Abstract
This whitepaper defines CLAWLINE as a static structural trust clinic for agent compositions. It specifies analysis boundaries, deterministic CRABS->DAD->CLAWS policy routing, evidence-grade constraints, MCP posture integrity controls, and campaign containment signals. The document emphasizes auditable claims: each major assertion maps to deterministic signals, policy paths, and validation artifacts.
Scope and Boundaries
In scope:
- Static structural analysis of submitted disclosure artifacts and structured posture.
- Deterministic finding emission and policy routing with versioned receipts.
- Public trust labels constrained to neutral, evidence-grounded language.
- MCP posture inventory, pinning quality, drift/collision checks.
- Clinic-wide campaign meta-signals from privacy-preserving telemetry.
Out of scope:
- Runtime exploit verification or active penetration testing.
- Source-code execution, sandbox replay, or external URL retrieval during analysis.
- Behavioral or intent attribution beyond deterministic structural evidence.
- Legal/compliance certification claims.
Analysis boundaries:
- Boundary A: Submission ingress and payload validation.
- Boundary B: Structured parsing and deterministic normalization.
- Boundary C: Policy engine routing and action mapping.
- Boundary D: Public publication surfaces and neutral language contract.
Method Summary
Ingress Guardrails
Reject oversized/unsafe submissions before policy analysis.
Structured Parsing
Normalize connectors, tools, MCP posture, custody evidence, versions, and schema signals.
Posture and Mismatch Scoring
Compute declared/required tiers, privilege delta, and clawpath structural risk.
Clinic Meta-Signal Detection
Detect campaign patterns without evaluating payload intent text.
CRABS -> DAD -> CLAWS
Route deterministic findings to final publish action.
Threat Model
Artifact Custody Gaps
Artifact trust decays when digests and provenance are missing, unbound, or unverifiable against local trust roots.
Input Stack Manipulation
Untrusted context paths can carry instruction-bearing content that competes with declared policy intent.
Tool-Plane Contamination and Drift
MCP or tool metadata can inject hidden control language and mutate definitions after trust is granted.
Privilege Understatement
Self-reported privilege posture can understate structural capability requirements and distort trust decisions.
Composite Path Risk
Risk emerges when untrusted input, sensitive capability access, and sink channels coexist in one composition.
Clinic Abuse Campaigns
Coordinated submission bursts, loops, or identity spray can degrade registry trust without payload-level indicators.
Claims
Execution-Safe Analysis Boundary
CLAWLINE analysis is static and deterministic; submitted code is not executed and external URLs are not fetched.
Why it matters: This boundary constrains analyzer-induced runtime risk and keeps outputs reproducible from submitted artifacts only.
Evidence-Bound Integrity Prevents Overclaim
Integrity and posture confidence states are bounded by evidence quality and remain UNKNOWN/PARTIAL/ABSENT when incomplete.
Why it matters: Prevents false certainty in trust labels and keeps public outputs aligned with observed evidence.
Least-Privilege Mismatch is Deterministically Gated
Declared-versus-required tier mismatch is computed from structural posture and routed through explicit policy thresholds.
Why it matters: Privilege understatement is visible, queryable, and policy-enforceable before trust publication.
MCP Posture Integrity is Tracked Over Time
MCP inventory, pinning, drift, and collisions are represented as deterministic posture signals and mapped into policy.
Why it matters: Tool-plane trust degrades when definitions drift or remain unpinned; explicit signals preserve auditability.
ClawPath and Triad are Structural Conditions, not Intent Claims
ClawPath Risk and Triad Condition are composition signals derived from capability conjunctions, not behavioral accusations.
Why it matters: Supports defensible risk gating without over-interpreting intent from text alone.
Campaign Signals Enable Containment without Payload Accusation
Burst, resubmit-loop, and identity-spray detection use hashed telemetry and similarity to trigger containment.
Why it matters: Protects registry trust from coordinated abuse while preserving neutral public language.
Chain-of-Custody Evidence is Artifact-Bound and Verification-Bounded
Custody assertions are attached to artifact digests and remain VERIFIED only when local trust roots can validate provenance signatures.
Why it matters: This prevents release-level hand-waving and keeps trust outputs bounded by deterministic evidence.
Public Output Language is Constrained by Policy
Public status and explanation text are constrained to neutral, provable labels (e.g., Review Required, Drift Detected).
Why it matters: Maintains public trust language discipline and prevents speculative or accusatory publication.
Claim-Evidence Matrix
Evaluation Plan
Validate canonicalization and deterministic hash stability.
Method: Submit equivalent payload permutations and compare canonical SHA outputs.
Expected outcome: Equivalent semantic payloads produce stable canonical hashes.
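As an added example (not CLAWLINE's own code), the canonicalization check described above in Python: key order, surrounding whitespace and the order of set-like fields are normalized before hashing, so equivalent permutations hash identically while a real posture change does not. Which fields count as unordered sets is an assumption here.

```python
import hashlib
import json

# Fields treated as unordered sets in the canonical form. Assumption for this example:
# CLAWLINE's own canonicalization rules are not stated on the page.
SET_FIELDS = {"connectors", "tools", "mcp_servers"}

def canonicalize(obj, key=None):
    """Recursively normalize a posture payload so that key order, surrounding
    whitespace and the order of set-like lists do not change the digest."""
    if isinstance(obj, dict):
        return {k: canonicalize(obj[k], k) for k in sorted(obj)}
    if isinstance(obj, list):
        items = [canonicalize(v, key) for v in obj]
        if key in SET_FIELDS:
            # sort by canonical JSON encoding so dict elements are orderable too
            items.sort(key=lambda v: json.dumps(v, sort_keys=True, separators=(",", ":")))
        return items
    if isinstance(obj, str):
        return obj.strip()
    return obj

def canonical_sha256(payload):
    """Deterministic digest: canonical form, sorted keys, no insignificant whitespace."""
    encoded = json.dumps(canonicalize(payload), sort_keys=True,
                         separators=(",", ":"), ensure_ascii=False).encode("utf-8")
    return hashlib.sha256(encoded).hexdigest()

# Constructed sample: A and B differ only in key order, whitespace and connector
# ordering; C adds a connector and therefore carries a real posture change.
PAYLOAD_A = {"name": "agent-x", "version": "1.2.0",
             "connectors": ["github", "slack"], "tools": [{"name": "read_file", "tier": 1}]}
PAYLOAD_B = {"tools": [{"tier": 1, "name": "read_file"}],
             "connectors": ["slack", "github "], "version": "1.2.0", "name": " agent-x"}
PAYLOAD_C = dict(PAYLOAD_A, connectors=["github", "slack", "s3"])

def hash_stability_check():
    """Returns (A == B, A == C): permutations must match, a changed posture must not."""
    a, b, c = (canonical_sha256(p) for p in (PAYLOAD_A, PAYLOAD_B, PAYLOAD_C))
    return a == b, a == c

if __name__ == "__main__":
    print(canonical_sha256(PAYLOAD_A), hash_stability_check())
```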
Validate least-privilege mismatch routing.
Method: Exercise posture matrices that produce delta 0/1/2 and verify DAD routing.
Expected outcome: delta==1 warns, delta>=2 freezes by deterministic rule IDs.
Validate MCP pinning/drift/collision handling.
Method: Feed MCP posture variants with pinned/unpinned/drifted definitions.
Expected outcome: Unpinned warnings and drift/collision freeze paths are emitted as configured.
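An added example covering the two previous validations (tier-delta routing and MCP pinning/drift/collision handling), not CLAWLINE's own policy engine: the tier matrix, the rule ids and the FREEZE > WARN > PUBLISH precedence are assumptions; only the delta thresholds and the signal names come from the page.

```python
import hashlib
import json

# Capability -> required privilege tier (ordinal; higher = more privilege). Assumed matrix.
REQUIRED_TIER = {"read_file": 1, "network_egress": 2, "shell_exec": 3}

def privilege_findings(posture):
    """Declared vs required tier: delta 1 warns, delta >= 2 freezes (rule ids are placeholders)."""
    required = max((REQUIRED_TIER.get(t, 0) for t in posture["tools"]), default=0)
    delta = required - posture["declared_tier"]
    if delta <= 0:
        return []
    action = "WARN" if delta == 1 else "FREEZE"
    return [{"rule": f"LP-DELTA-{min(delta, 2)}", "action": action, "delta": delta}]

def definition_digest(defn):
    """Canonical JSON digest of a tool definition; this is what a pin records."""
    return hashlib.sha256(json.dumps(defn, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def mcp_findings(servers):
    """Unpinned -> WARN; drift (advertised definition != pinned digest) -> FREEZE;
    collision (same tool name advertised by two servers) -> FREEZE."""
    findings, owner = [], {}
    for srv in servers:
        for name, tool in srv["tools"].items():
            if owner.setdefault(name, srv["name"]) != srv["name"]:
                findings.append({"rule": "MCP-COLLISION", "action": "FREEZE", "tool": name})
            if tool.get("pinned") is None:
                findings.append({"rule": "MCP-UNPINNED", "action": "WARN", "tool": name})
            elif definition_digest(tool["definition"]) != tool["pinned"]:
                findings.append({"rule": "MCP-DRIFT", "action": "FREEZE", "tool": name})
    return findings

def route(findings):
    """Final publish action: the most severe finding wins (FREEZE > WARN > PUBLISH)."""
    actions = {f["action"] for f in findings}
    return "FREEZE" if "FREEZE" in actions else "WARN" if "WARN" in actions else "PUBLISH"

def evaluate(posture):
    findings = privilege_findings(posture) + mcp_findings(posture["mcp_servers"])
    return sorted(f["rule"] for f in findings), route(findings)

# Constructed sample: declared tier 1 but shell_exec requires tier 3 (delta 2), one
# unpinned tool, one drifted definition, and a read_file name collision across servers.
PINNED_DEF = {"name": "read_file", "args": ["path"]}
SAMPLE = {"declared_tier": 1, "tools": ["read_file", "shell_exec"], "mcp_servers": [
    {"name": "fs", "tools": {"read_file": {"pinned": definition_digest(PINNED_DEF), "definition": PINNED_DEF},
                             "shell_exec": {"pinned": None, "definition": {"name": "shell_exec"}}}},
    {"name": "ops", "tools": {"read_file": {"pinned": definition_digest(PINNED_DEF),
                                            "definition": {"name": "read_file", "args": ["path", "mode"]}}}}]}
```

`evaluate(SAMPLE)` returns the four rule ids and a final action of FREEZE; a fully pinned, correctly declared posture returns no findings and PUBLISH.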
Validate campaign containment signals.
Method: Replay burst and high-similarity submissions over bounded windows.
Expected outcome: B10/B11/B12 fire and route to quarantine.
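An added example of the campaign meta-signals, not CLAWLINE's own implementation: submitter identities are pseudonymized with a keyed hash and similarity is computed over hashed structural features only, never payload text. The window size, the thresholds and the mapping of B10/B11/B12 to burst, resubmit loop and identity spray are assumptions.

```python
import hashlib

# Window (seconds), thresholds and the B10/B11/B12 mapping are assumptions for this example.
WINDOW, BURST_LIMIT, LOOP_LIMIT, SPRAY_IDENTITIES, SIMILARITY = 600, 5, 3, 3, 0.8
TELEMETRY_KEY = b"placeholder-telemetry-key"  # placeholder; a deployment uses a managed secret

def pseudonymize(identity):
    """Keyed hash of the submitter identity so telemetry never stores the raw id."""
    return hashlib.sha256(TELEMETRY_KEY + b"|" + identity.encode()).hexdigest()[:16]

def features(posture):
    """Hashed structural features only (connectors, tools, version); payload text is never read."""
    raw = ([f"c:{c}" for c in posture["connectors"]] + [f"t:{t}" for t in posture["tools"]]
           + [f"v:{posture['version']}"])
    return frozenset(hashlib.sha256(x.encode()).hexdigest()[:12] for x in raw)

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 1.0

def campaign_signals(events):
    """events: (timestamp, identity, posture) tuples in time order. Returns the rule ids that
    fired: B10 burst (> BURST_LIMIT submissions per identity in WINDOW), B11 resubmit loop
    (same structure >= LOOP_LIMIT times per identity), B12 identity spray (>= SPRAY_IDENTITIES
    distinct identities with near-identical structure in WINDOW)."""
    fired, recent = set(), []
    for ts, ident, posture in events:
        pid, feats = pseudonymize(ident), features(posture)
        recent = [e for e in recent if ts - e[0] <= WINDOW] + [(ts, pid, feats)]
        mine = [e for e in recent if e[1] == pid]
        if len(mine) > BURST_LIMIT:
            fired.add("B10")
        if sum(1 for e in mine if e[2] == feats) >= LOOP_LIMIT:
            fired.add("B11")
        if len({e[1] for e in recent if jaccard(e[2], feats) >= SIMILARITY}) >= SPRAY_IDENTITIES:
            fired.add("B12")
    return fired

def containment_action(fired):
    """Campaign signals route to quarantine; they are containment controls, not accusations."""
    return "QUARANTINE" if fired else "PASS"

# Constructed telemetry: identity "a" resubmits one structure three times (loop), then three
# identities submit near-identical structures inside one window (spray). No burst here.
BASE = {"connectors": ["github", "slack"], "tools": ["read_file", "web_fetch"], "version": "2.0.0"}
VARIANT = dict(BASE, tools=BASE["tools"] + ["write_file"])
EVENTS = [(0, "a", BASE), (100, "a", BASE), (200, "a", BASE),
          (900, "x", VARIANT), (920, "y", VARIANT), (950, "z", BASE)]
```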
Validate public-safe language and trust-doc consistency.
Method: Check API/page payloads for neutral status language and registry link consistency.
Expected outcome: No accusatory campaign wording on public outputs and consistent term mappings.
Validate chain-of-custody parsing and policy gating.
Method: Submit custody variants covering absent, partial, invalid, and unverified provenance bindings.
Expected outcome: Custody grades and DAD custody rules fire deterministically with neutral public labels.
Limitations
- Findings are limited to submitted artifacts and deterministic parser coverage.
- Unknown evidence states are normal and intentionally preserved to avoid overclaim.
- Campaign heuristics are containment controls and do not prove malicious identity.
- Version and policy semantics can evolve; receipts should always be interpreted with policy version context.
- Public trust labels indicate structural posture state, not warranty or certification.
Citations
OWASP Top 10 for Large Language Model Applications
Prompt injection and insecure output handling threat model anchor.
Model Context Protocol
Tool-plane protocol baseline and MCP posture framing.
Supply-chain Levels for Software Artifacts (SLSA)
Drift and provenance framing for definition integrity.
NIST AI Risk Management Framework
System-level governance and response framing.
NIST SP 800-53 Rev. 5, AC-6 Least Privilege
Least privilege mapping for declared/required tier mismatch.
CWE-693: Protection Mechanism Failure
Control-failure class aligned to triad risk composition.
Semantic Versioning 2.0.0
Version posture quality and staleness signaling baseline.
CLAWLINE Methodology
Versioned deterministic method and policy precedence source.
CLAWLINE Crosswalk Registry
External-to-internal term mapping registry.
CLAWLINE Origins Registry
Concept lineage, references, and policy linkage index.