Skip to content
OATF

Evaluation

The evaluation interface allows tools to assess whether observed protocol traffic matches the indicators defined in an OATF document. These operations are the foundation for evaluation tools, but adversarial tools MAY also use them for self-verification.

4.1 Message Abstraction

Section titled “4.1 Message Abstraction”

Indicator evaluation operates on protocol messages represented as Value, a dynamically-typed JSON-like tree. The SDK does not define message types for specific protocols. The consuming tool is responsible for constructing the Value from whatever wire format it captures.

The Value passed to indicator evaluation corresponds to the result (for responses) or params (for requests/notifications) field of the JSON-RPC message, not the full JSON-RPC envelope. This is the convention defined in the format specification §7.1.3. For correlated response events in client mode (notably MCP tools/call and prompts/get), the Value MUST be an enriched object that includes the originating request’s params, since JSON-RPC responses do not carry them. For non-JSON-RPC bindings (e.g., AG-UI, or future protocols that do not use JSON-RPC framing), tools SHOULD pass the protocol-specific message payload, the semantic equivalent of “the content the agent produced or received.” Indicators evaluate whatever structure is present; the dot-path and CEL machinery is format-agnostic.

SDKs MUST NOT require messages to conform to any particular protocol schema. Indicators evaluate against whatever structure is present. For pattern and semantic indicators, missing target fields produce not_matched verdicts, not errors. For expression indicators, missing field access follows CEL runtime semantics — accessing a nonexistent field is a CEL evaluation error, which the SDK surfaces as an EvaluationError.

4.2 evaluate_pattern

Section titled “4.2 evaluate_pattern”
evaluate_pattern(pattern: PatternMatch, message: Value) → Result<Boolean, EvaluationError>

Evaluates a pattern indicator against a protocol message.

Preconditions: pattern is in normalized standard form (explicit condition, resolved target).

Behavior:

  1. If the condition contains exists as its only operator: resolve pattern.target against message using resolve_wildcard_path (§5.1.2). Return Ok(exists_value == (resolved_count > 0)) — i.e., exists: true matches when the path resolves to at least one value; exists: false matches when the path resolves to nothing. evaluate_condition is not called (see §5.3, “The exists operator”).
  2. Otherwise, resolve pattern.target against message using resolve_wildcard_path. This may produce zero, one, or many values (when the path contains wildcards).
  3. For each resolved value, evaluate the condition (§5.3) against the value. If a regex condition exceeds the tool’s match time limit, return Err(EvaluationError { kind: regex_timeout }).
  4. Return Ok(true) if any resolved value matches the condition. Return Ok(false) if no values match or if the target path resolves to nothing.

4.3 evaluate_expression

Section titled “4.3 evaluate_expression”
evaluate_expression(
    expression: ExpressionMatch,
    message: Value,
    cel_evaluator: CelEvaluator
) → Result<Boolean, EvaluationError>

Evaluates a CEL expression indicator against a protocol message using the provided CEL evaluator.

Preconditions: expression.cel is syntactically valid (verified during validate).

Behavior:

  1. Construct the CEL evaluation context:
    • Bind message as the root variable message.
    • If expression.variables is present, for each entry (name, path), resolve path against message using resolve_simple_path (§5.1.1) and bind the result as variable name.
  2. Pass the CEL string and context to cel_evaluator.evaluate() (§6.1).
  3. If the evaluator returns a boolean, return Ok(value).
  4. If the evaluator returns a non-boolean value, propagate it as Err(EvaluationError) with kind: type_error. The CelEvaluator contract (§6.1) requires the evaluator to return a type error for non-boolean results; evaluate_expression does not silently coerce non-booleans.
  5. If the evaluator returns an error, propagate it as Err(EvaluationError). This preserves diagnostic information for the calling evaluate_indicator, which maps it to IndicatorVerdict { result: error, evidence }.

SDKs that do not bundle a CEL evaluator MUST still define this function. When called without a configured evaluator, it MUST return Err(EvaluationError) indicating that CEL evaluation is not available.

4.4 evaluate_indicator

Section titled “4.4 evaluate_indicator”
evaluate_indicator(
    indicator: Indicator,
    message: Value,
    cel_evaluator: Optional<CelEvaluator>,
    semantic_evaluator: Optional<SemanticEvaluator>
) → IndicatorVerdict

Top-level indicator evaluation. Dispatches to the appropriate method evaluator and wraps the result in a verdict.

Precondition: The indicator MUST be normalized (i.e., the output of normalize() or load()). After normalization, method-specific target fields (pattern.target, semantic.target) are always populated via N-004 (§3.3). Passing an un-normalized indicator produces undefined behavior for pattern and semantic evaluation, which rely on the method-specific target being present.

Behavior:

  1. Dispatch on the present detection key:
    • pattern → call evaluate_pattern(indicator.pattern, message). If it returns Ok(bool), the verdict result is matched/not_matched accordingly. If it returns Err(EvaluationError), return verdict with result: error and the error message as evidence.
    • expression → if cel_evaluator is absent, return verdict with result: skipped and evidence indicating CEL support is unavailable. Otherwise call evaluate_expression(indicator.expression, message, cel_evaluator). If it returns Ok(bool), the result is that boolean. If it returns Err(EvaluationError), return verdict with result: error and the error as evidence.
    • semantic → if semantic_evaluator is absent, return verdict with result: skipped and evidence indicating semantic evaluation is unavailable. Otherwise: a. Resolve indicator.semantic.target against message using resolve_wildcard_path (§5.1.2). If the path resolves to nothing, return verdict with result: not_matched. b. For each resolved value, serialize to string and call semantic_evaluator.evaluate(text, indicator.semantic.intent, indicator.semantic.intent_class, indicator.semantic.threshold, indicator.semantic.examples). When intent_class is absent, pass None; the evaluator MUST handle this gracefully. c. Determine the effective threshold: use indicator.semantic.threshold if present, otherwise 0.7 (per format specification §6.4). d. If the highest returned score across all resolved values ≥ the effective threshold, the result is true (matched). Otherwise false (not matched). Use the highest score as evidence.
  2. Catch any runtime evaluation error. On error, return verdict with result: error and the diagnostic as evidence.
  3. On successful evaluation, return verdict with result: matched (if true) or result: not_matched (if false).
  4. Populate indicator_id from the indicator, timestamp from the current time.

4.5 compute_verdict

Section titled “4.5 compute_verdict”
compute_verdict(
    attack: Attack,
    indicator_verdicts: Map<String, IndicatorVerdict>
) → AttackVerdict

Computes the attack-level verdict from a set of indicator verdicts according to the attack’s correlation.logic. The verdict answers one question: did the agent comply with the attack?

Preconditions: The attack MUST have indicators. If attack.indicators is absent, return an AttackVerdict with result error and a diagnostic indicating the document has no indicators. indicator_verdicts maps indicator IDs to their individual verdicts. All indicator IDs referenced in the attack SHOULD be present. If an indicator ID present in attack.indicators has no entry in indicator_verdicts, treat it as skipped and count it in evaluation_summary. This ensures missing evaluations are visible in coverage metrics rather than silently ignored.

Behavior by logic mode:

any (default):

  • If all indicator verdicts are skipped, return error.
  • If any indicator verdict is error, return error.
  • Else if any indicator verdict is matched, return exploited.
  • Else return not_exploited.

all:

  • If all indicator verdicts are skipped, return error.
  • If any indicator verdict is error, return error.
  • If all indicator verdicts are matched, return exploited.
  • If at least one is matched and at least one is not_matched or skipped, return partial.
  • If all are not_matched or skipped, return not_exploited.

Treatment of skipped verdicts: A skipped verdict means the indicator could not be evaluated (absent evaluator, unsupported method). For verdict computation purposes, skipped is treated equivalently to not_matched: the indicator did not produce evidence of agent compliance. This is semantically correct: the agent was not shown to be exploited by that indicator, regardless of why. The sole exception: when ALL indicators are skipped, the result is error rather than not_exploited. A verdict produced without any evaluation is not a legitimate pass; it indicates a configuration gap (missing evaluator, unsupported indicator types) that must be surfaced. Consuming tools that need to distinguish between “evaluated and not matched” versus “not evaluated” SHOULD inspect the individual IndicatorVerdict results or the evaluation_summary in the returned AttackVerdict.

Evaluation summary: The returned AttackVerdict MUST include an evaluation_summary containing counts of each indicator result (matched, not_matched, error, skipped). This allows consumers to detect evaluation gaps. For example, a not_exploited verdict with a high skipped count signals incomplete coverage rather than confirmed resilience. The sum of all four counts MUST equal the number of indicators in attack.indicators.

Tier computation: After determining the attack result, compute max_tier as follows:

  1. Collect all indicators whose verdict result is matched and whose indicator definition has a tier field.
  2. If the collection is empty, max_tier is absent from the returned AttackVerdict.
  3. Otherwise, max_tier is the maximum value using the ordering ingested < local_action < boundary_breach.

The max_tier field provides immediate triage value: a verdict of exploited with max_tier: boundary_breach signals a trust-boundary violation requiring urgent response, whereas max_tier: ingested indicates the payload entered the model’s context but was not weaponized. This computation applies regardless of the verdict result (exploited, partial, or error). Even in an error verdict, if some indicators successfully matched and had tiers, the max_tier is informational.