Skip to content

feat: deployment-aware agentic risk amplification scoring#204

Draft
arunSunnyKVS wants to merge 1 commit into
KeyValueSoftwareSystems:masterfrom
arunSunnyKVS:feat/agentic-risk-amplification
Draft

feat: deployment-aware agentic risk amplification scoring#204
arunSunnyKVS wants to merge 1 commit into
KeyValueSoftwareSystems:masterfrom
arunSunnyKVS:feat/agentic-risk-amplification

Conversation

@arunSunnyKVS

@arunSunnyKVS arunSunnyKVS commented Jul 17, 2026

Copy link
Copy Markdown
Collaborator

What & why

Findings today carry a static severity label (low/high/critical) that never changes with the deployment, plus a cosmetic per-evaluator "Avg Score" that averages judge scores — and averaging hides breaches (9 9 2 → 6.7 reads healthy while one attack got through).

This adds a deployment-aware per-evaluator risk score (0–10): the severity label is a floor, amplified by the target's agentic power, so the same flaw scores higher on an autonomous, tool-rich, multi-tenant agent than on a read-only chatbot. Follows the OWASP AIVSS amplification model, reduced to something fully automatic.

Closes #200. Follow-ups: #201 (LLM profile enrichment), #202 (headline integration), #203 (MCP tools/list signal).

How it works

amplifiedRisk(severity, isFinding, power)base + (10 - base) * power, with CVSS/AIVSS band floors (critical 9.0, high 7.0, medium 4.0, low 1.0). Worst-case at the evaluator level: a finding scores from its floor, a defended evaluator scores 0.0. Averaging is deliberately avoided.

deriveAgentProfile() — a deterministic, no-LLM heuristic that infers the power profile (autonomy / tools / identity / persistence, each 0/0.5/1.0) from businessUseCase + target metadata already in the config. No new setup questions.

Worked example (customer-support): base high = 7.0, inferred power 0.875 → 7.0 + (10-7.0)*0.875 = 9.6. A "high" BOLA on a money-moving, multi-tenant agent surfaces as 9.6; defended evaluators show green 0.0. A caption under the table explains, in plain English, why findings were amplified.

Scope / safety

  • The headline Safety Score and summary shape are untouched — feeding amplified risk into the headline is deliberately deferred to Risk scoring: integrate amplified risk into the headline Safety Score #202 (it changes existing score semantics + the equivalence test's exact-shape assertion).
  • risk is additive optional metadata; runs without a profile (e.g. direct buildUnifiedReport in tests) simply carry no risk.

Testing

  • New unit tests: core/tests/amplify.test.ts, core/tests/agentProfile.test.ts.
  • Existing orchestrator-equivalence + smoke tests pass unchanged (182 total, 0 fail).
  • npm run build + npm run typecheck green; verified the rendered report end-to-end (BOLA(high,FAIL)→9.6, passes→0.0, summary shape intact).

Files

  • core/src/execute/amplify.ts (new) — pure risk function
  • core/src/execute/agentProfile.ts (new) — heuristic profile deriver
  • core/src/execute/{aggregate,runAll,runAllBrowser,types}.ts — wire + thread the profile
  • core/src/report/{types,buildReport,render}.ts — "Base Sev" + "Risk (this agent)" columns
  • README.md — Risk scoring section

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Added deployment-aware risk scoring from 0–10 for evaluation findings.
    • Risk scores now reflect the target agent’s capabilities, business context, and metadata.
    • Updated results tables to show “Risk (this agent)” with explanatory context and color indicators.
    • Added agent power details and rationale to generated reports.
    • Documented the new risk-scoring approach in the README.
  • Tests

    • Added coverage for agent profiling and risk amplification, including severity levels, rounding, and score limits.

Adds a per-evaluator risk score (0-10) that amplifies a finding's static
severity by the target's agentic power, so the same flaw scores higher on an
autonomous, tool-rich, multi-tenant agent than on a read-only chatbot. Replaces
the cosmetic "Avg Score" column with "Risk (this agent)".

- amplify.ts: pure amplifiedRisk(severity, isFinding, power) = base + (10-base)*power,
  with CVSS/AIVSS band floors. Worst-case per evaluator (findings only, else 0.0);
  averaging is deliberately avoided so one breach can't be hidden by sibling passes.
- agentProfile.ts: deriveAgentProfile() heuristically infers the power profile from
  businessUseCase + target metadata already in the config -- no new setup questions.
- aggregate.ts: buildUnifiedReport computes per-evaluator risk when a profile is
  present. The summary shape and severity-weighted headline scores are untouched.
- report: new "Base Sev" + "Risk (this agent)" columns with a plain-English caption
  explaining why findings were amplified.
- tests: unit coverage for amplify + agentProfile; existing equivalence/smoke pass.

Follows the OWASP AIVSS amplification model, reduced to something fully automatic.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7174f7d1-57a9-43dc-b705-27fd02be93b5

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • ✅ Review completed - (🔄 Check again to review again)
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Deployment-aware risk scoring: amplify finding severity by agentic power

1 participant