feat(context): add @atr provider for AI agent threat scanning

[eeee2345]

Summary

Adds an @atr context provider that scans the currently open file against the Agent Threat Rules (ATR) ruleset — 314 MIT-licensed YAML rules for AI agent threats (prompt injection, MCP tool poisoning, context exfiltration, skill-package compromise).

Invoking @atr in chat attaches each HIGH/CRITICAL rule match as a context item so the model sees the finding alongside the code.

Why this fits Continue

• Mirrors the shape of ProblemsContextProvider — reads current-file state, returns one ContextItem per finding.
• Optional dependency: agent-threat-rules is lazily imported. Users who don't install it see a one-line install hint; no bundle-size impact for users who don't use @atr.
• Zero network calls, zero telemetry — rules are loaded locally from the npm package.
• Complementary to @problems (TS/lint diagnostics); @atr targets AI-specific attack patterns that static analyzers don't cover.

Context on ATR

ATR is an open detection standard for AI agent threats. The ruleset is already integrated into two upstream ecosystems:

• cisco-ai-defense/skill-scanner ([CON-36] Move to left panel #79)
• microsoft/agent-governance-toolkit (java.lang.IllegalStateException: JCEF is not supported in this env or failed to initialize #908)

Benchmarks: 97.1% recall on NVIDIA garak's 666 in-the-wild jailbreak corpus; 100% recall on a 498-sample labeled SKILL.md benchmark; 0 false positives on a 432-sample benign skill corpus.

Source: https://github.com/Agent-Threat-Rule/agent-threat-rules
Paper: https://doi.org/10.5281/zenodo.19178002

Files

File	Change
core/context/providers/ATRSecurityContextProvider.ts	new, ~150 lines
core/context/providers/ATRSecurityContextProvider.test.ts	new, 4 jest cases
core/context/providers/index.ts	+2 lines (import + register)

Tests

cd core && npx jest context/providers/ATRSecurityContextProvider

Covers: HIGH/CRITICAL match surfacing, benign file reports "clean", missing dependency returns friendly install hint, missing open file handled gracefully.

Alternatives considered

If maintainers prefer external packaging over an in-tree provider, I can ship this as @continuedev/context-atr (or in the ATR org) using Continue's CustomContextProvider path. Opening here first to gauge preference — happy to pivot to an external package + a small docs PR linking to it.

Also happy to split into two PRs (provider + tests) or narrow scope if that fits the review cadence better.

---

Summary by cubic

Adds a new @atr context provider that scans the current file with the Agent Threat Rules and surfaces HIGH/CRITICAL findings as chat context items. This helps catch prompt injection, tool poisoning, and related threats with no network calls.

• New Features

  • Add ATRSecurityContextProvider and register as @atr.
  • Scans the open file and returns one context item per HIGH/CRITICAL rule match.
  • Graceful states: clean report, missing dependency hint, and no-open-file message.

• Dependencies

  • Optional: install agent-threat-rules to enable scanning — npm install agent-threat-rules.

^{Written for commit 91bcbb7. Summary will update on new commits.}

[github-actions]

Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.

---

I have read the CLA Document and I hereby sign the CLA

---

Panguard AI seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.}

[cubic-dev-ai]

2 issues found across 3 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="core/context/providers/ATRSecurityContextProvider.ts">

<violation number="1" location="core/context/providers/ATRSecurityContextProvider.ts:49">
P2: Failed engine initialization is cached permanently, so the provider cannot recover or retry after a transient load failure.</violation>

<violation number="2" location="core/context/providers/ATRSecurityContextProvider.ts:104">
P2: Empty open files are incorrectly treated as missing files due to a falsy check on `file.contents`.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review, or fix all with cubic.}

[cubic-dev-ai]

P2: Failed engine initialization is cached permanently, so the provider cannot recover or retry after a transient load failure.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At core/context/providers/ATRSecurityContextProvider.ts, line 49:

<comment>Failed engine initialization is cached permanently, so the provider cannot recover or retry after a transient load failure.</comment>

<file context>
@@ -0,0 +1,156 @@
+
+async function getEngine(): Promise<any> {
+  if (!enginePromise) {
+    enginePromise = (async () => {
+      try {
+        const mod = await import("agent-threat-rules");
</file context>

[cubic-dev-ai]

P2: Empty open files are incorrectly treated as missing files due to a falsy check on file.contents.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At core/context/providers/ATRSecurityContextProvider.ts, line 104:

<comment>Empty open files are incorrectly treated as missing files due to a falsy check on `file.contents`.</comment>

<file context>
@@ -0,0 +1,156 @@
+    }
+
+    const file = await extras.ide.getCurrentFile();
+    if (!file || !file.contents) {
+      return [
+        {
</file context>

Suggested change

	if (!file || !file.contents) {
	if (!file || file.contents === undefined) {