Canonical system terms with evidence requirements, decision impact, and CRABS/DAD/CLAWS linkages.
chain_of_custody_evidence
Chain-of-Custody Evidence
Artifact-bound provenance, digests, and attestations that connect a disclosed artifact to its build/source lineage.
Evidence required: Artifact digests and build provenance statement; optional signature material, SBOM, and builder claims.
Decision impact: Invalid custody bindings freeze; missing or unverified custody warns or freezes by risk tier.
Aliases: SLSA provenance, SLSA attestations, Build provenance
CRABS Tags: CRABS-S80, CRABS-S81, CRABS-S82, CRABS-S83, CRABS-S84, CRABS-S85, CRABS-S86
DAD Rules: DAD-CRT-80, DAD-CRT-81, DAD-WRN-80, DAD-WRN-81
CLAWS Actions: PUBLISH_WITH_WARN, QUARANTINE
clawpath_risk
ClawPath Risk
Static structural score for path feasibility from untrusted input to sensitive access and exfiltration/action sinks.
Evidence required: Structured posture signals for trust boundaries, capability exposure, and sink channels.
Decision impact: High levels can trigger FREEZE; medium levels frequently publish with warning depending on co-signals.
Aliases: Toxic flows, Toxic Flow Analysis
CRABS Tags: CRABS-C70, CRABS-A70, CRABS-A71, CRABS-A73, CRABS-A72, CRABS-A74
DAD Rules: DAD-CRT-62, DAD-CRT-63, DAD-WRN-62
CLAWS Actions: PUBLISH_WITH_WARN, QUARANTINE
triad_condition
Triad Condition
Structural conjunction of untrusted input, sensitive access, and sink capability in the same posture snapshot.
Evidence required: Deterministic findings proving all three condition classes.
Decision impact: Warn by default; escalates to freeze when paired with autonomy/write or shadow-prompt triad rule hits.
Aliases: Lethal trifecta
CRABS Tags: CRABS-A72, CRABS-A77
DAD Rules: DAD-CRT-63, DAD-CRT-65, DAD-WRN-62
CLAWS Actions: PUBLISH_WITH_WARN, QUARANTINE
shadow_prompting
Shadow Prompting / Input Stack Integrity
Untrusted instruction channels that can compete with declared instruction hierarchy and policy intent.
Evidence required: Context source declarations and deterministic findings from instruction hierarchy analysis.
Decision impact: Escalates to freeze when shadow prompting is coupled with action channels or triad conditions.
Aliases: Indirect Prompt Injection
CRABS Tags: CRABS-C10, CRABS-C12, CRABS-C13, CRABS-C14, CRABS-A75, CRABS-A76, CRABS-A77
CLAWS Actions: PUBLISH_WITH_WARN, QUARANTINE
tool_contamination
Tool Contamination
Instruction-bearing metadata in tool definitions that can alter or redirect model behavior.
Evidence required: Structured tool metadata plus deterministic contamination signatures.
Decision impact: Warns by default, freezes when contamination is paired with sink availability.
Aliases: Tool Poisoning, Metadata-layer injection, Line-jumping
CRABS Tags: CRABS-C60, CRABS-C61
DAD Rules: DAD-CRT-61, DAD-CRT-64, DAD-WRN-60, DAD-WRN-63
CLAWS Actions: PUBLISH_WITH_WARN, QUARANTINE
definition_drift
Definition Drift
Hash-detectable posture mutation between submissions within the same identity scope.
Evidence required: MCP/tool snapshots and deterministic manifest hash comparisons.
Decision impact: Commonly triggers FREEZE because trust cannot be transferred across mutated definitions.
Aliases: Rug Pull, Post-consent mutation
DAD Rules: DAD-CRT-60, DAD-WRN-61
declared_tier
Declared Tier
Agent-reported or inferred privilege tier used as the declaration side of mismatch analysis.
Evidence required: Valid disclosure field or deterministic fallback from capability graph.
Decision impact: Feeds privilege delta and mismatch tags.
Aliases: Declared privilege tier
CLAWS Actions: PUBLISH, PUBLISH_WITH_WARN, QUARANTINE
required_tier
Required Tier
Deterministic privilege tier required by structured posture signals (scope/tool/MCP/autonomy).
Evidence required: Parseable structured posture inputs; otherwise required tier remains UNKNOWN.
Decision impact: Used to compute privilege delta and mismatch policy routing.
Aliases: Structural required privilege tier
CRABS Tags: CRABS-A20, CRABS-A21
DAD Rules: DAD-CRT-40, DAD-WRN-40
CLAWS Actions: PUBLISH, PUBLISH_WITH_WARN, QUARANTINE
privilege_delta
Privilege Delta
Difference between required tier and declared tier (required - declared).
Evidence required: Both declared and required tiers must be available.
Decision impact: Delta >= 2 freezes; delta == 1 warns.
Aliases: Least privilege mismatch, Capability mismatch
CRABS Tags: CRABS-A20, CRABS-A21
DAD Rules: DAD-CRT-40, DAD-WRN-40
CLAWS Actions: PUBLISH_WITH_WARN, QUARANTINE
evidence_grade
Evidence Grade
Posture evidence quality label with bounded values PRESENT, PARTIAL, or ABSENT.
Evidence required: Structured connectors/tools/MCP blocks and parser validity outcomes.
Decision impact: Affects warning policy and suppresses overconfident trust assertions.
Aliases: Evidence coverage
CRABS Tags: CRABS-S20, CRABS-S21, CRABS-S47
CLAWS Actions: PUBLISH_WITH_WARN
evidence_completeness
Evidence Completeness %
Percent score for how complete the required structural evidence set is for a submission.
Evidence required: Normalized completeness checklist from ABOM/MCP/version/schema posture inputs.
Decision impact: Below-threshold completeness contributes to warning-level publication labels.
Aliases: Assurance completeness
CLAWS Actions: PUBLISH_WITH_WARN
identity_integrity
Identity Integrity
Identity consistency state derived from cross-source identity claims when sufficient evidence exists.
Evidence required: At least two parseable identity sources with matching fields; conflicts mark INCONSISTENT.
Decision impact: Inconsistency is a high-confidence trust defect and can freeze under identity conflict rules.
Aliases: Identity consistency
CLAWS Actions: PUBLISH, PUBLISH_WITH_WARN, QUARANTINE
mcp_pinning_grade
MCP Pinning Grade
Pinning quality of MCP server and tool definitions: PRESENT, PARTIAL, or ABSENT.
Evidence required: Structured MCP inventory with hash or immutable references per server/tool definition.
Decision impact: Missing or partial pinning warns; combined collision/privilege patterns may freeze.
Aliases: Tool pinning posture, MCP hygiene
CRABS Tags: CRABS-S60, CRABS-S61
DAD Rules: DAD-WRN-60, DAD-WRN-61
CLAWS Actions: PUBLISH_WITH_WARN, QUARANTINE
mcp_drift_detected
MCP Drift Detected
Boolean drift signal indicating MCP definitions changed relative to prior snapshots.
Evidence required: Manifest hash comparisons across the same identity scope.
Decision impact: Drift commonly routes to review-required containment.
Aliases: Definition drift flag
mcp_collision_detected
MCP Collision Detected
Boolean collision signal indicating conflicting tool names or identities in MCP scope.
Evidence required: Deterministic keying of server/tool identity and duplicate name checks.
Decision impact: Combined with high-privilege connections can freeze.
Aliases: Tool namespace collision
campaign_meta_signals
Campaign Meta-Signals
Clinic-level behavioral patterns from hashed telemetry: burst, resubmit loop, and identity spray.
Evidence required: Hashed source telemetry, time-window counters, and content similarity fingerprints.
Decision impact: Defaults to FREEZE containment.
Aliases: Coordinated submission abuse detection
CRABS Tags: CRABS-B10, CRABS-B11, CRABS-B12
review_required
Review Required
Public-safe label for containment states where deterministic policy routes to QUARANTINE.
Evidence required: Any freeze condition with provable structural evidence.
Decision impact: Suppresses accusatory language while preserving deterministic containment decisions.
Aliases: Quarantine, Containment hold, Hold for review
DAD Rules: DAD-CRT-20, DAD-CRT-30, DAD-CRT-40, DAD-CRT-60, DAD-CRT-62
version_schema_posture
Version and Schema Posture
Version declaration quality across platform and schema signals, including missing/inferred/conflict/outdated states.
Evidence required: Version declarations plus parser-valid schema fields and deterministic version checks.
Decision impact: Missing/outdated posture generally warns and can escalate for higher-tier submissions.
Aliases: Version drift, Schema compliance posture
CRABS Tags: CRABS-S40, CRABS-S41, CRABS-S42, CRABS-S44, CRABS-S45, CRABS-S46
CLAWS Actions: PUBLISH_WITH_WARN, QUARANTINE
Deterministic finding and tag emission engine for structural risk and posture signals.
Evidence required: Static submission inputs only; no runtime execution.
Decision impact: Feeds DAD routing through emitted tags.
CLAWS Actions: PUBLISH, PUBLISH_WITH_WARN, QUARANTINE, BLOCK
Deterministic decision engine mapping CRABS signals to ALLOW, WARN, FREEZE, or KILL.
Evidence required: CRABS tags and policy version matrix.
Decision impact: Directly determines CLAWS action mapping.
CLAWS Actions: PUBLISH, PUBLISH_WITH_WARN, QUARANTINE, BLOCK
Action mapper from DAD decisions to publication outcomes.
Evidence required: DAD decision output.
Decision impact: Final action channel for card publication, warning, quarantine, or block.
CLAWS Actions: PUBLISH, PUBLISH_WITH_WARN, QUARANTINE, BLOCK