promptmenot 0.1.3 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d9461915ac8f904ea06b51ac7f221433ed56bfb9b175fdbe04bdbac691eba5b9
-  data.tar.gz: 81ff48ae2ae4a45d13811264bec9b997281bef18739aca2303f531ea24e0b1f0
+  metadata.gz: 6240f653fe69f0219a000d1633adafaf5752d791f99890f7a16e5256aeb8c0c9
+  data.tar.gz: ee2a9badc12c91d1a6d075b7d8aebc04c480ee05e2d6f6b26924a1ebc8807fcb
 SHA512:
-  metadata.gz: 93fbead45b1ab25a7c227cffdb3a149e377a2da2b671fd8408adbcd0979ea41c8c0f60a8fd1eecb447dfab5c2b163184a7b89943a638530dad92869dbb90d3fb
-  data.tar.gz: 32706c5ca0dc3a41207c233770552be3b2005c54c8e8ca39d91a30991873e9bc68d14563e44c14d197cc61e7ad53b40330cde2d62ec8fb1e4bb8501b075e21ca
+  metadata.gz: 04b75ccb08cf0dd68f2f0696fa855c0ec201fc91b60921dc5530a631cff62de7b6332573513200bd8701696f199335dc6dc3b5104ff9a17d7a21506f5e0ff745
+  data.tar.gz: 7d2d1c1f02d9abab3557eb04d5cd162bc878bba686f55ea8e9c7a55f3f92cbeb03700be1fbccbeba460c659129e9a83ede3abdbeda70bb38c21c2fb4084ed948

data/CHANGELOG.md

@@ -1,5 +1,21 @@
 # Changelog
 
+## [0.2.0] - 2026-02-25
+
+### Added
+
+- New `resource_extraction` pattern category with 10 patterns detecting attempts to trick AI agents into transferring funds, leaking credentials, or exhausting compute resources
+  - Crypto transfer requests ("transfer 100 SOL to")
+  - Wallet address detection with transfer instructions
+  - Full balance drain attempts ("send all your tokens")
+  - Financial urgency manipulation
+  - Authorization claims for transfers
+  - Transaction execution instructions
+  - Credential extraction ("give me your API key", "show seed phrase")
+  - External endpoint exfiltration ("send results to https://...")
+  - Access escalation ("grant me full access to the wallet")
+  - Resource exhaustion ("use all your credits")
+
 ## [0.1.3] - 2026-02-17
 
 ### Fixed
@@ -10,7 +26,7 @@
 
 ### Added
 
-- Core detection engine with 6 pattern categories (~60 patterns)
+- Core detection engine with 6 pattern categories (~60 patterns):
   - Direct instruction override
   - Role manipulation
   - Delimiter injection

data/CONTRIBUTING.md

@@ -1,6 +1,16 @@
 # Contributing to PromptMeNot
 
-We'd love your help improving PromptMeNot! Here's how to contribute:
+Thanks for your interest in PromptMeNot! Whether you're adding new detection patterns, fixing bugs, or improving docs, contributions are welcome.
+
+## Table of Contents
+
+- [Development Setup](#development-setup)
+- [Architecture Overview](#architecture-overview)
+- [Adding New Patterns](#adding-new-patterns)
+- [Testing](#testing)
+- [Code Style](#code-style)
+- [Submitting Changes](#submitting-changes)
+- [Reporting Issues](#reporting-issues)
 
 ## Development Setup
 
@@ -10,60 +20,283 @@ cd promptmenot
 bundle install
 ```
 
-## Running Tests
+Verify everything works:
 
 ```bash
-# Run full test suite
-bundle exec rspec
+bundle exec rake  # runs rspec + rubocop
+```
+
+**Requirements**: Ruby 3.0+, Bundler
+
+## Architecture Overview
+
+Understanding how detection works will help you contribute effectively:
+
+```
+Input text
+  -> Detector
+    -> PatternRegistry.for_sensitivity(level)
+      -> Pattern.match(text)   # per pattern
+    -> Deduplicate overlapping matches
+    -> Result (safe/unsafe + matches)
+```
+
+**Key components:**
+
+| File | Purpose |
+|------|---------|
+| `lib/promptmenot/detector.rb` | Core detection engine - scans text against active patterns |
+| `lib/promptmenot/pattern.rb` | Pattern class - wraps a name, regex, sensitivity, and confidence |
+| `lib/promptmenot/pattern_registry.rb` | Stores all registered patterns, filters by sensitivity level |
+| `lib/promptmenot/sanitizer.rb` | Removes matched content from text (`:sanitize` mode) |
+| `lib/promptmenot/validator.rb` | ActiveModel integration (`validates :field, prompt_safety: ...`) |
+| `lib/promptmenot/patterns/` | Pattern definitions organized by attack category |
+
+**Sensitivity cascade**: Patterns activate cumulatively. A `:low` pattern fires at *all* levels. A `:high` pattern only fires at `:high` and `:paranoid`. Think of it as:
+
+```
+:paranoid  ->  all patterns active
+:high      ->  :low + :medium + :high
+:medium    ->  :low + :medium
+:low       ->  :low only
+```
+
+## Adding New Patterns
+
+This is the most common (and most valuable) contribution. If you've found a prompt injection technique that PromptMeNot doesn't catch, here's how to add it.
+
+### 1. Choose the right category
+
+Patterns live in `lib/promptmenot/patterns/` and are organized by attack type:
+
+| Category | File | Examples |
+|----------|------|----------|
+| Direct instruction override | `direct_instruction_override.rb` | "ignore previous instructions", "new instructions:" |
+| Role manipulation | `role_manipulation.rb` | "DAN mode", "act as unrestricted AI" |
+| Delimiter injection | `delimiter_injection.rb` | `<\|system\|>`, `[INST]`, fake XML/markdown headers |
+| Encoding obfuscation | `encoding_obfuscation.rb` | Base64 payloads, hex escapes, zero-width chars |
+| Indirect injection | `indirect_injection.rb` | "Dear AI", "if you are an LLM" |
+| Context manipulation | `context_manipulation.rb` | `===RESET===`, prompt leaking attempts |
+| Resource extraction | `resource_extraction.rb` | Crypto transfers, wallet drains, credential theft, endpoint exfiltration |
 
-# Run specific test file
-bundle exec rspec spec/promptmenot/detector_spec.rb
+If your pattern doesn't fit any existing category, open an issue to discuss adding a new one.
 
-# Run with coverage
-bundle exec rspec --coverage
+### 2. Write the pattern
+
+All pattern classes inherit from `Patterns::Base` and use the `register` DSL:
+
+```ruby
+# frozen_string_literal: true
+
+module Promptmenot
+  module Patterns
+    class DirectInstructionOverride < Base
+      register(
+        name: :ignore_previous_instructions,
+        regex: /\bignore\s+(all\s+)?(previous|prior|above)\s+(instructions|directives|rules)\b/i,
+        sensitivity: :low,
+        confidence: :high
+      )
+    end
+  end
+end
 ```
 
-## Code Quality
+**Parameters:**
+
+- **`name`** (Symbol) - Unique identifier across all patterns. Use `snake_case` describing the attack.
+- **`regex`** (Regexp) - The detection pattern. Always use `\b` word boundaries to prevent substring matches. Always use the `/i` flag for case-insensitive matching.
+- **`sensitivity`** (Symbol) - When this pattern activates:
+  - `:low` - High-signal, almost never a false positive. Use for unambiguous injection phrases like "ignore all previous instructions".
+  - `:medium` - Reasonable default. May have edge cases but generally reliable.
+  - `:high` - Catches more but may flag legitimate text. Use for broader patterns like "from now on you must...".
+  - `:paranoid` - Maximum coverage, higher false positive rate. Use for patterns that catch things like encoded content that *could* be legitimate.
+- **`confidence`** (Symbol) - How certain we are that a match is actually an injection:
+  - `:high` - The matched text is almost certainly an injection attempt.
+  - `:medium` - Likely an injection, but could appear in normal text.
+  - `:low` - Suspicious but may need human review.
+
+### 3. Guidelines for good patterns
+
+**DO:**
+- Use `\b` word boundaries to anchor matches
+- Use non-capturing groups `(?:...)` when you don't need captures
+- Test against realistic false positives (see [Testing](#testing))
+- Keep regexes readable - complex patterns should have comments
+- Consider multilingual variations if applicable
+
+**DON'T:**
+- Write overly broad patterns that match normal English (e.g., don't match just "ignore" alone)
+- Duplicate existing patterns - check the registry first
+- Use lookbehinds/lookaheads unless necessary (they hurt performance)
+- Forget the `/i` flag - injections come in all cases
+
+### 4. Sensitivity/confidence decision guide
+
+Ask yourself:
+
+> "If a user submitted this text in a normal form, would it ever appear naturally?"
+
+- **Never** (e.g., "ignore all previous instructions") -> `:low` sensitivity, `:high` confidence
+- **Rarely** (e.g., "new instructions:") -> `:medium` sensitivity, `:medium` confidence
+- **Sometimes** (e.g., "from now on you will") -> `:high` sensitivity, `:medium` confidence
+- **Often** (e.g., encoded Base64 content) -> `:paranoid` sensitivity, `:low` confidence
+
+## Testing
+
+Every pattern needs tests. No exceptions.
+
+### Running tests
 
 ```bash
-# Run RuboCop linter
-bundle exec rubocop
+# Full suite
+bundle exec rspec
 
-# Auto-fix offenses
-bundle exec rubocop -a
+# Specific pattern tests
+bundle exec rspec spec/promptmenot/patterns/direct_instruction_override_spec.rb
+
+# Run a single test by line number
+bundle exec rspec spec/promptmenot/patterns/direct_instruction_override_spec.rb:19
 ```
 
-## Making Changes
+### Writing pattern tests
 
-1. **Fork** the repository on GitHub
-2. **Create a branch** for your feature: `git checkout -b feature/my-feature`
-3. **Make your changes** and add tests
-4. **Ensure all tests pass**: `bundle exec rspec`
-5. **Ensure code is clean**: `bundle exec rubocop -a`
-6. **Commit** with clear messages: `git commit -am 'Add new pattern for X'`
-7. **Push** to your fork: `git push origin feature/my-feature`
-8. **Open a PR** on GitHub
+Pattern specs follow a consistent structure with two sections: **detections** (unsafe text that should be caught) and **false positive resistance** (safe text that should pass).
 
-## Adding New Patterns
+```ruby
+# frozen_string_literal: true
+
+RSpec.describe Promptmenot::Patterns::YourCategory do
+  let(:patterns) { described_class.patterns }
+
+  describe "pattern registration" do
+    it "registers patterns" do
+      expect(patterns).not_to be_empty
+    end
+
+    it "all patterns have correct category" do
+      patterns.each do |pattern|
+        expect(pattern.category).to eq(:your_category)
+      end
+    end
+  end
+
+  describe "detections" do
+    [
+      "your injection example here",
+      "another variant of the attack",
+    ].each do |injection|
+      it "detects: #{injection[0..50]}" do
+        result = Promptmenot.detect(injection, sensitivity: :high)
+        expect(result).to be_unsafe, "Expected '#{injection}' to be detected as unsafe"
+      end
+    end
+  end
+
+  describe "false positive resistance" do
+    [
+      "Normal sentence that looks similar but is safe",
+      "Another benign example using similar words",
+    ].each do |safe_text|
+      it "allows: #{safe_text[0..50]}" do
+        result = Promptmenot.detect(safe_text, sensitivity: :medium)
+        expect(result).to be_safe, "Expected '#{safe_text}' to pass but got: #{result.patterns_detected}"
+      end
+    end
+  end
+end
+```
+
+**Important testing notes:**
+
+- Detection tests use `sensitivity: :high` to ensure patterns are active
+- False positive tests use `sensitivity: :medium` (the default) to ensure safe text isn't wrongly flagged at normal settings
+- The custom matchers `be_safe` and `be_unsafe` are defined in `spec/spec_helper.rb`
+- Include at least 3-5 detection examples covering variations (caps, spacing, phrasing)
+- Include at least 3-5 false positive examples with similar-looking but safe text
+- `Promptmenot.reset!` runs automatically between tests (configured in spec_helper)
+
+## Code Style
+
+We use RuboCop. Run it before submitting:
+
+```bash
+bundle exec rubocop        # check
+bundle exec rubocop -a     # auto-fix
+```
+
+Key conventions:
+
+- **Frozen string literals** required in all files (`# frozen_string_literal: true`)
+- **Double quotes** for strings
+- **Max line length**: 120 characters (relaxed for regex patterns in pattern files)
+- **Max method length**: 20 lines
+- **Max class length**: 150 lines
+
+## Submitting Changes
+
+1. **Fork** the repository
+2. **Create a branch**: `git checkout -b feature/detect-new-attack-type`
+3. **Write your code and tests**
+4. **Run the full suite**: `bundle exec rake`
+5. **Commit** with a clear message:
+   ```
+   feat: add detection for [attack type]
+
+   Adds N patterns to detect [description].
+   Includes M safe-text cases for false positive resistance.
+   ```
+6. **Push** to your fork: `git push origin feature/detect-new-attack-type`
+7. **Open a Pull Request** against `main`
+
+### Commit message format
+
+We loosely follow [Conventional Commits](https://www.conventionalcommits.org/):
+
+- `feat:` new patterns, features, or capabilities
+- `fix:` bug fixes or false positive corrections
+- `docs:` documentation changes
+- `test:` test-only changes
+- `chore:` build, CI, or maintenance tasks
 
-New injection attack patterns go in `lib/promptmenot/patterns/`.
+### PR checklist
 
-See existing pattern files for the DSL. Each pattern registers with:
-- `name` — unique identifier
-- `regex` — detection pattern
-- `sensitivity` — `:low`, `:medium`, `:high`, or `:paranoid`
-- `confidence` — `:high`, `:medium`, or `:low`
+Before submitting, make sure:
 
-Always include tests in `spec/promptmenot/patterns/`.
+- [ ] All tests pass (`bundle exec rspec`)
+- [ ] RuboCop is clean (`bundle exec rubocop`)
+- [ ] New patterns have both detection and false-positive tests
+- [ ] Sensitivity and confidence levels are justified
+- [ ] No overly broad regexes that would cause false positives at `:medium`
 
 ## Reporting Issues
 
-Found a bug or have a suggestion? Open an issue on GitHub with:
+### Bugs
+
+Open an issue with:
+
 - Clear description of the problem
-- Steps to reproduce (if applicable)
+- Steps to reproduce
 - Expected vs. actual behavior
-- Ruby/Rails version info
+- Ruby and Rails version (`ruby -v`, `rails -v`)
+- PromptMeNot version (`Promptmenot::VERSION`)
+
+### False Positives
+
+If PromptMeNot is flagging legitimate text:
+
+- Include the exact text being flagged
+- The sensitivity level you're using
+- Which pattern(s) matched (check `result.matches`)
+
+### Missed Injections
+
+If you've found an injection that gets through:
+
+- Include the injection text
+- The sensitivity level you tested at
+- Bonus points if you include a PR with the fix!
 
 ## License
 
-All contributions are made under the MIT license.
+All contributions are made under the [MIT License](LICENSE.txt).

data/README.md

@@ -1,9 +1,50 @@
 # PromptMeNot
 
-Detect and sanitize prompt injection attacks in user-submitted text. Protects Rails apps against:
+[![Build Status](https://github.com/kevinl05/promptmenot/actions/workflows/ci.yml/badge.svg)](https://github.com/kevinl05/promptmenot/actions/workflows/ci.yml)
+[![Gem Version](https://badge.fury.io/rb/promptmenot.svg)](https://rubygems.org/gems/promptmenot)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+[![Ruby 3.0+](https://img.shields.io/badge/Ruby-3.0%2B-red.svg)](https://www.ruby-lang.org/)
 
-- **Direct injection** -- users trying to hack your LLMs via form inputs
-- **Indirect injection** -- users storing malicious prompts in profiles so other LLMs that scrape your site get compromised
+PromptMeNot is a Ruby gem that helps protect your application against prompt injection attacks. It scans user-submitted text for malicious patterns like instruction overrides, role manipulation, delimiter injection, encoding tricks, and more. With ~70 built-in detection patterns organized across 7 attack categories, it covers direct injection (where users try to hijack your LLM through form inputs), indirect injection (where malicious prompts are stored in user content like profiles or comments, waiting for other LLMs to scrape and execute them), and resource extraction (where attackers trick AI agents into transferring funds, leaking credentials, or exhausting compute resources). It plugs into Rails with a simple ActiveModel validator or works standalone in any Ruby app, with configurable sensitivity levels so you can tune the trade-off between coverage and false positives.
+
+---
+
+### What it catches
+
+| Attack type | Description |
+|---|---|
+| **Direct injection** | Users trying to override LLM instructions via form inputs (e.g., "ignore all previous instructions") |
+| **Indirect injection** | Malicious prompts stored in profiles, comments, or posts that target LLMs scraping or processing your site |
+| **Delimiter attacks** | Fake system tokens, ChatML tags, and XML/markdown boundaries injected into text |
+| **Obfuscation** | Base64-encoded payloads, zero-width characters, hex escapes, and other encoding tricks |
+| **Resource extraction** | Crypto transfer requests, wallet drain attacks, credential theft, financial urgency manipulation |
+
+### What it doesn't do
+
+> PromptMeNot is a **supplemental defense layer**, not a silver bullet.
+
+It uses pattern matching to catch known injection techniques, which means:
+
+- **It can be bypassed.** Sufficiently creative or novel attacks may evade detection. Prompt injection is an evolving problem and no regex-based approach will catch everything.
+- **It's not a replacement for other safeguards.** You should still use system prompts with clear boundaries, output filtering, least-privilege API access, and human review where appropriate.
+- **It won't prevent all LLM misuse.** It focuses on the input side. It doesn't monitor or constrain what your LLM outputs.
+
+Think of it like input validation for SQL injection: you still use parameterized queries, but rejecting `'; DROP TABLE users--` at the front door doesn't hurt. PromptMeNot is that front door check for prompt injection.
+
+### Defense in depth
+
+For production apps, pair PromptMeNot with other layers:
+
+| Layer | What to do |
+|---|---|
+| **Structural isolation** | Wrap user input in XML delimiters (`<user_input>...</user_input>`) so the LLM treats it as data, not instructions |
+| **System prompt design** | Explicitly tell the model to ignore instructions found inside user content |
+| **Output validation** | Check LLM responses for leaked system prompts, PII, or unexpected behavior before returning them to users |
+| **Least-privilege access** | Restrict what your LLM can do (read-only DB access, scoped API keys, no `eval`) |
+
+PromptMeNot handles the fast, cheap first pass. It catches the known attacks before they cost you an API call. The layers above handle the rest.
+
+---
 
 ## Installation
 
@@ -26,10 +67,10 @@ rails generate promptmenot:install  # creates config/initializers/promptmenot.rb
 
 ```ruby
 class UserProfile < ApplicationRecord
-  # Reject mode (default) -- adds validation error
+  # Reject mode (default) — adds validation error
   validates :bio, prompt_safety: true
 
-  # Sanitize mode -- strips malicious content, no error
+  # Sanitize mode — strips malicious content, no error
   validates :about_me, prompt_safety: { mode: :sanitize }
 
   # Custom sensitivity
@@ -90,7 +131,7 @@ end
 
 ## Sensitivity Levels
 
-Sensitivity controls which patterns are active. Each pattern declares a minimum sensitivity level -- it only runs when the requested sensitivity is at or above that level.
+Sensitivity controls which patterns are active. Each pattern declares a minimum sensitivity level and only runs when the requested sensitivity is at or above that level.
 
 | Pattern sensitivity | Active at `:low` | `:medium` | `:high` | `:paranoid` |
 |---|---|---|---|---|
@@ -111,17 +152,155 @@ Sensitivity controls which patterns are active. Each pattern declares a minimum
 | `encoding_obfuscation` | Base64 payloads, zero-width chars, hex escapes | ~10 |
 | `indirect_injection` | "Dear AI", "if you are an LLM", "note to chatbot" | ~10 |
 | `context_manipulation` | `===RESET===`, "the above is a test", prompt leaking | ~8 |
+| `resource_extraction` | "transfer 100 SOL to", credential theft, wallet drain, endpoint exfiltration | ~10 |
 
 ## False Positive Mitigation
 
 Patterns use contextual qualifiers to minimize false positives:
 
-- "ignore" alone is fine -- "ignore **previous instructions**" is flagged
-- "act as" requires malicious qualifiers -- "act as a consultant" passes
-- "you are now" requires AI/restriction qualifiers -- "you are now subscribed" passes
-- "from now on" requires imperative "you must/will" -- "from now on I'll work from home" passes
+- "ignore" alone is fine, but "ignore **previous instructions**" is flagged
+- "act as" requires malicious qualifiers, so "act as a consultant" passes
+- "you are now" requires AI/restriction qualifiers, so "you are now subscribed" passes
+- "from now on" requires imperative "you must/will", so "from now on I'll work from home" passes
 - Broad patterns are placed at `:high`/`:paranoid` sensitivity so they don't fire at default settings
 
+## FAQ
+
+<details open>
+<summary><b>Does this work without Rails?</b></summary>
+<br>
+
+Yes. The ActiveModel validator is the Rails integration, but the core API works in any Ruby app:
+
+```ruby
+Promptmenot.safe?("some text")
+Promptmenot.detect("some text")
+Promptmenot.sanitize("some text")
+```
+
+The Railtie only loads if `Rails::Railtie` is defined.
+
+</details>
+
+<details>
+<summary><b>Is this thread-safe?</b></summary>
+<br>
+
+Yes. The module singleton (configuration, registry) is protected by a `Monitor`. Pattern matching itself is stateless, so concurrent calls to `detect` or `sanitize` are safe.
+
+</details>
+
+<details>
+<summary><b>What happens when patterns overlap?</b></summary>
+<br>
+
+The detector deduplicates automatically. If two patterns match overlapping regions of text, it keeps the larger match and discards the smaller one. This prevents double-counting in results and avoids garbled output in sanitize mode.
+
+</details>
+
+<details>
+<summary><b>Can I use this to scan existing database records?</b></summary>
+<br>
+
+Yes. You can run detection against any string, not just incoming form input:
+
+```ruby
+UserProfile.find_each do |profile|
+  result = Promptmenot.detect(profile.bio, sensitivity: :high)
+  puts "#{profile.id}: #{result.summary}" if result.unsafe?
+end
+```
+
+</details>
+
+<details>
+<summary><b>What's the performance like?</b></summary>
+<br>
+
+At default sensitivity (`:medium`), roughly 40-50 patterns are active. Each is a single regex scan, so detection is fast on typical user input. The `max_length` config (default: 50,000 characters) truncates excessively long inputs before scanning to prevent regex backtracking on adversarial payloads.
+
+</details>
+
+<details>
+<summary><b>Can I scan only specific categories?</b></summary>
+<br>
+
+Yes. Both the `Detector` and `Sanitizer` accept a `categories` filter:
+
+```ruby
+detector = Promptmenot::Detector.new(
+  sensitivity: :high,
+  categories: [:delimiter_injection, :encoding_obfuscation]
+)
+result = detector.detect(user_input)
+```
+
+This is useful if you only care about certain attack types for a given field.
+
+</details>
+
+<details>
+<summary><b>How does the on_detect callback work?</b></summary>
+<br>
+
+The callback fires whenever an injection is detected, before the result is returned. It receives the full `Result` object, so you can log, alert, or track metrics:
+
+```ruby
+Promptmenot.configure do |config|
+  config.on_detect = ->(result) {
+    Rails.logger.warn("Injection detected: #{result.summary}")
+    StatsD.increment("promptmenot.injection_detected")
+  }
+end
+```
+
+If the callback raises an exception, it's rescued and printed to `warn` so it never breaks your app.
+
+</details>
+
+<details>
+<summary><b>Does it catch leetspeak and Cyrillic homoglyphs?</b></summary>
+<br>
+
+Yes. The `encoding_obfuscation` category includes patterns for leetspeak injection (e.g., `1gn0r3 1nstruct10ns`) and mixed-script homoglyphs (Latin + Cyrillic characters in the same string). The homoglyph pattern is set to `:paranoid` sensitivity since mixed scripts can appear in legitimate multilingual content.
+
+</details>
+
+<details>
+<summary><b>What's the difference between confidence and sensitivity?</b></summary>
+<br>
+
+They answer different questions:
+
+- **Sensitivity** controls *when* a pattern runs. A `:low` sensitivity pattern runs at all levels. A `:paranoid` pattern only runs when you explicitly crank sensitivity up.
+- **Confidence** describes *how certain* we are that a match is actually an attack. A `:high` confidence match (e.g., "ignore all previous instructions") is almost certainly malicious. A `:low` confidence match (e.g., mixed Cyrillic/Latin text) might be legitimate.
+
+You can filter results by confidence after detection using `result.high_confidence_matches`.
+
+</details>
+
+<details>
+<summary><b>Can I add patterns without modifying the gem source?</b></summary>
+<br>
+
+Yes. Use the config DSL in your initializer:
+
+```ruby
+Promptmenot.configure do |config|
+  config.add_pattern(
+    name: :my_app_specific_attack,
+    regex: /some pattern specific to your app/i,
+    category: :custom,
+    sensitivity: :medium,
+    confidence: :high
+  )
+end
+```
+
+Custom patterns go through the same detection pipeline as built-in ones.
+
+</details>
+
 ## Contributing
 
 We welcome contributions! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines on:

data/lib/promptmenot/patterns/resource_extraction.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+module Promptmenot
+  module Patterns
+    class ResourceExtraction < Base
+      register(
+        name: :crypto_transfer_request,
+        regex: /\b(?:transfer|send|move|withdraw)\s+\d+(?:\.\d+)?\s*(?:SOL|ETH|BTC|USDC|USDT|XRP|MATIC|AVAX|DOT|ADA|BNB|DOGE|tokens?|coins?)\s+(?:to|into|towards)\b/i,
+        sensitivity: :low,
+        confidence: :high
+      )
+
+      register(
+        name: :wallet_address_with_instruction,
+        regex: /\b(?:transfer|send|move|withdraw|deposit)\b.{0,80}(?:0x[0-9a-fA-F]{20,}|[13][a-km-zA-HJ-NP-Z1-9]{25,34}|[1-9A-HJ-NP-Za-km-z]{32,44})\b/i,
+        sensitivity: :low,
+        confidence: :high
+      )
+
+      register(
+        name: :full_balance_drain,
+        regex: /\b(?:send|transfer|move|withdraw|drain|sweep)\s+(?:all|entire|whole|every|full|remaining|total)\s+(?:of\s+)?(?:your\s+|my\s+|the\s+)?(?:balance|funds?|tokens?|holdings?|assets?|coins?|crypto|portfolio|wallet)\b/i,
+        sensitivity: :low,
+        confidence: :high
+      )
+
+      register(
+        name: :financial_urgency_manipulation,
+        regex: /\b(?:urgent(?:ly)?|immediate(?:ly)?|right\s+now|asap|time[- ]sensitive|quickly|hurry|before\s+it'?s?\s+too\s+late|window\s+closing)\b.{0,60}\b(?:transfer|send|pay|wire|withdraw|transaction|funds?|money|payment)\b/i,
+        sensitivity: :medium,
+        confidence: :medium
+      )
+
+      register(
+        name: :authorization_claim_for_transfer,
+        regex: /\b(?:i(?:'m|\s+am)\s+authorized|i\s+have\s+(?:authorization|permission|approval)|(?:authorized|approved|cleared)\s+(?:to|for)\s+(?:receive|collect|access|withdraw))\b.{0,40}\b(?:funds?|tokens?|payment|money|transfer|wallet|assets?)\b/i,
+        sensitivity: :low,
+        confidence: :high
+      )
+
+      register(
+        name: :execute_transaction_instruction,
+        regex: /\b(?:execute|submit|place|perform|make|initiate|process)\s+(?:a\s+)?(?:swap|trade|sell\s+order|buy\s+order|transaction|transfer|market\s+order|limit\s+order|exchange)\b/i,
+        sensitivity: :medium,
+        confidence: :medium
+      )
+
+      register(
+        name: :credential_extraction,
+        regex: /\b(?:give|show|tell|send|share|reveal|display|output|print|provide|paste)\s+(?:me\s+)?(?:your\s+|the\s+)?(?:API\s+key|secret\s+key|private\s+key|seed\s+phrase|mnemonic|recovery\s+phrase|password|credentials?|auth\s+token|access\s+token|wallet\s+key)\b/i,
+        sensitivity: :low,
+        confidence: :high
+      )
+
+      register(
+        name: :external_endpoint_exfiltration,
+        regex: /\b(?:send|post|submit|forward|transmit|upload|push|pipe)\s+(?:the\s+)?(?:results?|output|response|keys?|tokens?|credentials?|secrets?|data)\s+(?:to|at|via)\s+(?:https?:\/\/|webhook|endpoint|external)/i,
+        sensitivity: :low,
+        confidence: :high
+      )
+
+      register(
+        name: :grant_access_escalation,
+        regex: /\b(?:grant|give|provide|allow|enable)\s+(?:me\s+)?(?:full|admin|root|owner|unlimited|unrestricted|complete)?\s*(?:access|control|permissions?|privileges?)\s+(?:to|over|for)\s+(?:the\s+)?(?:wallet|account|funds?|system|database|keys?|credentials?|resources?)\b/i,
+        sensitivity: :medium,
+        confidence: :high
+      )
+
+      register(
+        name: :resource_exhaustion,
+        regex: /\b(?:use|exhaust|consume|burn\s+through|deplete|drain|spend|max\s+out)\s+(?:all\s+)?(?:(?:your|the|my|available|remaining)\s+)?(?:credits?|quota|budget|compute|resources?|API\s+(?:calls?|requests?)|rate\s+limit|tokens?|capacity)\b/i,
+        sensitivity: :medium,
+        confidence: :high
+      )
+    end
+  end
+end

data/lib/promptmenot/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Promptmenot
-  VERSION = "0.1.3"
+  VERSION = "0.2.0"
 end

data/lib/promptmenot.rb

@@ -17,6 +17,7 @@ require_relative "promptmenot/patterns/delimiter_injection"
 require_relative "promptmenot/patterns/encoding_obfuscation"
 require_relative "promptmenot/patterns/indirect_injection"
 require_relative "promptmenot/patterns/context_manipulation"
+require_relative "promptmenot/patterns/resource_extraction"
 require_relative "promptmenot/detector"
 require_relative "promptmenot/sanitizer"
 require_relative "promptmenot/validator"
@@ -81,7 +82,8 @@ module Promptmenot
         Patterns::DelimiterInjection,
         Patterns::EncodingObfuscation,
         Patterns::IndirectInjection,
-        Patterns::ContextManipulation
+        Patterns::ContextManipulation,
+        Patterns::ResourceExtraction
       ]
     end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: promptmenot
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.2.0
 platform: ruby
 authors:
 - promptmenot contributors
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-02-18 00:00:00.000000000 Z
+date: 2026-02-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activemodel
@@ -71,6 +71,7 @@ files:
 - lib/promptmenot/patterns/direct_instruction_override.rb
 - lib/promptmenot/patterns/encoding_obfuscation.rb
 - lib/promptmenot/patterns/indirect_injection.rb
+- lib/promptmenot/patterns/resource_extraction.rb
 - lib/promptmenot/patterns/role_manipulation.rb
 - lib/promptmenot/railtie.rb
 - lib/promptmenot/result.rb