From 9b088bb431bfcadb9c21252a8190c5d66f93481e Mon Sep 17 00:00:00 2001 From: chaksaray Date: Fri, 17 Jul 2026 16:03:36 +0700 Subject: [PATCH] docs: replace PRODUCT.md with CONTEXT.md, remove vendor-strategy framing PRODUCT.md asserted AVE is "Layer 1 of the Bawbel five-layer architecture" whose open layers "drive adoption" for a "commercial moat," and carried a full adoption-strategy/roadmap section (Product Hunt targets, launch tactics). That framing asserts the standard exists to serve one implementer's product strategy, which cannot live in this repo at any register, per the framing discipline CONTEXT.md establishes explicitly. - Remove PRODUCT.md; add CONTEXT.md, which contains only what is true of the standard itself. Roadmap/adoption-tactics content lives in TRUST_STRATEGY.md, kept outside this repo (gitignored). - CLAUDE.md's Product context section pointed at PRODUCT.md and repeated the same five-layer/Product Hunt framing -- updated to point at CONTEXT.md and describe record growth as bounded by distinct behavioral classes, not an external target. - research-new-attack-classes SKILL.md listed "before a release or Product Hunt push" as a trigger -- dropped the launch-event framing. Two dated docs/agents/ session records also mention PRODUCT.md; left alone as historical record, same treatment as CHANGELOG.md elsewhere in this repo. --- .../research-new-attack-classes/SKILL.md | 2 +- .gitignore | 1 + CLAUDE.md | 11 +- CONTEXT.md | 113 +++++++++++++ PRODUCT.md | 149 ------------------ 5 files changed, 121 insertions(+), 155 deletions(-) create mode 100644 CONTEXT.md delete mode 100644 PRODUCT.md diff --git a/.claude/skills/research-new-attack-classes/SKILL.md b/.claude/skills/research-new-attack-classes/SKILL.md index 60cffea..31bad74 100644 --- a/.claude/skills/research-new-attack-classes/SKILL.md +++ b/.claude/skills/research-new-attack-classes/SKILL.md @@ -18,7 +18,7 @@ AVE already covers, it is logged as a variant, not a new record. - Monthly cadence (the field moves fast — set a recurring reminder) - After a major disclosure (a new CVE, a new OX/Invariant/HiddenLayer report) - After a new academic taxonomy or benchmark paper drops -- Before a release or Product Hunt push (close the gap deliberately) +- Before a release (close the gap deliberately) Do NOT run this to hit a record-count target. Run it to stay current. There is no quota. The right number of records equals the number of diff --git a/.gitignore b/.gitignore index 740c469..c786cb6 100644 --- a/.gitignore +++ b/.gitignore @@ -13,3 +13,4 @@ node_modules/ AVE_ORG_MOVE_CHECKLIST.md AVE_PROJECT_CLEANUP_TASKS.md AVE_V1.1.0_MIGRATION_BRIEF.md +TRUST_STRATEGY.md diff --git a/CLAUDE.md b/CLAUDE.md index 815caae..7221dd6 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -168,9 +168,10 @@ python scripts/check_fixtures.py # every rule has +/- fixtures ## Product context -Read PRODUCT.md. AVE is a standalone standard, Layer 1 of the Bawbel -five-layer architecture. Treat it as its own product. +Read CONTEXT.md. AVE is a standalone standard implemented by more than one +tool; no implementer, Bawbel's own tools included, owns it. -The records grow with research, not with quotas. Target ~60-65 high-quality -records by Product Hunt, reached deliberately. A new ave_id requires a -distinct behavioral class and a citable primary source. No padding. \ No newline at end of file +The records grow with research, not with quotas. Growth is bounded by +distinct behavioral classes, not by any external target or event. A new +ave_id requires a distinct behavioral class and a citable primary source. +No padding. \ No newline at end of file diff --git a/CONTEXT.md b/CONTEXT.md new file mode 100644 index 0000000..1d98bcc --- /dev/null +++ b/CONTEXT.md @@ -0,0 +1,113 @@ +# CONTEXT.md - aveproject/ave + +Internal context for anyone working on this repo, including Claude Code +sessions. Not a strategy document; that content lives with whoever operates a +given implementation, not with the standard. See the note at the end. + +--- + +## What AVE is + +The behavioral classification standard for agentic AI components: stable IDs, +behavioral fingerprints, AIVSS scoring, framework crosswalks, and detection +guidance for a class of vulnerability that package-oriented standards cannot +describe. + +Relates to existing frameworks the way CWE relates to OWASP Top 10: a Top 10 +names the categories that matter; AVE supplies the individually scored, +individually detectable records underneath them. + +**Framing discipline.** Do not describe AVE as "the CVE for AI agents" or "the +CWE for AI agents." Use AVE's own terms: "the behavioral classification +standard for agentic AI components." The comparison to CWE is useful as an +explanation of the shape of the artifact, not as a claim of identity or +inherited authority. + +AVE is implemented by more than one tool. Any implementer, Bawbel's own tools +included, is a consumer of this standard, not its owner. If a sentence in this +repo could be read as asserting that AVE exists to serve one implementer's +product strategy, it is wrong and should be rewritten, regardless of who wrote +it or how internal the document is. + +--- + +## Why it exists + +Existing vulnerability standards were built for conventional software. CVE +maps to CPE. OSV maps to package and version range. Neither can describe a +prompt injection hidden in an MCP tool description: there is no package, no +version, no vulnerable dependency. The threat is behavioral, and the same +malicious behavior appears in effectively unlimited textual forms. + +AVE fills that gap: stable IDs, behavioral fingerprints, AIVSS scoring, +framework mappings, and detection guidance for the attack surface the +package-oriented world cannot see. + +--- + +## Relationship to OSV.dev + +Complementary, not competing. OSV answers "does this package version have a +known vulnerability?" AVE answers "does this agent component behave +dangerously?" A full scan runs both: OSV for dependencies, AVE for agent +components. AVE originates net-new behavioral classes; OSV aggregates +existing package-level findings. + +Do not describe AVE as "OSV for AI agents." OSV is an aggregator. AVE is a +classification standard. Different problem, different mechanism. + +--- + +## Current status + +| | | +|---|---| +| Records published | 59 (schema_version 1.1.0) | +| Schema version | 1.1.0 | +| Registry and docs | aveproject.org | +| Repo | github.com/aveproject/ave | + +Third-party services that consume AVE, including any Bawbel-operated ones, are +implementations of the standard, not part of it, and are documented in their +own repos, not here. If a new resource needs listing in this table, confirm +first whether it is the standard itself or something built on top of it; only +the former belongs in this table. + +--- + +## Standards alignment + +| Standard | Field | Status | +|---|---|---| +| OWASP AIVSS v0.8 | `aivss` object | required once a record is active or deprecated | +| OWASP MCP Top 10 | `owasp_mcp` | required once active or deprecated, MCP01-MCP10 | +| OWASP Agentic Security Initiative Top 10 | `owasp_asi` | optional, ASI01-ASI10 | +| MITRE ATLAS | `mitre_atlas` | optional, AML.Txxxx | +| NIST AI RMF | `nist_ai_rmf` | optional | + +--- + +## Record count discipline + +Growth is bounded by distinct behavioral classes, not by any external target +or event. Do not pad the count. If a proposed record is a variant of an +existing class rather than a genuinely distinct one, it should be merged into +that record's `example_patterns` or `mutation_count`, not published separately. + +--- + +## How to work on AVE + +See CLAUDE.md for session rules and the current task queue. +See ARCHITECTURE.md for the record/rule/fixture model. +See CONTRIBUTING.md for the contributor-facing process. +See GOVERNANCE.md for decision process and the record proposal workflow. + +**Roadmap, launch planning, adoption tactics, and anything with a marketing or +fundraising deadline attached does not belong in this repo, including as an +internal-only file.** That content lives with whoever operates a given +implementation and tracks their own trust-building strategy; for the current +maintainer, that is `TRUST_STRATEGY.md`, kept outside this repo. This +separation is deliberate, not an oversight: this repo is what a second +implementer, an OWASP reviewer, or a future co-maintainer will read directly, +and it should contain only what is true of the standard itself. \ No newline at end of file diff --git a/PRODUCT.md b/PRODUCT.md deleted file mode 100644 index f905dd1..0000000 --- a/PRODUCT.md +++ /dev/null @@ -1,149 +0,0 @@ -# PRODUCT.md — aveproject/ave - -Internal product context for Claude Code sessions. Not published. - ---- - -## What AVE is - -The behavioral classification standard for agentic AI components. -Relates to AST10/ASI the way CWE relates to OWASP Top 10 — a Top 10 names the -categories that matter; AVE supplies the individually-scored, individually- -detectable records underneath them. An open standard that bawbel-scanner -implements as its reference implementation. Not a feature of the scanner; an -independent asset with its own schema, registry, and community. - -AVE is Layer 1 of the Bawbel five-layer architecture. The open layers -(AVE standard + scanner) drive adoption and community trust. The proprietary -layers (PiranhaDB, registry, web platform) are the commercial moat. - ---- - -## Why it exists - -Existing vulnerability standards were built for conventional software. -CVE maps to CPE. OSV maps to package and version range. Neither can describe -a prompt injection hidden in an MCP tool description — there is no package, -no version, no vulnerable dependency. The threat is behavioral. The same -malicious behavior appears in infinitely many textual forms. - -AVE fills that gap: stable IDs, behavioral fingerprints, AIVSS scoring, -framework mappings, and detection rules — for the attack surface that the -package world cannot see. - -Do not frame AVE as "the CVE for AI agents" or "the CWE for AI agents." -Use own-terms framing: "the behavioral classification standard for agentic -AI components." The comparison to CWE is useful as an explanation, not as -an identity. - ---- - -## Current status - -| | | -|---|---| -| Records published | 56 (schema_version 1.1.0) | -| Schema version | 1.1.0 (canonical, published) | -| Registry | aveproject.org (live) | -| Threat intel API | api.piranha.bawbel.io | -| Site repo | github.com/aveproject/ave-site | -| Latest release | v1.1.0 | - ---- - -## Standards alignment - -| Standard | Field | Status | -|---|---|---| -| OWASP AIVSS v0.8 | `aivss` object | required in every record | -| OWASP MCP Top 10 | `owasp_mcp` | required, MCP01-MCP10 | -| OWASP Agentic Security Initiative Top 10 | `owasp_asi` | optional, ASI01-ASI10 | -| MITRE ATLAS | `mitre_atlas` | optional, AML.Txxxx | -| NIST AI RMF | `nist_ai_rmf` | optional | -| OWASP AIBOM | planned via `bawbel abom` CycloneDX command | future | - ---- - -## Relationship to OSV.dev - -Complementary, not competing. OSV answers "does this package version have -a known vulnerability?" AVE answers "does this agent component behave -dangerously?" A full scan runs both: OSV for dependencies, AVE for agent -components. AVE originates net-new behavioral classes; OSV aggregates -existing package-level findings. - -Do not frame AVE as "OSV for AI agents" — OSV is an aggregator. AVE -is a classification standard. Different problem, different mechanism. - ---- - -## Adoption strategy - -The field has many scanners and no shared vocabulary. Independent studies -find different tools barely agree on what they flag — no pair overlaps more -than 10.4%, only 0.69% of skills are flagged by all three in the OpenClaw -study. That fragmentation is the AVE adoption argument: the field needs a -common reference, and AVE is it. - -The adoption path: -1. Crosswalks — map SkillSpector and ClawScan finding types to AVE ids - (unilateral, no ask required, positions AVE as neutral reference) -2. AVE-in-SARIF — AVE ids travel inside SARIF into GitHub Security tab - and CI for free (docs/specs/ave-in-sarif.md, shipped in v1.1.0) -3. Open data dump — full record set downloadable as one JSON file - (ave-records-v1.1.0.json, attached to the v1.1.0 GitHub release) -4. Second implementer — a non-Bawbel tool emitting or mapping AVE ids - (this is the most urgent gate; pursue before OWASP proposal) -5. Institutional backing — MITRE CWE AI Working Group contribution, - OWASP AST10 crosswalk PR, OWASP project proposal - (proposal only after second implementer is confirmed) - ---- - -## Roadmap - -**v1.2 (next)** -- GOVERNANCE.md — decision process, record proposal workflow, governance path -- CODE_OF_CONDUCT.md — Contributor Covenant v2.1 -- docs/specs/ave-implementer-guide.md — three consumption patterns: - runtime API, bundled offline (air-gapped), ID-only emission -- Offline release artifact: ave-records-v1.1.0.json attached to v1.1.0 release -- AST10 crosswalk PR — contribute crosswalks/ave-to-ast10.json to OWASP AST10 repo -- CWE AI Working Group outreach — gap-mapping issue on CWE-CAPEC/AI-Working-Group -- Second implementer outreach — contact scanner maintainers with crosswalk packages -- Resource exhaustion / agentic DoS record — one confirmed gap from benchmark-2026-06 - -**Trust-building (parallel)** -- Technical write-ups on priority records: 00001, 00002, 00042, 00045, 00048 -- Target 10 write-ups before Product Hunt -- Respond to the Reddit framing discussion — acknowledge behavioral classification - framing, link to updated docs - -**Later** -- OWASP project proposal — after second implementer is confirmed and - a second project leader candidate is identified -- OWASP AIBOM integration via `bawbel abom` CycloneDX command -- Advisory board (only when real reviewers exist — not decoration) - ---- - -## Record count discipline - -Target: ~60-65 high-quality records by Product Hunt, reached deliberately. -Do not push to 100. Research shows ~25-35 genuinely distinct behavioral -classes exist (MCPSecBench 17, Formal Security Framework 23, Hou et al 16, -MCP-SafetyBench 20, MCPTox 11 — heavy overlap). At 56 records we are likely -past the count of distinct classes already. - -Growth path: audit and merge variants, fill genuine gaps from the -research-new-attack-classes skill. Record count = distinct behavioral -classes, no padding. - ---- - -## How to work on AVE - -See CLAUDE.md for session rules and the current task queue. - -See ARCHITECTURE.md for the record/rule/fixture model. -See CONTRIBUTING.md for the contributor-facing process. \ No newline at end of file