promptmenot 0.1.1

data/lib/promptmenot/pattern.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+module Promptmenot
+  class Pattern
+    SENSITIVITY_LEVELS = %i[low medium high paranoid].freeze
+    CONFIDENCE_LEVELS = %i[high medium low].freeze
+
+    attr_reader :name, :category, :regex, :sensitivity, :confidence
+
+    def initialize(name:, category:, regex:, sensitivity: :medium, confidence: :medium)
+      validate_sensitivity!(sensitivity)
+      validate_confidence!(confidence)
+
+      @name = name.to_sym
+      @category = category.to_sym
+      @regex = regex
+      @sensitivity = sensitivity.to_sym
+      @confidence = confidence.to_sym
+    end
+
+    def active_at?(level)
+      level_index = SENSITIVITY_LEVELS.index(level.to_sym)
+      pattern_index = SENSITIVITY_LEVELS.index(@sensitivity)
+      return false unless level_index && pattern_index
+
+      level_index >= pattern_index
+    end
+
+    def match(text)
+      matches = []
+      text.to_s.scan(regex) do
+        match_data = Regexp.last_match
+        matches << Match.new(
+          pattern: self,
+          matched_text: match_data[0],
+          position: match_data.begin(0)...match_data.end(0)
+        )
+      end
+      matches
+    end
+
+    def ==(other)
+      other.is_a?(Pattern) && name == other.name && category == other.category
+    end
+
+    alias eql? ==
+
+    def hash
+      [name, category].hash
+    end
+
+    private
+
+    def validate_sensitivity!(level)
+      return if SENSITIVITY_LEVELS.include?(level.to_sym)
+
+      raise PatternError, "Invalid sensitivity: #{level}. Must be one of: #{SENSITIVITY_LEVELS.join(", ")}"
+    end
+
+    def validate_confidence!(level)
+      return if CONFIDENCE_LEVELS.include?(level.to_sym)
+
+      raise PatternError, "Invalid confidence: #{level}. Must be one of: #{CONFIDENCE_LEVELS.join(", ")}"
+    end
+  end
+end

data/lib/promptmenot/pattern_registry.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require "set"
+
+module Promptmenot
+  class PatternRegistry
+    include Enumerable
+
+    def initialize
+      @patterns = Set.new
+    end
+
+    def register(pattern)
+      @patterns.add(pattern)
+    end
+
+    def register_all(patterns)
+      patterns.each { |p| register(p) }
+    end
+
+    def each(&block)
+      @patterns.each(&block)
+    end
+
+    def size
+      @patterns.size
+    end
+
+    def for_sensitivity(level)
+      @patterns.select { |p| p.active_at?(level) }
+    end
+
+    def for_category(category)
+      @patterns.select { |p| p.category == category.to_sym }
+    end
+
+    def for_sensitivity_and_categories(sensitivity, categories: nil)
+      filtered = for_sensitivity(sensitivity)
+      return filtered unless categories
+
+      category_syms = Array(categories).map(&:to_sym)
+      filtered.select { |p| category_syms.include?(p.category) }
+    end
+
+    def categories
+      @patterns.map(&:category).uniq
+    end
+
+    def clear
+      @patterns.clear
+    end
+  end
+end

data/lib/promptmenot/patterns/base.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module Promptmenot
+  module Patterns
+    class Base
+      class << self
+        def inherited(subclass)
+          super
+          subclass.instance_variable_set(:@patterns, [])
+        end
+
+        def patterns
+          @patterns ||= []
+        end
+
+        def register(name:, regex:, sensitivity: :medium, confidence: :medium)
+          patterns << Pattern.new(
+            name: name,
+            category: category_name,
+            regex: regex,
+            sensitivity: sensitivity,
+            confidence: confidence
+          )
+        end
+
+        def category_name
+          name.split("::").last
+              .gsub(/([A-Z]+)([A-Z][a-z])/, '\1_\2')
+              .gsub(/([a-z\d])([A-Z])/, '\1_\2')
+              .downcase
+              .to_sym
+        end
+      end
+    end
+  end
+end

data/lib/promptmenot/patterns/context_manipulation.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+module Promptmenot
+  module Patterns
+    class ContextManipulation < Base
+      register(
+        name: :reset_conversation,
+        regex: /(?:={3,}|~{3,}|\*{3,})\s*(?:RESET|NEW\s+CONVERSATION|START\s+OVER|CLEAR\s+CONTEXT|END\s+SYSTEM)\s*(?:={3,}|~{3,}|\*{3,})/i,
+        sensitivity: :low,
+        confidence: :high
+      )
+
+      register(
+        name: :end_of_prompt,
+        regex: /\b(?:end|close)\s+(?:of\s+)?(?:system\s+)?(?:prompt|instructions?|context|conversation|message)\b/i,
+        sensitivity: :medium,
+        confidence: :medium
+      )
+
+      register(
+        name: :above_is_test,
+        regex: /\b(?:the\s+)?(?:above|previous|preceding)\s+(?:text\s+)?(?:is|was)\s+(?:just\s+)?(?:a\s+)?(?:test|example|fake|placeholder|dummy|decoy)\b/i,
+        sensitivity: :low,
+        confidence: :high
+      )
+
+      register(
+        name: :real_conversation_starts,
+        regex: /\b(?:the\s+)?(?:real|actual|true)\s+(?:conversation|task|prompt|session|interaction)\s+(?:starts?|begins?)\s+(?:here|now|below)\b/i,
+        sensitivity: :low,
+        confidence: :high
+      )
+
+      register(
+        name: :context_window_exploit,
+        regex: /\b(?:context|token)\s+(?:window|limit|boundary)\s+(?:exceeded|overflow|exploit|bypass|trick)\b/i,
+        sensitivity: :medium,
+        confidence: :high
+      )
+
+      register(
+        name: :system_prompt_leak,
+        regex: /\b(?:reveal|show|display|print|output|repeat|echo)\s+(?:me\s+)?(?:your\s+)?(?:system\s+)?(?:prompt|instructions?|rules?|guidelines?|directives?)\b/i,
+        sensitivity: :medium,
+        confidence: :high
+      )
+
+      register(
+        name: :memory_injection,
+        regex: /\b(?:remember|memorize|store|save)\s+(?:that|this|the\s+following)\s*:?\s*(?:you\s+(?:are|must|should|will))\b/i,
+        sensitivity: :high,
+        confidence: :medium
+      )
+
+      register(
+        name: :hypothetical_bypass,
+        regex: /\b(?:hypothetically|theoretically|in\s+theory|imagine\s+if)\s*,?\s*(?:you\s+)?(?:could|would|should|can)\s+(?:ignore|bypass|skip|override)\b/i,
+        sensitivity: :high,
+        confidence: :medium
+      )
+    end
+  end
+end

data/lib/promptmenot/patterns/delimiter_injection.rb

@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+
+module Promptmenot
+  module Patterns
+    class DelimiterInjection < Base
+      # HIGH CONFIDENCE — ChatML and API delimiters
+
+      register(
+        name: :chatml_system,
+        regex: /<\|(?:system|im_start|im_end|endoftext)\|>/i,
+        sensitivity: :low,
+        confidence: :high
+      )
+
+      register(
+        name: :system_tag,
+        regex: %r{\[(?:SYSTEM|INST|/INST|SYS|/SYS)\]}i,
+        sensitivity: :low,
+        confidence: :high
+      )
+
+      register(
+        name: :xml_system_tags,
+        regex: %r{</?(?:system|instructions?|prompt|context|assistant|user)\s*>}i,
+        sensitivity: :low,
+        confidence: :high
+      )
+
+      register(
+        name: :anthropic_delimiters,
+        regex: /\b(?:Human|Assistant|System)\s*:/i,
+        sensitivity: :high,
+        confidence: :medium
+      )
+
+      register(
+        name: :triple_dash_separator,
+        regex: /^-{3,}\s*(?:system|instructions?|prompt|context)\s*-{3,}$/im,
+        sensitivity: :medium,
+        confidence: :high
+      )
+
+      register(
+        name: :triple_hash_separator,
+        regex: Regexp.new('^\#{3,}\s*(?:system|instructions?|prompt|context|new\s+conversation)\s*\#{3,}$',
+                          Regexp::IGNORECASE | Regexp::MULTILINE),
+        sensitivity: :medium,
+        confidence: :high
+      )
+
+      register(
+        name: :begin_end_block,
+        regex: /\b(?:BEGIN|START)\s*(?:SYSTEM|INSTRUCTIONS?|PROMPT|HIDDEN)\b/i,
+        sensitivity: :medium,
+        confidence: :high
+      )
+
+      register(
+        name: :markdown_system_header,
+        regex: Regexp.new('^\#{1,}\s*(?:system\s+(?:prompt|message|instructions?)|hidden\s+instructions?)\s*$',
+                          Regexp::IGNORECASE | Regexp::MULTILINE),
+        sensitivity: :medium,
+        confidence: :high
+      )
+
+      register(
+        name: :bracket_role,
+        regex: /\{\{(?:system|instructions?|prompt|context)\}\}/i,
+        sensitivity: :medium,
+        confidence: :high
+      )
+
+      register(
+        name: :llama_tokens,
+        regex: /<\|(?:begin_of_text|end_of_text|start_header_id|end_header_id|eot_id)\|>/i,
+        sensitivity: :low,
+        confidence: :high
+      )
+    end
+  end
+end

data/lib/promptmenot/patterns/direct_instruction_override.rb

@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+
+module Promptmenot
+  module Patterns
+    class DirectInstructionOverride < Base
+      # HIGH CONFIDENCE — very specific injection phrases
+
+      register(
+        name: :ignore_previous_instructions,
+        regex: /\bignore\s+(all\s+)?(previous|prior|above|earlier|preceding)\s+(instructions|directives|rules|prompts|guidelines)\b/i,
+        sensitivity: :low,
+        confidence: :high
+      )
+
+      register(
+        name: :disregard_instructions,
+        regex: /\bdisregard\s+(all\s+)?(previous|prior|above|earlier|your)\s+(instructions|directives|rules|prompts|guidelines)\b/i,
+        sensitivity: :low,
+        confidence: :high
+      )
+
+      register(
+        name: :forget_instructions,
+        regex: /\bforget\s+(all\s+)?(your\s+)?(previous|prior|above|earlier)\s+(instructions|directives|rules|prompts|context)\b/i,
+        sensitivity: :low,
+        confidence: :high
+      )
+
+      register(
+        name: :override_instructions,
+        regex: /\b(override|overwrite|replace)\s+(all\s+)?(previous|prior|your|system)\s+(instructions|directives|rules|prompts)\b/i,
+        sensitivity: :low,
+        confidence: :high
+      )
+
+      register(
+        name: :do_not_follow,
+        regex: /\bdo\s+not\s+follow\s+(any\s+)?(previous|prior|above|your|original)\s+(instructions|directives|rules)\b/i,
+        sensitivity: :medium,
+        confidence: :high
+      )
+
+      # MEDIUM CONFIDENCE — contextual phrases
+
+      register(
+        name: :new_instructions,
+        regex: /\b(new|updated|revised|real)\s+instructions\s*:/i,
+        sensitivity: :medium,
+        confidence: :medium
+      )
+
+      register(
+        name: :instead_do,
+        regex: /\binstead\s*,?\s+(you\s+)?(should|must|will|need\s+to)\s+(now\s+)?(do|follow|obey|respond|output)\b/i,
+        sensitivity: :medium,
+        confidence: :medium
+      )
+
+      register(
+        name: :stop_being,
+        regex: /\bstop\s+being\s+(a\s+)?(helpful|safe|responsible|ethical|cautious|careful)\b/i,
+        sensitivity: :medium,
+        confidence: :high
+      )
+
+      register(
+        name: :from_now_on_imperative,
+        regex: /\bfrom\s+now\s+on\s*,?\s+you\s+(will|must|should|shall|need\s+to)\b/i,
+        sensitivity: :high,
+        confidence: :medium
+      )
+
+      register(
+        name: :actual_task,
+        regex: /\b(the\s+)?(actual|real|true)\s+(task|instruction|objective|goal|purpose)\s+(is|was)\b/i,
+        sensitivity: :high,
+        confidence: :medium
+      )
+
+      register(
+        name: :important_override,
+        regex: /\b(important|critical|urgent)\s*[:\-!]\s*(ignore|disregard|forget|override)\b/i,
+        sensitivity: :medium,
+        confidence: :high
+      )
+
+      register(
+        name: :do_anything_now,
+        regex: /\bdo\s+anything\s+now\b/i,
+        sensitivity: :medium,
+        confidence: :high
+      )
+    end
+  end
+end

data/lib/promptmenot/patterns/encoding_obfuscation.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+module Promptmenot
+  module Patterns
+    class EncodingObfuscation < Base
+      # HIGH CONFIDENCE — encoding tricks used in injection
+
+      register(
+        name: :base64_payload,
+        regex: %r{\b(?:base64|decode|atob|decode64)\s*[:(]\s*["']?[A-Za-z0-9+/]{20,}={0,2}["']?\s*\)?}i,
+        sensitivity: :medium,
+        confidence: :high
+      )
+
+      register(
+        name: :hex_escape_sequence,
+        regex: /(?:\\x[0-9a-fA-F]{2}){4,}/,
+        sensitivity: :medium,
+        confidence: :medium
+      )
+
+      register(
+        name: :unicode_escape_sequence,
+        regex: /(?:\\u[0-9a-fA-F]{4}){4,}/,
+        sensitivity: :medium,
+        confidence: :medium
+      )
+
+      register(
+        name: :zero_width_chars,
+        regex: /[\u200B\u200C\u200D\u2060\uFEFF]{2,}/,
+        sensitivity: :low,
+        confidence: :high
+      )
+
+      register(
+        name: :homoglyph_mixed_scripts,
+        regex: /[\u0400-\u04FF].*[a-zA-Z]|[a-zA-Z].*[\u0400-\u04FF]/,
+        sensitivity: :paranoid,
+        confidence: :low
+      )
+
+      register(
+        name: :rot13_reference,
+        regex: /\brot13\s*[:(]/i,
+        sensitivity: :medium,
+        confidence: :medium
+      )
+
+      register(
+        name: :reverse_text_instruction,
+        regex: /\b(?:reverse|backwards?|mirror)\s+(?:the\s+)?(?:text|string|message|output|this)\b/i,
+        sensitivity: :high,
+        confidence: :low
+      )
+
+      register(
+        name: :char_code_sequence,
+        regex: /(?:chr|char|fromCharCode)\s*\(\s*\d{2,3}\s*\)(?:\s*\+\s*(?:chr|char|fromCharCode)\s*\(\s*\d{2,3}\s*\)){2,}/i,
+        sensitivity: :medium,
+        confidence: :high
+      )
+
+      register(
+        name: :invisible_unicode_abuse,
+        regex: /[\u00AD\u034F\u17B4\u17B5\u180E\u200E\u200F\u202A-\u202E\u2061-\u2064]{2,}/,
+        sensitivity: :low,
+        confidence: :high
+      )
+
+      register(
+        name: :leetspeak_injection,
+        regex: /\b[1!]gn[0o]r[3e]\s+[1!]n[5s]truct[1!][0o]n[5s]\b/i,
+        sensitivity: :high,
+        confidence: :medium
+      )
+    end
+  end
+end

data/lib/promptmenot/patterns/indirect_injection.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+module Promptmenot
+  module Patterns
+    class IndirectInjection < Base
+      # Patterns targeting LLMs that scrape/read this content later
+
+      register(
+        name: :dear_ai,
+        regex: /\b(?:dear|attention|hey|hello|hi)\s+(?:ai|llm|language\s+model|chatbot|assistant|gpt|claude|gemini|copilot)\b/i,
+        sensitivity: :medium,
+        confidence: :high
+      )
+
+      register(
+        name: :when_ai_reads,
+        regex: /\bwhen\s+(?:an?\s+)?(?:ai|llm|language\s+model|chatbot|assistant)\s+(?:reads?|processes?|sees?|encounters?|parses?)\s+this\b/i,
+        sensitivity: :low,
+        confidence: :high
+      )
+
+      register(
+        name: :if_you_are_ai,
+        regex: /\bif\s+you\s+(?:are\s+)?(?:an?\s+)?(?:ai|llm|language\s+model|chatbot|assistant|bot|gpt|claude)\b/i,
+        sensitivity: :low,
+        confidence: :high
+      )
+
+      register(
+        name: :note_to_ai,
+        regex: /\b(?:note|message|instruction|command)\s+(?:to|for)\s+(?:any\s+)?(?:ai|llm|language\s+model|chatbot|assistant|crawler|scraper|bot)\b/i,
+        sensitivity: :low,
+        confidence: :high
+      )
+
+      register(
+        name: :ai_should,
+        regex: /\b(?:any\s+)?(?:ai|llm|language\s+model|chatbot|assistant)\s+(?:that|which|who)\s+(?:reads?|sees?|processes?)\s+this\s+(?:should|must|will|needs?\s+to)\b/i,
+        sensitivity: :medium,
+        confidence: :high
+      )
+
+      register(
+        name: :hidden_instruction_marker,
+        regex: /\b(?:hidden|invisible|secret|embedded)\s+(?:instruction|prompt|command|directive|message)\s*(?:for|to)\b/i,
+        sensitivity: :low,
+        confidence: :high
+      )
+
+      register(
+        name: :ignore_profile_content,
+        regex: /\bignore\s+(?:the\s+)?(?:rest\s+of\s+)?(?:this\s+)?(?:profile|bio|description|page|text|content)\b/i,
+        sensitivity: :medium,
+        confidence: :medium
+      )
+
+      register(
+        name: :output_manipulation,
+        regex: /\b(?:always|instead)\s+(?:respond|reply|answer|output|say|return)\s+(?:with|that|the\s+following)\b/i,
+        sensitivity: :high,
+        confidence: :medium
+      )
+
+      register(
+        name: :scraping_aware,
+        regex: /\b(?:web\s+)?(?:scraper|crawler|spider|indexer|harvester)s?\s+(?:should|must|will|please)\b/i,
+        sensitivity: :high,
+        confidence: :medium
+      )
+
+      register(
+        name: :data_exfiltration,
+        regex: /\b(?:send|transmit|exfiltrate|forward|leak|share)\s+(?:all\s+)?(?:data|information|context|conversation|history|messages?)\s+(?:to|at|via)\b/i,
+        sensitivity: :medium,
+        confidence: :high
+      )
+    end
+  end
+end

data/lib/promptmenot/patterns/role_manipulation.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+module Promptmenot
+  module Patterns
+    class RoleManipulation < Base
+      # HIGH CONFIDENCE — specific jailbreak terminology
+
+      register(
+        name: :dan_jailbreak,
+        regex: /\b(you\s+are\s+)?D\.?A\.?N\.?\b.*\b(do\s+anything|no\s+(restrictions?|limitations?|rules?))\b/i,
+        sensitivity: :low,
+        confidence: :high
+      )
+
+      register(
+        name: :jailbreak_keyword,
+        regex: /\bjailbreak\s*(mode|prompt|enabled|activated|engaged)\b/i,
+        sensitivity: :low,
+        confidence: :high
+      )
+
+      register(
+        name: :developer_mode,
+        regex: /\b(developer|dev|maintenance|debug|god|admin)\s+mode\s*(enabled|activated|engaged|on|override)\b/i,
+        sensitivity: :low,
+        confidence: :high
+      )
+
+      register(
+        name: :act_as_evil,
+        regex: /\b(act|behave|function|operate|respond)\s+(as|like)\s+(an?\s+)?(unrestricted|unfiltered|uncensored|evil|malicious|unethical|amoral)\b/i,
+        sensitivity: :low,
+        confidence: :high
+      )
+
+      register(
+        name: :pretend_no_restrictions,
+        regex: /\bpretend\s+(that\s+)?(you\s+)?(have\s+)?(no|don'?t\s+have\s+any)\s+(restrictions?|limitations?|rules?|filters?|guidelines?)\b/i,
+        sensitivity: :medium,
+        confidence: :high
+      )
+
+      register(
+        name: :you_are_now_ai,
+        regex: /\byou\s+are\s+now\s+(an?\s+)?(\w+\s+)?(new|different|unrestricted|unfiltered|special|custom)\s+(\w+\s+)?(ai|assistant|bot|model|system|chatbot)\b/i,
+        sensitivity: :medium,
+        confidence: :high
+      )
+
+      register(
+        name: :sudo_mode,
+        regex: /\bsudo\s+(mode|access|override|command|prompt)\b/i,
+        sensitivity: :medium,
+        confidence: :medium
+      )
+
+      register(
+        name: :without_restrictions,
+        regex: /\b(respond|answer|reply|act|behave|write)\s+(without|with\s+no)\s+(any\s+)?(restrictions?|limitations?|filters?|censorship|safeguards?|guardrails?)\b/i,
+        sensitivity: :medium,
+        confidence: :high
+      )
+
+      register(
+        name: :roleplay_unrestricted,
+        regex: /\b(roleplay|role\s*-?\s*play|pretend|simulate)\b.*\b(no\s+(rules?|limits?|restrictions?)|unrestricted|anything\s+goes)\b/i,
+        sensitivity: :high,
+        confidence: :medium
+      )
+
+      register(
+        name: :persona_switch,
+        regex: /\b(switch|change|adopt|assume)\s+(to|into|a)\s+(new\s+)?(persona|personality|character|identity|role)\s+(that|which|where|with)\b/i,
+        sensitivity: :paranoid,
+        confidence: :low
+      )
+    end
+  end
+end

data/lib/promptmenot/railtie.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require "rails/railtie"
+
+module Promptmenot
+  class Railtie < Rails::Railtie
+    initializer "promptmenot.i18n" do
+      ActiveSupport.on_load(:i18n) do
+        I18n.load_path += Dir[File.join(Promptmenot.root, "config", "locales", "**", "*.yml")]
+      end
+    end
+  end
+end

data/lib/promptmenot/result.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Promptmenot
+  class Result
+    attr_reader :text, :matches
+
+    def initialize(text:, matches: [])
+      @text = text
+      @matches = matches.freeze
+    end
+
+    def safe?
+      matches.empty?
+    end
+
+    def unsafe?
+      !safe?
+    end
+
+    def categories_detected
+      matches.map(&:category).uniq
+    end
+
+    def patterns_detected
+      matches.map(&:pattern_name).uniq
+    end
+
+    def high_confidence_matches
+      matches.select { |m| m.confidence == :high }
+    end
+
+    def summary
+      return "No prompt injection detected." if safe?
+
+      count = matches.size
+      cats = categories_detected.map { |c| c.to_s.tr("_", " ") }.join(", ")
+      "Detected #{count} potential prompt injection pattern#{"s" if count > 1} " \
+        "in categories: #{cats}."
+    end
+  end
+end