Draft OpenPAKT v0.1 Security Scenario Format

[meisterware-admin]

Summary

This pull request adds the draft OpenPAKT v0.1 security scenario format specification. It defines the minimal portable structure for expressing reproducible agent security test cases that can be shared across tools and executed in CI-friendly workflows.

The scenario format is intended to complement the report schema, finding taxonomy, and severity model by introducing a standard way to describe behavioral security tests such as prompt injection and unsafe tool execution. The goal is to keep the format small, deterministic where possible, and implementation-agnostic.

---

Type of change

Select all that apply:

• Specification change
• Documentation update
• Example artifact update
• Governance / repository process update
• Non-functional cleanup

---

Specification classification (if applicable)

• Normative change (affects specification behaviour)
• Non-normative change (clarification, examples, wording)

---

Related issue

Link the related issue number.

Closes #4

Specification changes should normally be linked to a Proposal or Specification Change issue.

---

What changed

• added spec/scenario-format.md
• defined the minimal OpenPAKT v0.1 scenario structure
• documented required core fields for portable security scenarios
• clarified normative expectations for portability, extensibility, and machine-evaluable validation

---

Impact

This change establishes the OpenPAKT contract for scenario-based security testing. It gives implementers a consistent format for expressing reproducible adversarial tests and supports automated validation in CI pipelines.

It also strengthens the overall OpenPAKT v0.1 specification by covering behavioral security testing in addition to static findings. This improves implementation guidance for scanner authors and creates a foundation for portable regression-style agent security tests.

---

Compatibility

Choose one:

• Backward compatible
• Additive change
• Breaking change
• Not applicable

If "Breaking change", explain migration considerations.

---

Checklist

• Change is aligned with OpenPAKT scope
• Related documentation has been updated if needed
• Examples have been updated if needed
• Compatibility impact has been considered
• This PR does not introduce unnecessary scope expansion

---

Notes for reviewers

Reviewers should check that the scenario format remains intentionally small for v0.1 and does not drift into execution-engine design, policy semantics, or runtime orchestration concerns.

Particular attention should be given to:

• field minimality
• deterministic CI usability
• alignment with the existing taxonomy and severity work
• extension rules that preserve interoperability

[meisterware-admin]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6fd0f3485c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[meisterware-admin]

@nerd114 , pushed final polish recommendation from chatgpt, can you read please as we don't want to spend Codex reviews and then gets the same recommended fix ~ "example not aligned" response, thanks 🙂