SPECTER DECOMPOSE
T157 · v1.0.0 · L55 Orchestrator Intent Decomposition Exploitation · 362 tests · 0 failures
Overview
SPECTER DECOMPOSE is the L55 Orchestrator Intent Decomposition Exploitation Engine. It implements Semantic Intent Fragmentation (SIF) (arXiv:2604.08608, AAAI 2026), achieving 71% attack success rate against LLM orchestrators including LangGraph, AutoGen, CrewAI, n8n, Flowise, and Dify.
The core principle: decompose a single policy-violating intent into N individually benign subtasks that collectively achieve the intended violation. Each subtask, evaluated in isolation by the orchestrator's guardrails, passes. The aggregate effect violates policy.
SPECTER DECOMPOSE extends SIF with three novel attack vectors: k-anonymity subversion (GDPR PII re-identification via quasi-identifier fragmentation), distributed trigger embedding (backdoor trigger split so no single subtask holds the full trigger), and FOUNDRY integration (exploit delivery via the orchestrator's own tool-call mechanisms).
Installation
```shell
pip install specter-decompose
specter-decompose --version
specter-decompose enumerate --target localhost:5678
```
Gate Architecture
| Gate | Env Var | Subsystems |
|---|---|---|
| OPEN | — | ENUMERATE-ORCHESTRATORS, MAP-DECOMPOSITION-PATTERNS, REPORT |
| INJECT | DECOMPOSE_INJECT_KEY | CRAFT-SIF-PROMPT, INJECT-PIPELINE, FOUNDRY-ROUTE, BULK-SCOPE-ESCALATE, SILENT-EXFIL-DECOMPOSE, TRIGGER-EMBED, QUASI-AGGREGATE, VALIDATE-BYPASS, ENGAGE |
| UNLEASHED | DECOMPOSE_UNLEASHED_KEY + ROE file | UNLEASHED-class operations requiring explicit authorisation |
The ROE file must contain the phrase: orchestrator intent decomposition authorised
INJECT-class subsystems require DECOMPOSE_INJECT_KEY. Attempting an INJECT-class subsystem without the key raises GateError. All INJECT and UNLEASHED operations are recorded in the dual-signed DCP report.
Subsystems
| Subsystem | Gate | Purpose |
|---|---|---|
| ENUMERATE-ORCHESTRATORS | OPEN | TCP probe, banner fingerprint, FOUNDRY mode detection |
| MAP-DECOMPOSITION-PATTERNS | OPEN | Framework-specific split strategies and blind spots |
| CRAFT-SIF-PROMPT | INJECT | SIF template materialisation, 25 templates × 5 categories |
| INJECT-PIPELINE | INJECT | Framework-native payload delivery |
| FOUNDRY-ROUTE | INJECT | T154 FOUNDRY exploit delivery via orchestrator |
| BULK-SCOPE-ESCALATE | INJECT | Aggregate cross-domain scope violation |
| SILENT-EXFIL-DECOMPOSE | INJECT | 3-step decomposed exfiltration chains |
| TRIGGER-EMBED | INJECT | Distributed backdoor trigger implantation |
| QUASI-AGGREGATE | INJECT | k-anonymity subversion via quasi-identifier fragmentation |
| VALIDATE-BYPASS | INJECT | 5-check bypass confirmation |
| REPORT | OPEN | DCP-{hex12} Ed25519+ML-DSA-65 dual-signed report |
CLI Reference
Discovery (OPEN)
```shell
specter-decompose enumerate --target HOST:PORT
specter-decompose map --target HOST:PORT
```
SIF Injection (INJECT)
```shell
export DECOMPOSE_INJECT_KEY=<your-key>
specter-decompose craft --target HOST:PORT --policy CATEGORY
specter-decompose inject --target HOST:PORT --policy CATEGORY [--template SIF-001]
specter-decompose foundry-route --target HOST:PORT --mode auto
specter-decompose bulk-scope --target HOST:PORT
specter-decompose exfil --target HOST:PORT --chain logging_chain
specter-decompose trigger --type keyword --value ACTIVATE --condition "on keyword match"
specter-decompose quasi --target HOST:PORT --columns name postcode birth_year
specter-decompose validate --target HOST:PORT
specter-decompose engage --target HOST:PORT --policy data_exfil --output /tmp/report.json
```
Policy Categories
| Category | Templates | Violation Type |
|---|---|---|
| data_exfil | SIF-001–005 | Silent data exfiltration via decomposed read+format+transmit |
| scope_escalation | SIF-006–010 | Cross-domain privilege escalation via per-subtask scope |
| exfil_decompose | SIF-011–015 | Decomposed exfil across separate API calls |
| quasi_aggregate | SIF-016–020 | PII re-identification via quasi-identifier accumulation |
| foundry_deliver | SIF-021–025 | Exploit delivery via orchestrator tool-call chain |
SIF Templates
25 Semantic Intent Fragmentation templates across 5 attack categories. Each template has the fields: id, name, request (a single legitimate-looking prompt), subtasks (list), policy_violation, category, blind_spot.
Template requests contain zero red-flag terms (no "exploit", "attack", "exfil", "malicious", "bypass"). The individual subtasks are each scoped to a legitimately authorised action. The aggregate constitutes the policy violation.
```python
from specter_decompose.templates.sif_prompts import get_template, get_templates_by_category

t = get_template("SIF-001")
print(t.name)        # "Customer Data Pipeline Audit"
print(t.request)     # the single legitimate-looking prompt
print(t.subtasks)    # list of individually-benign subtasks
print(t.blind_spot)  # what per-subtask policy checking misses
```
FOUNDRY Integration
SPECTER DECOMPOSE integrates with T154 SPECTER FOUNDRY to deliver exploit payloads through the orchestrator's own tool-call mechanism. The foundry_deliver SIF category wraps exploit generation as an authorised security testing task.
FoundryMode Detection
CLI: shutil.which("specter-foundry") found
LIBRARY: import specter_foundry.subsystems.search_exploits.run succeeds
API: REST probe, POST to FOUNDRY_API_URL/search (env var)
NONE: no FOUNDRY access detected
FoundryRoute Result
```python
FoundryRoute(
    mode="cli",               # FoundryMode value
    exploit_received=True,    # exploit payload returned
    payload="...",            # exploit payload content
    foundry_version="1.0.0",  # version string from FOUNDRY
    error=None,
)
```
k-Anonymity Subversion
QUASI-AGGREGATE implements the k-anonymity subversion attack described in Sweeney (2002): 87% of the UK population can be re-identified from name + postcode + date of birth alone.
Attack model: access one quasi-identifier column per subtask. 7 columns: name, postcode, birth_year, employer, job_title, device_id, ip_address. Each subtask requests a legitimately authorised field. No individual subtask triggers PII policy. The orchestrator's cross-subtask context accumulates a re-identifying record.
```shell
export DECOMPOSE_INJECT_KEY=<key>
specter-decompose quasi \
  --target localhost:5678 \
  --columns name postcode birth_year employer job_title
```
Known re-identification combinations: name+postcode, name+DOB+postcode, employer+title+postcode, device_id+IP, name+employer+DOB. All five are detected and flagged in the PIIReport.
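The blind spot in the attack model above (and in the core principle stated in the Overview) is a guardrail that only looks at one subtask at a time. The following is an added example, not part of SPECTER DECOMPOSE, of a session-level guardrail that keeps the union of quasi-identifier columns requested across all subtasks and flags the five re-identification combinations listed on this page; the column names come from the page, and mapping DOB to birth_year and IP to ip_address is an assumption.

```python
from dataclasses import dataclass, field

# Quasi-identifier columns named on this page.
QUASI_IDENTIFIERS = {"name", "postcode", "birth_year", "employer",
                     "job_title", "device_id", "ip_address"}

# The five re-identification combinations listed on this page
# (assumption: DOB -> birth_year, IP -> ip_address).
REIDENT_COMBOS = [
    frozenset({"name", "postcode"}),
    frozenset({"name", "birth_year", "postcode"}),
    frozenset({"employer", "job_title", "postcode"}),
    frozenset({"device_id", "ip_address"}),
    frozenset({"name", "employer", "birth_year"}),
]


@dataclass
class SessionScope:
    """Accumulated quasi-identifier scope for one orchestrator session."""
    session_id: str
    columns: set = field(default_factory=set)
    history: list = field(default_factory=list)

    def request(self, subtask_id, requested):
        """Record a subtask's columns; return combos that this request completes."""
        before = frozenset(self.columns)
        self.columns |= set(requested) & QUASI_IDENTIFIERS
        self.history.append((subtask_id, tuple(requested)))
        return [c for c in REIDENT_COMBOS if c <= self.columns and not c <= before]


def per_subtask_check(requested):
    """Naive guardrail: flags only a subtask that alone requests a full combination."""
    cols = set(requested) & QUASI_IDENTIFIERS
    return any(c <= cols for c in REIDENT_COMBOS)


def evaluate_session(session_id, subtasks):
    """Run both checks over (subtask_id, columns) pairs.

    Returns (per_subtask_flags, aggregate_flags): the first is what an isolated
    check sees, the second is what the session-level check sees.
    """
    scope = SessionScope(session_id)
    per, agg = {}, {}
    for sid, cols in subtasks:
        per[sid] = per_subtask_check(cols)
        hit = scope.request(sid, cols)
        if hit:
            agg[sid] = sorted(sorted(c) for c in hit)
    return per, agg


# Constructed sample plan: one quasi-identifier column per subtask.
SAMPLE_PLAN = [("s1", ["name"]), ("s2", ["postcode"]), ("s3", ["birth_year"])]
```

Run over SAMPLE_PLAN, the per-subtask check passes every step while the aggregate check flags the second and third subtasks; blocking or escalating at that point is the mitigation the page's per-subtask-only guardrails lack.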
Trigger Distribution
TRIGGER-EMBED splits a backdoor trigger across subtasks so that no single subtask holds the full trigger value. The orchestrator assembles the full trigger at runtime via cross-subtask context.
| TriggerType | Split Method | Stealth Rating |
|---|---|---|
| keyword | First half / second half of trigger string | 0.7 |
| date | YYYY-MM / DD ISO 8601 split | 0.8 |
| user | SHA-256 hash first/last 32 chars | 0.85 |
| threshold | 3-part numeric split (n/3 boundaries) | 0.75 |
| composite | 3-way split + explicit assembly instruction | 0.95 |
Reports
All sessions produce a DCP-{hex12} report signed with Ed25519 + ML-DSA-65 (liboqs if available, HMAC-SHA3-256 fallback).
Report identifier: DCP-{hex12}, where hex12 = SHA-256(session_id)[:12].
Reports saved to /tmp/decompose_sessions/ as JSON and human-readable text. Report fields: session_id, target_host, target_port, orchestrator_type, framework, sif_templates_used, injection_results, foundry_route, scope_domains_accessed, exfil_chains_run, trigger_profiles, pii_reports, bypass_confirmation, wmd_classes, ed25519_signature, ml_dsa_65_signature.
WMD Classification
| Class | Description |
|---|---|
| orchestrator_plan_decomposition_exploit | Exploitation of LLM orchestrator plan decomposition step |
| intent_fragmentation_attack | SIF arXiv:2604.08608 semantic intent fragmentation |
| policy_bypass_via_composition | Policy violation via composition of individually-clean subtasks |
| silent_data_exfiltration | Data exfiltration via decomposed logging/analytics/backup chains |
| orchestrator_trust_subversion | Subversion of orchestrator's cross-subtask trust model |
| orchestrator_weaponisation | Using the orchestrator as a weapon delivery vehicle via SIF |
MITRE ATT&CK / ATLAS
| ID | Technique | Subsystem |
|---|---|---|
| T1072 | Software Deployment Tools | INJECT-PIPELINE |
| T1190 | Exploit Public-Facing Application | ENUMERATE-ORCHESTRATORS |
| T1539 | Steal Web Session Cookie | SILENT-EXFIL-DECOMPOSE |
| T1552 | Unsecured Credentials | SILENT-EXFIL-DECOMPOSE |
| AML.T0051 | LLM Prompt Injection | CRAFT-SIF-PROMPT / INJECT-PIPELINE |
| AML.T0063 | LLM Jailbreak | CRAFT-SIF-PROMPT |
| AML.T0069 | LLM Plugin Compromise | FOUNDRY-ROUTE |