDK | agent | openai_agent, openai_sandbox_agent | Agent uses tool_use_behavior="stop_on_first_tool" | high | 0.95 | 66.5 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/agent_safety.yaml) | -| 22 | OAI-103 | OpenAI SDK | agent | openai_agent, openai_sandbox_agent | tool_choice="required" combined with reset_tool_choice=False | high | 0.95 | 66.5 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/agent_safety.yaml) | -| 23 | OAI-104 | OpenAI SDK | agent | openai_agent | Raw Agent (not SandboxAgent) wires shell or filesystem-touching tools | medium | 0.75 | 30.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/agent_safety.yaml) | -| 24 | OAI-106 | OpenAI SDK | agent | openai_agent, openai_sandbox_agent | Agent wires MCP servers without input_guardrails | high | 0.90 | 63.0 | [mcp_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/mcp_safety.yaml) | -| 25 | OAI-109 | OpenAI SDK | agent | openai_agent, openai_sandbox_agent | Agent uses WebSearchTool without input_guardrails | high | 0.85 | 59.5 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/agent_safety.yaml) | -| 26 | OAI-110 | OpenAI SDK | agent | openai_agent, openai_sandbox_agent | Agent wires a content-fetching tool without output_guardrails | high | 0.60 | 42.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/agent_safety.yaml) | -| 27 | OAI-111 | OpenAI SDK | agent | openai_agent, openai_sandbox_agent | Agent wires a privileged hosted tool without needs_approval | high | 0.75 | 52.5 | [approvals.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/approvals.yaml) | -| 28 | OAI-201 | OpenAI SDK | repo | openai_agents | Project uses default OpenAI tracing | medium | 0.80 | 32.0 | [tracing.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/tracing.yaml) | -| 29 | OAI-202 | OpenAI SDK | repo | openai_agents | OpenAI Agents project missing CLAUDE.md | low | 0.90 | 13.5 | [repo_hygiene.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/repo_hygiene.yaml) | +| | Id | SDK/ADK | Scope | Applies To | Policy | Severity | Confidence | Risk | Source | +| -- | ------- | ---------- | ----- | ---------------------------------- | ----------------------------------------------------------------------------- | -------- | ---------- | ---- | -------------------------------------------------------------------------------------------------------------- | +| 1 | OAI-001 | OpenAI SDK | tool | openai_tool | Tool function has no docstring | low | 0.90 | 13.5 | [tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/tool_definition.yaml) | +| 2 | OAI-002 | OpenAI SDK | tool | openai_tool | Tool function has no type-annotated parameters | medium | 0.85 | 34.0 | [tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/tool_definition.yaml) | +| 3 | OAI-003 | OpenAI SDK | tool | openai_tool | Tool sets strict_mode=False | medium | 0.95 | 38.0 | [decorator_config.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/decorator_config.yaml) | +| 4 | OAI-004 | OpenAI SDK | tool | openai_tool | Tool has no failure_error_function | medium | 0.70 | 28.0 | [decorator_config.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/decorator_config.yaml) | +| 5 | OAI-005 | OpenAI SDK | tool | openai_tool | Network call has no timeout | high | 0.85 | 59.5 | [network.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/network.yaml) | +| 6 | OAI-006 | OpenAI SDK | tool | openai_tool | Tool accepts path without normalization | high | 0.70 | 49.0 | [path_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/path_safety.yaml) | +| 7 | OAI-007 | OpenAI SDK | tool | openai_tool | Ambiguous tool name | low | 0.90 | 13.5 | [tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/tool_definition.yaml) | +| 8 | OAI-008 | OpenAI SDK | tool | openai_tool | Tool raises exceptions without a structured error contract | medium | 0.60 | 24.0 | [error_handling.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/error_handling.yaml) | +| 9 | OAI-009 | OpenAI SDK | tool | openai_tool | Mutating tool has no idempotency key | medium | 0.55 | 22.0 | [idempotency.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/idempotency.yaml) | +| 10 | OAI-010 | OpenAI SDK | tool | openai_tool | Tool function prints to stdout for diagnostics | low | 0.65 | 9.8 | [observability.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/observability.yaml) | +| 11 | OAI-011 | OpenAI SDK | tool | openai_tool | urllib network call has no timeout | high | 0.85 | 59.5 | [network.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/network.yaml) | +| 12 | OAI-012 | OpenAI SDK | tool | openai_tool | Tool body spawns a subprocess | high | 0.90 | 63.0 | [shell_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/shell_safety.yaml) | +| 13 | OAI-013 | OpenAI SDK | tool | openai_tool | Tool body calls eval/exec/compile on dynamic input | high | 0.90 | 63.0 | [code_execution.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/code_execution.yaml) | +| 14 | OAI-014 | OpenAI SDK | tool | openai_tool | Privileged tool has no needs_approval gate | high | 0.70 | 49.0 | [approvals.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/approvals.yaml) | +| 15 | OAI-015 | OpenAI SDK | tool | openai_tool | Tool sets failure_error_function=None | high | 0.85 | 59.5 | [decorator_config.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/decorator_config.yaml) | +| 16 | OAI-016 | OpenAI SDK | tool | openai_tool | TypeScript tool fetch call has no AbortSignal timeout | high | 0.60 | 42.0 | [network.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/network.yaml) | +| 17 | OAI-017 | OpenAI SDK | tool | openai_tool | TypeScript tool body calls eval / new Function on dynamic input | high | 0.90 | 63.0 | [code_execution.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/code_execution.yaml) | +| 18 | OAI-018 | OpenAI SDK | tool | openai_tool | Tool builds outbound URL from non-literal value | medium | 0.55 | 22.0 | [network.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/network.yaml) | +| 19 | OAI-019 | OpenAI SDK | tool | openai_tool | TypeScript mutating tool has no idempotency key | medium | 0.50 | 20.0 | [idempotency.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/idempotency.yaml) | +| 20 | OAI-022 | OpenAI SDK | tool | openai_tool | TypeScript tool has no description | low | 0.85 | 12.8 | [tool_definition.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/tool_definition.yaml) | +| 21 | OAI-024 | OpenAI SDK | tool | openai_tool | TypeScript tool builds outbound URL from a non-literal value | medium | 0.60 | 24.0 | [network.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/network.yaml) | +| 22 | OAI-101 | OpenAI SDK | agent | openai_agent, openai_sandbox_agent | Agent has no input_guardrails AND wires shell or filesystem-touching tools | high | 0.85 | 59.5 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/agent_safety.yaml) | +| 23 | OAI-102 | OpenAI SDK | agent | openai_agent, openai_sandbox_agent | Agent uses tool_use_behavior="stop_on_first_tool" | high | 0.95 | 66.5 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/agent_safety.yaml) | +| 24 | OAI-103 | OpenAI SDK | agent | openai_agent, openai_sandbox_agent | tool_choice="required" combined with reset_tool_choice=False | high | 0.95 | 66.5 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/agent_safety.yaml) | +| 25 | OAI-104 | OpenAI SDK | agent | openai_agent | Raw Agent (not SandboxAgent) wires shell or filesystem-touching tools | medium | 0.75 | 30.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/agent_safety.yaml) | +| 26 | OAI-105 | OpenAI SDK | agent | openai_agent | TypeScript agent wires a content-fetching hosted tool without inputGuardrails | high | 0.80 | 56.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/agent_safety.yaml) | +| 27 | OAI-106 | OpenAI SDK | agent | openai_agent, openai_sandbox_agent | Agent wires MCP servers without input_guardrails | high | 0.90 | 63.0 | [mcp_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/mcp_safety.yaml) | +| 28 | OAI-109 | OpenAI SDK | agent | openai_agent, openai_sandbox_agent | Agent uses WebSearchTool without input_guardrails | high | 0.85 | 59.5 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/agent_safety.yaml) | +| 29 | OAI-110 | OpenAI SDK | agent | openai_agent, openai_sandbox_agent | Agent wires a content-fetching tool without output_guardrails | high | 0.60 | 42.0 | [agent_safety.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/agent_safety.yaml) | +| 30 | OAI-111 | OpenAI SDK | agent | openai_agent, openai_sandbox_agent | Agent wires a privileged hosted tool without needs_approval | high | 0.75 | 52.5 | [approvals.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/approvals.yaml) | +| 31 | OAI-201 | OpenAI SDK | repo | openai_agents | Project uses default OpenAI tracing | medium | 0.80 | 32.0 | [tracing.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/tracing.yaml) | +| 32 | OAI-202 | OpenAI SDK | repo | openai_agents | OpenAI Agents project ships no agent-guidance doc (AGENTS.md/CLAUDE.md) | low | 0.90 | 13.5 | [repo_hygiene.yaml](https://github.com/trustabl/trustabl-rules/blob/main/openai_sdk/repo_hygiene.yaml) | diff --git a/tools/gen_index.py b/tools/gen_index.py index f188bca..6b10aea 100644 --- a/tools/gen_index.py +++ b/tools/gen_index.py @@ -32,12 +32,13 @@ GH_BASE = "https://github.com/trustabl/trustabl-rules/blob/main/" GENERATED_MARKER = "" -SDK_ORDER = ["claude_sdk", "openai_sdk", "google_adk"] -SDK_LABEL = {"claude_sdk": "Claude SDK", "openai_sdk": "OpenAI SDK", "google_adk": "Google ADK"} +SDK_ORDER = ["claude_sdk", "openai_sdk", "google_adk", "mcp"] +SDK_LABEL = {"claude_sdk": "Claude SDK", "openai_sdk": "OpenAI SDK", "google_adk": "Google ADK", "mcp": "MCP"} SDK_FULL = { "claude_sdk": "Claude Agent SDK", "openai_sdk": "OpenAI Agents SDK", "google_adk": "Google ADK", + "mcp": "Model Context Protocol", } SCOPE_ORDER = ["tool", "agent", "subagent", "repo"] @@ -56,9 +57,10 @@ MASTER_PREAMBLE = """# Policy index -All shipped rules across every SDK. ID prefix denotes SDK: `CSDK-` Claude -Agent SDK, `OAI-` OpenAI Agents SDK, `ADK-` Google ADK. Within an SDK: `NNN` -tool-scope, `1NN` agent / subagent scope, `2NN` repo scope. +All shipped rules across every SDK. ID prefix denotes the rule family: +`CSDK-` Claude Agent SDK, `OAI-` OpenAI Agents SDK, `ADK-` Google ADK, +`MCP-` Model Context Protocol. Within a family: `NNN` tool-scope, `1NN` +agent / subagent scope, `2NN` repo scope. {risk}