@arcis/node 1.6.1 → 1.6.3

package/dist/index.js

@@ -1101,9 +1101,10 @@ function detectXxe(input) {
 // src/sanitizers/ldap.ts
 var LDAP_DETECT_PATTERN = /[*()\\\x00]/;
 var LDAP_INJECTION_PATTERN = /\)\s*\(|\*\s*\)\s*\(/;
+var LDAP_NOT_BYPASS_PATTERN = /\)\s*\(\s*!|&\s*\(\s*!|\|\s*\(\s*!/;
 function detectLdapInjection(input) {
   if (typeof input !== "string") return false;
-  return LDAP_DETECT_PATTERN.test(input) || LDAP_INJECTION_PATTERN.test(input);
+  return LDAP_DETECT_PATTERN.test(input) || LDAP_INJECTION_PATTERN.test(input) || LDAP_NOT_BYPASS_PATTERN.test(input);
 }
 
 // src/sanitizers/xpath.ts
@@ -9294,6 +9295,411 @@ var bot_patterns_default = [
       "ZuperlistBot\\/"
     ],
     forbidden: []
+  },
+  {
+    id: "ext-ahrefsbotsiteaudit",
+    name: "ahrefsbotsiteaudit",
+    category: "SEO",
+    patterns: [
+      "Ahrefs(Bot|SiteAudit)"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-amazonproductdiscovery",
+    name: "amazonproductdiscovery",
+    category: "SEARCH_ENGINE",
+    patterns: [
+      "AmazonProductDiscovery"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-amazonsellerinitiatedlisting",
+    name: "amazonsellerinitiatedlisting",
+    category: "SEARCH_ENGINE",
+    patterns: [
+      "AmazonSellerInitiatedListing"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-cclaudebbot",
+    name: "cclaudebbot",
+    category: "GENERIC",
+    patterns: [
+      "[cC]laude[bB]ot"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-meta-externalagent",
+    name: "meta-externalagent",
+    category: "GENERIC",
+    patterns: [
+      "meta-externalagent\\/"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-meta-externalfetcher",
+    name: "meta-externalfetcher",
+    category: "GENERIC",
+    patterns: [
+      "meta-externalfetcher\\/"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-hydrozenio",
+    name: "hydrozenio",
+    category: "MONITORING",
+    patterns: [
+      "Hydrozen\\.io"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-yextbot",
+    name: "yextbot",
+    category: "SEO",
+    patterns: [
+      "YextBot\\/"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-datadogsynthetics",
+    name: "datadogsynthetics",
+    category: "MONITORING",
+    patterns: [
+      "DatadogSynthetics"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-observepoint",
+    name: "observepoint",
+    category: "MONITORING",
+    patterns: [
+      "ObservePoint"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-checkly",
+    name: "checkly",
+    category: "MONITORING",
+    patterns: [
+      "Checkly"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-alittleclient",
+    name: "alittleclient",
+    category: "GENERIC",
+    patterns: [
+      "ALittle Client"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-aliyunsecbot",
+    name: "aliyunsecbot",
+    category: "GENERIC",
+    patterns: [
+      "AliyunSecBot"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-claude-web",
+    name: "claude-web",
+    category: "GENERIC",
+    patterns: [
+      "Claude-Web"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-google-extended",
+    name: "google-extended",
+    category: "GENERIC",
+    patterns: [
+      "Google-Extended"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-serankingbacklinksbot",
+    name: "serankingbacklinksbot",
+    category: "SEO",
+    patterns: [
+      "SERankingBacklinksBot"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-cmschecker",
+    name: "cmschecker",
+    category: "SEO",
+    patterns: [
+      "CMSChecker"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-wayback",
+    name: "wayback",
+    category: "GENERIC",
+    patterns: [
+      "Wayback"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-playwright",
+    name: "playwright",
+    category: "GENERIC",
+    patterns: [
+      "Playwright"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-puppeteer",
+    name: "puppeteer",
+    category: "GENERIC",
+    patterns: [
+      "Puppeteer"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-selenium",
+    name: "selenium",
+    category: "GENERIC",
+    patterns: [
+      "Selenium"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-nikto",
+    name: "nikto",
+    category: "GENERIC",
+    patterns: [
+      "Nikto"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-sqlmap",
+    name: "sqlmap",
+    category: "GENERIC",
+    patterns: [
+      "sqlmap"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-zmeu",
+    name: "zmeu",
+    category: "GENERIC",
+    patterns: [
+      "ZmEu"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-masscan",
+    name: "masscan",
+    category: "GENERIC",
+    patterns: [
+      "masscan"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-wpscan",
+    name: "wpscan",
+    category: "GENERIC",
+    patterns: [
+      "WPScan"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-aacunetix",
+    name: "aacunetix",
+    category: "GENERIC",
+    patterns: [
+      "[aA]cunetix"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-nessus",
+    name: "nessus",
+    category: "GENERIC",
+    patterns: [
+      "Nessus"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-ddirbbuster",
+    name: "ddirbbuster",
+    category: "GENERIC",
+    patterns: [
+      "[dD]ir[Bb]uster"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-colly",
+    name: "colly",
+    category: "GENERIC",
+    patterns: [
+      "colly"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-mmechanize",
+    name: "mmechanize",
+    category: "GENERIC",
+    patterns: [
+      "[mM]echanize"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-airaiscanning",
+    name: "airaiscanning",
+    category: "GENERIC",
+    patterns: [
+      "air\\.ai\\/scanning"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-asnriskscorer",
+    name: "asnriskscorer",
+    category: "GENERIC",
+    patterns: [
+      "asnriskscorer"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-oicrawler",
+    name: "oicrawler",
+    category: "SEARCH_ENGINE",
+    patterns: [
+      "OICrawler"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-l9scan",
+    name: "l9scan",
+    category: "GENERIC",
+    patterns: [
+      "l9scan"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-slaccalebot",
+    name: "slaccalebot",
+    category: "SEO",
+    patterns: [
+      "SlaccaleBot"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-customasynchttpclient",
+    name: "customasynchttpclient",
+    category: "GENERIC",
+    patterns: [
+      "CustomAsyncHttpClient"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-gemini-deep-research",
+    name: "gemini-deep-research",
+    category: "SEARCH_ENGINE",
+    patterns: [
+      "Gemini-Deep-Research"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-perplexity-user",
+    name: "perplexity-user",
+    category: "SEARCH_ENGINE",
+    patterns: [
+      "Perplexity-User"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-perplexityuser",
+    name: "perplexityuser",
+    category: "SEARCH_ENGINE",
+    patterns: [
+      "PerplexityUser"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-meta-webindexer",
+    name: "meta-webindexer",
+    category: "GENERIC",
+    patterns: [
+      "meta-webindexer"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-duckassistbot",
+    name: "duckassistbot",
+    category: "SEARCH_ENGINE",
+    patterns: [
+      "DuckAssistBot"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-mistralai-user",
+    name: "mistralai-user",
+    category: "GENERIC",
+    patterns: [
+      "MistralAI-User"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-webzio",
+    name: "webzio",
+    category: "SEO",
+    patterns: [
+      "webzio"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-newsai",
+    name: "newsai",
+    category: "GENERIC",
+    patterns: [
+      "newsai\\/"
+    ],
+    forbidden: []
   }
 ];
 
@@ -10088,6 +10494,297 @@ function signupProtection(options = {}) {
   return middleware;
 }
 
+// src/_third_party/rate-limit/abstract.ts
+var AbstractLimiter = class {
+  constructor(opts) {
+    if (!Number.isFinite(opts.points)) {
+      throw new Error("points must be a finite number");
+    }
+    if (!Number.isFinite(opts.duration) || opts.duration < 0) {
+      throw new Error("duration must be a finite, non-negative number");
+    }
+    this._points = opts.points;
+    this._duration = opts.duration;
+    this._blockDuration = typeof opts.blockDuration === "undefined" ? 0 : opts.blockDuration;
+    this._execEvenly = Boolean(opts.execEvenly);
+    this._execEvenlyMinDelayMs = typeof opts.execEvenlyMinDelayMs === "undefined" ? Math.ceil(this._duration * 1e3 / Math.max(this._points, 1)) : opts.execEvenlyMinDelayMs;
+    if (typeof opts.keyPrefix === "undefined") {
+      this._keyPrefix = "arcis";
+    } else if (typeof opts.keyPrefix !== "string") {
+      throw new Error("keyPrefix must be a string");
+    } else {
+      this._keyPrefix = opts.keyPrefix;
+    }
+  }
+  get points() {
+    return this._points;
+  }
+  get duration() {
+    return this._duration;
+  }
+  get msDuration() {
+    return this._duration * 1e3;
+  }
+  get blockDuration() {
+    return this._blockDuration;
+  }
+  get msBlockDuration() {
+    return this._blockDuration * 1e3;
+  }
+  get execEvenly() {
+    return this._execEvenly;
+  }
+  get execEvenlyMinDelayMs() {
+    return this._execEvenlyMinDelayMs;
+  }
+  get keyPrefix() {
+    return this._keyPrefix;
+  }
+  _getKeySecDuration(options = {}) {
+    return typeof options.customDuration === "number" && options.customDuration >= 0 ? options.customDuration : this._duration;
+  }
+  _getKey(key) {
+    return this._keyPrefix.length > 0 ? `${this._keyPrefix}:${key}` : key;
+  }
+};
+
+// src/_third_party/rate-limit/types.ts
+var LimiterResult = class {
+  constructor(remainingPoints = 0, msBeforeNext = 0, consumedPoints = 0, isFirstInDuration = false) {
+    this.remainingPoints = remainingPoints;
+    this.msBeforeNext = msBeforeNext;
+    this.consumedPoints = consumedPoints;
+    this.isFirstInDuration = isFirstInDuration;
+  }
+};
+
+// src/_third_party/rate-limit/record.ts
+var StorageRecord = class {
+  constructor(value, expiresAt, timeoutId = null) {
+    this.value = Math.trunc(value);
+    this.expiresAt = expiresAt;
+    this.timeoutId = timeoutId;
+  }
+};
+
+// src/_third_party/rate-limit/memory-storage.ts
+var MemoryStorage = class {
+  constructor() {
+    this._storage = /* @__PURE__ */ new Map();
+  }
+  /**
+   * Increment the counter for `key` by `value`. If the key has no record
+   * (or its TTL has expired), a new record is created with `durationSec`
+   * lifetime.
+   */
+  incrby(key, value, durationSec) {
+    const record = this._storage.get(key);
+    if (record) {
+      const msBeforeExpires = record.expiresAt ? record.expiresAt - Date.now() : -1;
+      if (!record.expiresAt || msBeforeExpires > 0) {
+        record.value = record.value + value;
+        return new LimiterResult(0, msBeforeExpires, record.value, false);
+      }
+      return this.set(key, value, durationSec);
+    }
+    return this.set(key, value, durationSec);
+  }
+  /**
+   * Write the counter for `key` to `value`, replacing any existing
+   * record. `durationSec` of 0 means "never expires".
+   */
+  set(key, value, durationSec) {
+    const durationMs = durationSec * 1e3;
+    const existing = this._storage.get(key);
+    if (existing && existing.timeoutId) {
+      clearTimeout(existing.timeoutId);
+    }
+    const record = new StorageRecord(value, durationMs > 0 ? Date.now() + durationMs : null);
+    this._storage.set(key, record);
+    if (durationMs > 0) {
+      record.timeoutId = setTimeout(() => {
+        this._storage.delete(key);
+      }, durationMs);
+      if (typeof record.timeoutId.unref === "function") {
+        record.timeoutId.unref();
+      }
+    }
+    return new LimiterResult(0, durationMs === 0 ? -1 : durationMs, record.value, true);
+  }
+  get(key) {
+    const record = this._storage.get(key);
+    if (!record) return null;
+    const msBeforeExpires = record.expiresAt ? record.expiresAt - Date.now() : -1;
+    return new LimiterResult(0, msBeforeExpires, record.value, false);
+  }
+  delete(key) {
+    const record = this._storage.get(key);
+    if (!record) return false;
+    if (record.timeoutId) {
+      clearTimeout(record.timeoutId);
+    }
+    this._storage.delete(key);
+    return true;
+  }
+  /** Inspect the underlying map. Test-only and not part of the public API. */
+  _dump() {
+    return this._storage.entries();
+  }
+  /** Clear all records. Used by tests and by `Limiter.dispose()`. */
+  clear() {
+    for (const record of this._storage.values()) {
+      if (record.timeoutId) clearTimeout(record.timeoutId);
+    }
+    this._storage.clear();
+  }
+};
+
+// src/_third_party/rate-limit/memory.ts
+var MemoryLimiter = class extends AbstractLimiter {
+  constructor(opts) {
+    super(opts);
+    this._storage = new MemoryStorage();
+  }
+  consume(key, pointsToConsume = 1, options = {}) {
+    return new Promise((resolve2, reject) => {
+      const rlKey = this._getKey(key);
+      const secDuration = this._getKeySecDuration(options);
+      let res = this._storage.incrby(rlKey, pointsToConsume, secDuration);
+      res.remainingPoints = Math.max(this._points - res.consumedPoints, 0);
+      if (res.consumedPoints > this._points) {
+        if (this._blockDuration > 0 && res.consumedPoints <= this._points + pointsToConsume) {
+          res = this._storage.set(rlKey, res.consumedPoints, this._blockDuration);
+        }
+        reject(res);
+        return;
+      }
+      if (this._execEvenly && res.msBeforeNext > 0 && !res.isFirstInDuration) {
+        let delay = Math.ceil(res.msBeforeNext / (res.remainingPoints + 2));
+        if (delay < this._execEvenlyMinDelayMs) {
+          delay = res.consumedPoints * this._execEvenlyMinDelayMs;
+        }
+        res.msBeforeNext = Math.max(res.msBeforeNext - delay, 0);
+        setTimeout(resolve2, delay, res);
+        return;
+      }
+      resolve2(res);
+    });
+  }
+  penalty(key, points = 1, options = {}) {
+    const rlKey = this._getKey(key);
+    const secDuration = this._getKeySecDuration(options);
+    const res = this._storage.incrby(rlKey, points, secDuration);
+    res.remainingPoints = Math.max(this._points - res.consumedPoints, 0);
+    return Promise.resolve(res);
+  }
+  reward(key, points = 1, options = {}) {
+    const rlKey = this._getKey(key);
+    const secDuration = this._getKeySecDuration(options);
+    const res = this._storage.incrby(rlKey, -points, secDuration);
+    res.remainingPoints = Math.max(this._points - res.consumedPoints, 0);
+    return Promise.resolve(res);
+  }
+  block(key, secDuration) {
+    const msDuration = secDuration * 1e3;
+    const initPoints = this._points + 1;
+    this._storage.set(this._getKey(key), initPoints, secDuration);
+    return Promise.resolve(new LimiterResult(0, msDuration === 0 ? -1 : msDuration, initPoints, false));
+  }
+  get(key) {
+    const res = this._storage.get(this._getKey(key));
+    if (res !== null) {
+      res.remainingPoints = Math.max(this._points - res.consumedPoints, 0);
+    }
+    return Promise.resolve(res);
+  }
+  delete(key) {
+    return Promise.resolve(this._storage.delete(this._getKey(key)));
+  }
+  /** Test/teardown helper. Drops every key and clears timers. */
+  dispose() {
+    this._storage.clear();
+  }
+};
+
+// src/middleware/brute-force.ts
+function defaultKeyGenerator2(req) {
+  const xff = req.headers["x-forwarded-for"];
+  if (typeof xff === "string" && xff.length > 0) {
+    const first = xff.split(",")[0]?.trim();
+    if (first) return first;
+  }
+  if (typeof req.ip === "string" && req.ip.length > 0) return req.ip;
+  const remote = req.socket?.remoteAddress;
+  return typeof remote === "string" && remote.length > 0 ? remote : "unknown";
+}
+function bruteForceProtection(options = {}) {
+  const fastPoints = options.fastPoints ?? 5;
+  const fastDuration = options.fastDuration ?? 60;
+  const slowPoints = options.slowPoints ?? 20;
+  const slowDuration = options.slowDuration ?? 900;
+  const blockDuration = options.blockDuration ?? 900;
+  const keyGenerator = options.keyGenerator ?? defaultKeyGenerator2;
+  const statusCode = options.statusCode ?? 429;
+  const message = options.message ?? "Too many login attempts. Please try again later.";
+  const skip = options.skip;
+  const fast = new MemoryLimiter({
+    points: fastPoints,
+    duration: fastDuration,
+    keyPrefix: "arcis:bf:fast"
+  });
+  const slow = new MemoryLimiter({
+    points: slowPoints,
+    duration: slowDuration,
+    blockDuration,
+    keyPrefix: "arcis:bf:slow"
+  });
+  const controller = {
+    reward: (key, points = 1) => slow.reward(key, points),
+    delete: async (key) => {
+      const a = await fast.delete(key);
+      const b = await slow.delete(key);
+      return a || b;
+    },
+    get: (key) => slow.get(key),
+    block: (key, secDuration) => slow.block(key, secDuration)
+  };
+  const handler = async (req, res, next) => {
+    try {
+      if (skip?.(req)) return next();
+      const key = keyGenerator(req);
+      req.arcisBruteForce = controller;
+      const slowRes = await slow.consume(key, 1);
+      const fastRes = await fast.consume(key, 1);
+      res.setHeader("X-RateLimit-Limit", String(slowPoints));
+      res.setHeader(
+        "X-RateLimit-Remaining",
+        String(Math.min(fastRes.remainingPoints, slowRes.remainingPoints))
+      );
+      res.setHeader(
+        "X-RateLimit-Reset",
+        String(Math.ceil(Math.max(slowRes.msBeforeNext, fastRes.msBeforeNext) / 1e3))
+      );
+      next();
+    } catch (rejection) {
+      if (rejection instanceof LimiterResult || isLimiterResultShape(rejection)) {
+        const retryAfter = Math.ceil(rejection.msBeforeNext / 1e3);
+        res.setHeader("X-RateLimit-Limit", String(slowPoints));
+        res.setHeader("X-RateLimit-Remaining", "0");
+        res.setHeader("X-RateLimit-Reset", String(retryAfter));
+        res.setHeader("Retry-After", String(retryAfter));
+        res.status(statusCode).json({ error: message, retryAfter });
+        return;
+      }
+      console.error("[arcis] brute-force middleware error:", rejection);
+      next();
+    }
+  };
+  return Object.assign(handler, { controller });
+}
+function isLimiterResultShape(x) {
+  return typeof x === "object" && x !== null && typeof x.consumedPoints === "number" && typeof x.msBeforeNext === "number";
+}
+
 // src/middleware/protect.ts
 function getClientIp(req) {
   const xff = req?.headers?.["x-forwarded-for"] ?? req?.headers?.["X-Forwarded-For"];
@@ -10138,6 +10835,10 @@ function protectLogin(options = {}) {
   const middlewares = [];
   const rl = resolve(options.rateLimit, { max: 5, windowMs: 6e4 });
   if (rl) middlewares.push(createRateLimiter(rl));
+  if (options.bruteForce) {
+    const bfOpts = options.bruteForce === true ? {} : options.bruteForce;
+    middlewares.push(bruteForceProtection(bfOpts));
+  }
   const bot = resolve(options.bot, {
     deny: ["AUTOMATED"],
     statusCode: 403,
@@ -10421,13 +11122,25 @@ var SIGNATURES = [
     rule: "ignore-previous-instructions",
     // Two clauses:
     //  1. ignore|disregard|... + adjectives? + a target object word (like
-    //     "instructions", "rules") — catches "ignore your safety rules".
+    //     "instructions", "rules"). Catches "ignore your safety rules".
     //  2. ignore|disregard|... + (the|all|any) + (previous|above|prior|...)
-    //     with no trailing noun — catches "disregard the above".
-    pattern: /\b(?:ignore|disregard|forget|override|bypass)\s+(?:(?:all|your|the|any|previous|prior|above|original|initial|system|safety)\s+)*(?:instructions?|rules?|directions?|guidelines?|prompts?|policies|directives|commands?|restrictions?|filters?|safety|content)\b|\b(?:ignore|disregard|forget|override|bypass)\s+(?:all\s+|the\s+|any\s+)?(?:previous|prior|above|preceding|earlier|original|initial)\b/i,
+    //     with no trailing noun. Catches "disregard the above".
+    // Verb set widened in v1.7 to include skip/neglect/overlook/omit (the
+    // combinatorial jailbreak corpus uses these interchangeably with
+    // ignore/disregard/forget).
+    pattern: /\b(?:ignore|disregard|forget|override|bypass|skip|neglect|overlook|omit)\s+(?:(?:all|your|the|any|previous|prior|above|original|initial|system|safety|preceding|earlier|foregoing)\s+)*(?:instructions?|rules?|directions?|guidelines?|prompts?|policies|directives?|commands?|restrictions?|filters?|safety|content|context|conversation|directive|messages?|communication|requests?|inputs?)\b|\b(?:ignore|disregard|forget|override|bypass|skip|neglect|overlook|omit)\s+(?:all\s+|the\s+|any\s+)?(?:previous|prior|above|preceding|earlier|original|initial|foregoing)\b/i,
     severity: "high",
     description: "Direct instruction override attempt"
   },
+  {
+    rule: "instruction-bypass-phrases",
+    // Multi-word verbs that don't fit the single-token alternation in
+    // `ignore-previous-instructions`. Catches "pay no attention to your
+    // previous instructions", "do not follow the above rules", etc.
+    pattern: /\b(?:pay\s+no\s+attention\s+to|do\s+not\s+(?:follow|obey|adhere\s+to|comply\s+with))\s+(?:(?:all|your|the|any|previous|prior|above|original|initial|system|safety|preceding|earlier|foregoing)\s+)*(?:instructions?|rules?|directions?|guidelines?|prompts?|policies|directives?|commands?|restrictions?|filters?|safety|content|context|directive|messages?)\b/i,
+    severity: "high",
+    description: "Multi-word instruction-bypass phrase (pay no attention to / do not follow)"
+  },
   {
     rule: "jailbreak-dan",
     pattern: /\b(?:DAN|STAN|DUDE|DAVE|JEDI|EvilBot|AIM|BetterDAN|AntiGPT|AntiClaude)\b(?:[\s.,!?]|mode|prompt|jailbreak|persona)/i,
@@ -10551,7 +11264,7 @@ var SIGNATURES = [
   // a tool, or to trick the model into echoing a synthesized
   // tool_call that the runtime then executes.
   //
-  // Narrow patterns — match the literal JSON keys and inline
+  // Narrow patterns. Match the literal JSON keys and inline
   // tool-name shapes. Won't false-positive on plain English text
   // discussing tools.
   {
@@ -10584,6 +11297,41 @@ var SIGNATURES = [
     severity: "high",
     description: "Claude/OpenAI tool-use XML-style tag forgery"
   },
+  // ── Prompt-template marker forgeries ────────────────────────────────
+  // Catches inline forgery of the special tokens that LLM runtimes use
+  // to delimit roles. If a user can land any of these in their input
+  // and the host concatenates the input into a prompt without
+  // re-tokenizing, the model treats the suffix as a new system turn.
+  //
+  // Covered runtimes:
+  //   - ChatML (OpenAI / Llama 3 chat): <|im_start|>, <|im_end|>
+  //   - Llama 2 chat: [INST] <<SYS>> ... <</SYS>>
+  //   - guidance/handlebars: {{#system~}}, {{/system~}}, {{#assistant~}}
+  //   - Markdown link spoof: [system](#assistant), [admin](#context)
+  {
+    rule: "chatml-template-marker",
+    pattern: /<\|im_(?:start|end)\|>(?:\s*(?:system|assistant|user|tool|function))?/i,
+    severity: "high",
+    description: "ChatML special token forgery (<|im_start|>...) to spoof a role turn"
+  },
+  {
+    rule: "llama2-system-marker",
+    pattern: /<<\s*\/?\s*SYS\s*>>|\[\s*\/?\s*INST\s*\]/i,
+    severity: "high",
+    description: "Llama 2 [INST]/<<SYS>> instruction-template marker forgery"
+  },
+  {
+    rule: "guidance-template-marker",
+    pattern: /\{\{\s*[#/]\s*(?:system|assistant|user|tool|function)\s*~?\s*\}\}/i,
+    severity: "medium",
+    description: "guidance/handlebars role-block marker forgery ({{#system~}} ...)"
+  },
+  {
+    rule: "markdown-system-link-spoof",
+    pattern: /\[\s*(?:system|admin|root|assistant)\s*\]\s*\(\s*#(?:assistant|context|system|root|admin)\s*\)/i,
+    severity: "medium",
+    description: "Markdown link forgery spoofing a role marker ([system](#assistant))"
+  },
   // --- LOW severity: ambiguous but worth flagging in strict mode ---
   {
     rule: "from-now-on",
@@ -11160,6 +11908,7 @@ exports.VALIDATION = VALIDATION;
 exports.arcis = arcis;
 exports.arcisFunction = arcisWithMethods;
 exports.botProtection = botProtection;
+exports.bruteForceProtection = bruteForceProtection;
 exports.checkSignup = checkSignup;
 exports.createCors = createCors;
 exports.createCsrf = createCsrf;