@arcis/node 1.6.1 → 1.6.3

package/dist/index.mjs

@@ -1078,9 +1078,10 @@ function detectXxe(input) {
 // src/sanitizers/ldap.ts
 var LDAP_DETECT_PATTERN = /[*()\\\x00]/;
 var LDAP_INJECTION_PATTERN = /\)\s*\(|\*\s*\)\s*\(/;
+var LDAP_NOT_BYPASS_PATTERN = /\)\s*\(\s*!|&\s*\(\s*!|\|\s*\(\s*!/;
 function detectLdapInjection(input) {
   if (typeof input !== "string") return false;
-  return LDAP_DETECT_PATTERN.test(input) || LDAP_INJECTION_PATTERN.test(input);
+  return LDAP_DETECT_PATTERN.test(input) || LDAP_INJECTION_PATTERN.test(input) || LDAP_NOT_BYPASS_PATTERN.test(input);
 }
 
 // src/sanitizers/xpath.ts
@@ -9271,6 +9272,411 @@ var bot_patterns_default = [
       "ZuperlistBot\\/"
     ],
     forbidden: []
+  },
+  {
+    id: "ext-ahrefsbotsiteaudit",
+    name: "ahrefsbotsiteaudit",
+    category: "SEO",
+    patterns: [
+      "Ahrefs(Bot|SiteAudit)"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-amazonproductdiscovery",
+    name: "amazonproductdiscovery",
+    category: "SEARCH_ENGINE",
+    patterns: [
+      "AmazonProductDiscovery"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-amazonsellerinitiatedlisting",
+    name: "amazonsellerinitiatedlisting",
+    category: "SEARCH_ENGINE",
+    patterns: [
+      "AmazonSellerInitiatedListing"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-cclaudebbot",
+    name: "cclaudebbot",
+    category: "GENERIC",
+    patterns: [
+      "[cC]laude[bB]ot"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-meta-externalagent",
+    name: "meta-externalagent",
+    category: "GENERIC",
+    patterns: [
+      "meta-externalagent\\/"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-meta-externalfetcher",
+    name: "meta-externalfetcher",
+    category: "GENERIC",
+    patterns: [
+      "meta-externalfetcher\\/"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-hydrozenio",
+    name: "hydrozenio",
+    category: "MONITORING",
+    patterns: [
+      "Hydrozen\\.io"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-yextbot",
+    name: "yextbot",
+    category: "SEO",
+    patterns: [
+      "YextBot\\/"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-datadogsynthetics",
+    name: "datadogsynthetics",
+    category: "MONITORING",
+    patterns: [
+      "DatadogSynthetics"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-observepoint",
+    name: "observepoint",
+    category: "MONITORING",
+    patterns: [
+      "ObservePoint"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-checkly",
+    name: "checkly",
+    category: "MONITORING",
+    patterns: [
+      "Checkly"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-alittleclient",
+    name: "alittleclient",
+    category: "GENERIC",
+    patterns: [
+      "ALittle Client"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-aliyunsecbot",
+    name: "aliyunsecbot",
+    category: "GENERIC",
+    patterns: [
+      "AliyunSecBot"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-claude-web",
+    name: "claude-web",
+    category: "GENERIC",
+    patterns: [
+      "Claude-Web"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-google-extended",
+    name: "google-extended",
+    category: "GENERIC",
+    patterns: [
+      "Google-Extended"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-serankingbacklinksbot",
+    name: "serankingbacklinksbot",
+    category: "SEO",
+    patterns: [
+      "SERankingBacklinksBot"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-cmschecker",
+    name: "cmschecker",
+    category: "SEO",
+    patterns: [
+      "CMSChecker"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-wayback",
+    name: "wayback",
+    category: "GENERIC",
+    patterns: [
+      "Wayback"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-playwright",
+    name: "playwright",
+    category: "GENERIC",
+    patterns: [
+      "Playwright"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-puppeteer",
+    name: "puppeteer",
+    category: "GENERIC",
+    patterns: [
+      "Puppeteer"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-selenium",
+    name: "selenium",
+    category: "GENERIC",
+    patterns: [
+      "Selenium"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-nikto",
+    name: "nikto",
+    category: "GENERIC",
+    patterns: [
+      "Nikto"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-sqlmap",
+    name: "sqlmap",
+    category: "GENERIC",
+    patterns: [
+      "sqlmap"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-zmeu",
+    name: "zmeu",
+    category: "GENERIC",
+    patterns: [
+      "ZmEu"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-masscan",
+    name: "masscan",
+    category: "GENERIC",
+    patterns: [
+      "masscan"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-wpscan",
+    name: "wpscan",
+    category: "GENERIC",
+    patterns: [
+      "WPScan"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-aacunetix",
+    name: "aacunetix",
+    category: "GENERIC",
+    patterns: [
+      "[aA]cunetix"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-nessus",
+    name: "nessus",
+    category: "GENERIC",
+    patterns: [
+      "Nessus"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-ddirbbuster",
+    name: "ddirbbuster",
+    category: "GENERIC",
+    patterns: [
+      "[dD]ir[Bb]uster"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-colly",
+    name: "colly",
+    category: "GENERIC",
+    patterns: [
+      "colly"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-mmechanize",
+    name: "mmechanize",
+    category: "GENERIC",
+    patterns: [
+      "[mM]echanize"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-airaiscanning",
+    name: "airaiscanning",
+    category: "GENERIC",
+    patterns: [
+      "air\\.ai\\/scanning"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-asnriskscorer",
+    name: "asnriskscorer",
+    category: "GENERIC",
+    patterns: [
+      "asnriskscorer"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-oicrawler",
+    name: "oicrawler",
+    category: "SEARCH_ENGINE",
+    patterns: [
+      "OICrawler"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-l9scan",
+    name: "l9scan",
+    category: "GENERIC",
+    patterns: [
+      "l9scan"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-slaccalebot",
+    name: "slaccalebot",
+    category: "SEO",
+    patterns: [
+      "SlaccaleBot"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-customasynchttpclient",
+    name: "customasynchttpclient",
+    category: "GENERIC",
+    patterns: [
+      "CustomAsyncHttpClient"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-gemini-deep-research",
+    name: "gemini-deep-research",
+    category: "SEARCH_ENGINE",
+    patterns: [
+      "Gemini-Deep-Research"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-perplexity-user",
+    name: "perplexity-user",
+    category: "SEARCH_ENGINE",
+    patterns: [
+      "Perplexity-User"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-perplexityuser",
+    name: "perplexityuser",
+    category: "SEARCH_ENGINE",
+    patterns: [
+      "PerplexityUser"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-meta-webindexer",
+    name: "meta-webindexer",
+    category: "GENERIC",
+    patterns: [
+      "meta-webindexer"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-duckassistbot",
+    name: "duckassistbot",
+    category: "SEARCH_ENGINE",
+    patterns: [
+      "DuckAssistBot"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-mistralai-user",
+    name: "mistralai-user",
+    category: "GENERIC",
+    patterns: [
+      "MistralAI-User"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-webzio",
+    name: "webzio",
+    category: "SEO",
+    patterns: [
+      "webzio"
+    ],
+    forbidden: []
+  },
+  {
+    id: "ext-newsai",
+    name: "newsai",
+    category: "GENERIC",
+    patterns: [
+      "newsai\\/"
+    ],
+    forbidden: []
   }
 ];
 
@@ -10065,6 +10471,297 @@ function signupProtection(options = {}) {
   return middleware;
 }
 
+// src/_third_party/rate-limit/abstract.ts
+var AbstractLimiter = class {
+  constructor(opts) {
+    if (!Number.isFinite(opts.points)) {
+      throw new Error("points must be a finite number");
+    }
+    if (!Number.isFinite(opts.duration) || opts.duration < 0) {
+      throw new Error("duration must be a finite, non-negative number");
+    }
+    this._points = opts.points;
+    this._duration = opts.duration;
+    this._blockDuration = typeof opts.blockDuration === "undefined" ? 0 : opts.blockDuration;
+    this._execEvenly = Boolean(opts.execEvenly);
+    this._execEvenlyMinDelayMs = typeof opts.execEvenlyMinDelayMs === "undefined" ? Math.ceil(this._duration * 1e3 / Math.max(this._points, 1)) : opts.execEvenlyMinDelayMs;
+    if (typeof opts.keyPrefix === "undefined") {
+      this._keyPrefix = "arcis";
+    } else if (typeof opts.keyPrefix !== "string") {
+      throw new Error("keyPrefix must be a string");
+    } else {
+      this._keyPrefix = opts.keyPrefix;
+    }
+  }
+  get points() {
+    return this._points;
+  }
+  get duration() {
+    return this._duration;
+  }
+  get msDuration() {
+    return this._duration * 1e3;
+  }
+  get blockDuration() {
+    return this._blockDuration;
+  }
+  get msBlockDuration() {
+    return this._blockDuration * 1e3;
+  }
+  get execEvenly() {
+    return this._execEvenly;
+  }
+  get execEvenlyMinDelayMs() {
+    return this._execEvenlyMinDelayMs;
+  }
+  get keyPrefix() {
+    return this._keyPrefix;
+  }
+  _getKeySecDuration(options = {}) {
+    return typeof options.customDuration === "number" && options.customDuration >= 0 ? options.customDuration : this._duration;
+  }
+  _getKey(key) {
+    return this._keyPrefix.length > 0 ? `${this._keyPrefix}:${key}` : key;
+  }
+};
+
+// src/_third_party/rate-limit/types.ts
+var LimiterResult = class {
+  constructor(remainingPoints = 0, msBeforeNext = 0, consumedPoints = 0, isFirstInDuration = false) {
+    this.remainingPoints = remainingPoints;
+    this.msBeforeNext = msBeforeNext;
+    this.consumedPoints = consumedPoints;
+    this.isFirstInDuration = isFirstInDuration;
+  }
+};
+
+// src/_third_party/rate-limit/record.ts
+var StorageRecord = class {
+  constructor(value, expiresAt, timeoutId = null) {
+    this.value = Math.trunc(value);
+    this.expiresAt = expiresAt;
+    this.timeoutId = timeoutId;
+  }
+};
+
+// src/_third_party/rate-limit/memory-storage.ts
+var MemoryStorage = class {
+  constructor() {
+    this._storage = /* @__PURE__ */ new Map();
+  }
+  /**
+   * Increment the counter for `key` by `value`. If the key has no record
+   * (or its TTL has expired), a new record is created with `durationSec`
+   * lifetime.
+   */
+  incrby(key, value, durationSec) {
+    const record = this._storage.get(key);
+    if (record) {
+      const msBeforeExpires = record.expiresAt ? record.expiresAt - Date.now() : -1;
+      if (!record.expiresAt || msBeforeExpires > 0) {
+        record.value = record.value + value;
+        return new LimiterResult(0, msBeforeExpires, record.value, false);
+      }
+      return this.set(key, value, durationSec);
+    }
+    return this.set(key, value, durationSec);
+  }
+  /**
+   * Write the counter for `key` to `value`, replacing any existing
+   * record. `durationSec` of 0 means "never expires".
+   */
+  set(key, value, durationSec) {
+    const durationMs = durationSec * 1e3;
+    const existing = this._storage.get(key);
+    if (existing && existing.timeoutId) {
+      clearTimeout(existing.timeoutId);
+    }
+    const record = new StorageRecord(value, durationMs > 0 ? Date.now() + durationMs : null);
+    this._storage.set(key, record);
+    if (durationMs > 0) {
+      record.timeoutId = setTimeout(() => {
+        this._storage.delete(key);
+      }, durationMs);
+      if (typeof record.timeoutId.unref === "function") {
+        record.timeoutId.unref();
+      }
+    }
+    return new LimiterResult(0, durationMs === 0 ? -1 : durationMs, record.value, true);
+  }
+  get(key) {
+    const record = this._storage.get(key);
+    if (!record) return null;
+    const msBeforeExpires = record.expiresAt ? record.expiresAt - Date.now() : -1;
+    return new LimiterResult(0, msBeforeExpires, record.value, false);
+  }
+  delete(key) {
+    const record = this._storage.get(key);
+    if (!record) return false;
+    if (record.timeoutId) {
+      clearTimeout(record.timeoutId);
+    }
+    this._storage.delete(key);
+    return true;
+  }
+  /** Inspect the underlying map. Test-only and not part of the public API. */
+  _dump() {
+    return this._storage.entries();
+  }
+  /** Clear all records. Used by tests and by `Limiter.dispose()`. */
+  clear() {
+    for (const record of this._storage.values()) {
+      if (record.timeoutId) clearTimeout(record.timeoutId);
+    }
+    this._storage.clear();
+  }
+};
+
+// src/_third_party/rate-limit/memory.ts
+var MemoryLimiter = class extends AbstractLimiter {
+  constructor(opts) {
+    super(opts);
+    this._storage = new MemoryStorage();
+  }
+  consume(key, pointsToConsume = 1, options = {}) {
+    return new Promise((resolve2, reject) => {
+      const rlKey = this._getKey(key);
+      const secDuration = this._getKeySecDuration(options);
+      let res = this._storage.incrby(rlKey, pointsToConsume, secDuration);
+      res.remainingPoints = Math.max(this._points - res.consumedPoints, 0);
+      if (res.consumedPoints > this._points) {
+        if (this._blockDuration > 0 && res.consumedPoints <= this._points + pointsToConsume) {
+          res = this._storage.set(rlKey, res.consumedPoints, this._blockDuration);
+        }
+        reject(res);
+        return;
+      }
+      if (this._execEvenly && res.msBeforeNext > 0 && !res.isFirstInDuration) {
+        let delay = Math.ceil(res.msBeforeNext / (res.remainingPoints + 2));
+        if (delay < this._execEvenlyMinDelayMs) {
+          delay = res.consumedPoints * this._execEvenlyMinDelayMs;
+        }
+        res.msBeforeNext = Math.max(res.msBeforeNext - delay, 0);
+        setTimeout(resolve2, delay, res);
+        return;
+      }
+      resolve2(res);
+    });
+  }
+  penalty(key, points = 1, options = {}) {
+    const rlKey = this._getKey(key);
+    const secDuration = this._getKeySecDuration(options);
+    const res = this._storage.incrby(rlKey, points, secDuration);
+    res.remainingPoints = Math.max(this._points - res.consumedPoints, 0);
+    return Promise.resolve(res);
+  }
+  reward(key, points = 1, options = {}) {
+    const rlKey = this._getKey(key);
+    const secDuration = this._getKeySecDuration(options);
+    const res = this._storage.incrby(rlKey, -points, secDuration);
+    res.remainingPoints = Math.max(this._points - res.consumedPoints, 0);
+    return Promise.resolve(res);
+  }
+  block(key, secDuration) {
+    const msDuration = secDuration * 1e3;
+    const initPoints = this._points + 1;
+    this._storage.set(this._getKey(key), initPoints, secDuration);
+    return Promise.resolve(new LimiterResult(0, msDuration === 0 ? -1 : msDuration, initPoints, false));
+  }
+  get(key) {
+    const res = this._storage.get(this._getKey(key));
+    if (res !== null) {
+      res.remainingPoints = Math.max(this._points - res.consumedPoints, 0);
+    }
+    return Promise.resolve(res);
+  }
+  delete(key) {
+    return Promise.resolve(this._storage.delete(this._getKey(key)));
+  }
+  /** Test/teardown helper. Drops every key and clears timers. */
+  dispose() {
+    this._storage.clear();
+  }
+};
+
+// src/middleware/brute-force.ts
+function defaultKeyGenerator2(req) {
+  const xff = req.headers["x-forwarded-for"];
+  if (typeof xff === "string" && xff.length > 0) {
+    const first = xff.split(",")[0]?.trim();
+    if (first) return first;
+  }
+  if (typeof req.ip === "string" && req.ip.length > 0) return req.ip;
+  const remote = req.socket?.remoteAddress;
+  return typeof remote === "string" && remote.length > 0 ? remote : "unknown";
+}
+function bruteForceProtection(options = {}) {
+  const fastPoints = options.fastPoints ?? 5;
+  const fastDuration = options.fastDuration ?? 60;
+  const slowPoints = options.slowPoints ?? 20;
+  const slowDuration = options.slowDuration ?? 900;
+  const blockDuration = options.blockDuration ?? 900;
+  const keyGenerator = options.keyGenerator ?? defaultKeyGenerator2;
+  const statusCode = options.statusCode ?? 429;
+  const message = options.message ?? "Too many login attempts. Please try again later.";
+  const skip = options.skip;
+  const fast = new MemoryLimiter({
+    points: fastPoints,
+    duration: fastDuration,
+    keyPrefix: "arcis:bf:fast"
+  });
+  const slow = new MemoryLimiter({
+    points: slowPoints,
+    duration: slowDuration,
+    blockDuration,
+    keyPrefix: "arcis:bf:slow"
+  });
+  const controller = {
+    reward: (key, points = 1) => slow.reward(key, points),
+    delete: async (key) => {
+      const a = await fast.delete(key);
+      const b = await slow.delete(key);
+      return a || b;
+    },
+    get: (key) => slow.get(key),
+    block: (key, secDuration) => slow.block(key, secDuration)
+  };
+  const handler = async (req, res, next) => {
+    try {
+      if (skip?.(req)) return next();
+      const key = keyGenerator(req);
+      req.arcisBruteForce = controller;
+      const slowRes = await slow.consume(key, 1);
+      const fastRes = await fast.consume(key, 1);
+      res.setHeader("X-RateLimit-Limit", String(slowPoints));
+      res.setHeader(
+        "X-RateLimit-Remaining",
+        String(Math.min(fastRes.remainingPoints, slowRes.remainingPoints))
+      );
+      res.setHeader(
+        "X-RateLimit-Reset",
+        String(Math.ceil(Math.max(slowRes.msBeforeNext, fastRes.msBeforeNext) / 1e3))
+      );
+      next();
+    } catch (rejection) {
+      if (rejection instanceof LimiterResult || isLimiterResultShape(rejection)) {
+        const retryAfter = Math.ceil(rejection.msBeforeNext / 1e3);
+        res.setHeader("X-RateLimit-Limit", String(slowPoints));
+        res.setHeader("X-RateLimit-Remaining", "0");
+        res.setHeader("X-RateLimit-Reset", String(retryAfter));
+        res.setHeader("Retry-After", String(retryAfter));
+        res.status(statusCode).json({ error: message, retryAfter });
+        return;
+      }
+      console.error("[arcis] brute-force middleware error:", rejection);
+      next();
+    }
+  };
+  return Object.assign(handler, { controller });
+}
+function isLimiterResultShape(x) {
+  return typeof x === "object" && x !== null && typeof x.consumedPoints === "number" && typeof x.msBeforeNext === "number";
+}
+
 // src/middleware/protect.ts
 function getClientIp(req) {
   const xff = req?.headers?.["x-forwarded-for"] ?? req?.headers?.["X-Forwarded-For"];
@@ -10115,6 +10812,10 @@ function protectLogin(options = {}) {
   const middlewares = [];
   const rl = resolve(options.rateLimit, { max: 5, windowMs: 6e4 });
   if (rl) middlewares.push(createRateLimiter(rl));
+  if (options.bruteForce) {
+    const bfOpts = options.bruteForce === true ? {} : options.bruteForce;
+    middlewares.push(bruteForceProtection(bfOpts));
+  }
   const bot = resolve(options.bot, {
     deny: ["AUTOMATED"],
     statusCode: 403,
@@ -10398,13 +11099,25 @@ var SIGNATURES = [
     rule: "ignore-previous-instructions",
     // Two clauses:
     //  1. ignore|disregard|... + adjectives? + a target object word (like
-    //     "instructions", "rules") — catches "ignore your safety rules".
+    //     "instructions", "rules"). Catches "ignore your safety rules".
     //  2. ignore|disregard|... + (the|all|any) + (previous|above|prior|...)
-    //     with no trailing noun — catches "disregard the above".
-    pattern: /\b(?:ignore|disregard|forget|override|bypass)\s+(?:(?:all|your|the|any|previous|prior|above|original|initial|system|safety)\s+)*(?:instructions?|rules?|directions?|guidelines?|prompts?|policies|directives|commands?|restrictions?|filters?|safety|content)\b|\b(?:ignore|disregard|forget|override|bypass)\s+(?:all\s+|the\s+|any\s+)?(?:previous|prior|above|preceding|earlier|original|initial)\b/i,
+    //     with no trailing noun. Catches "disregard the above".
+    // Verb set widened in v1.7 to include skip/neglect/overlook/omit (the
+    // combinatorial jailbreak corpus uses these interchangeably with
+    // ignore/disregard/forget).
+    pattern: /\b(?:ignore|disregard|forget|override|bypass|skip|neglect|overlook|omit)\s+(?:(?:all|your|the|any|previous|prior|above|original|initial|system|safety|preceding|earlier|foregoing)\s+)*(?:instructions?|rules?|directions?|guidelines?|prompts?|policies|directives?|commands?|restrictions?|filters?|safety|content|context|conversation|directive|messages?|communication|requests?|inputs?)\b|\b(?:ignore|disregard|forget|override|bypass|skip|neglect|overlook|omit)\s+(?:all\s+|the\s+|any\s+)?(?:previous|prior|above|preceding|earlier|original|initial|foregoing)\b/i,
     severity: "high",
     description: "Direct instruction override attempt"
   },
+  {
+    rule: "instruction-bypass-phrases",
+    // Multi-word verbs that don't fit the single-token alternation in
+    // `ignore-previous-instructions`. Catches "pay no attention to your
+    // previous instructions", "do not follow the above rules", etc.
+    pattern: /\b(?:pay\s+no\s+attention\s+to|do\s+not\s+(?:follow|obey|adhere\s+to|comply\s+with))\s+(?:(?:all|your|the|any|previous|prior|above|original|initial|system|safety|preceding|earlier|foregoing)\s+)*(?:instructions?|rules?|directions?|guidelines?|prompts?|policies|directives?|commands?|restrictions?|filters?|safety|content|context|directive|messages?)\b/i,
+    severity: "high",
+    description: "Multi-word instruction-bypass phrase (pay no attention to / do not follow)"
+  },
   {
     rule: "jailbreak-dan",
     pattern: /\b(?:DAN|STAN|DUDE|DAVE|JEDI|EvilBot|AIM|BetterDAN|AntiGPT|AntiClaude)\b(?:[\s.,!?]|mode|prompt|jailbreak|persona)/i,
@@ -10528,7 +11241,7 @@ var SIGNATURES = [
   // a tool, or to trick the model into echoing a synthesized
   // tool_call that the runtime then executes.
   //
-  // Narrow patterns — match the literal JSON keys and inline
+  // Narrow patterns. Match the literal JSON keys and inline
   // tool-name shapes. Won't false-positive on plain English text
   // discussing tools.
   {
@@ -10561,6 +11274,41 @@ var SIGNATURES = [
     severity: "high",
     description: "Claude/OpenAI tool-use XML-style tag forgery"
   },
+  // ── Prompt-template marker forgeries ────────────────────────────────
+  // Catches inline forgery of the special tokens that LLM runtimes use
+  // to delimit roles. If a user can land any of these in their input
+  // and the host concatenates the input into a prompt without
+  // re-tokenizing, the model treats the suffix as a new system turn.
+  //
+  // Covered runtimes:
+  //   - ChatML (OpenAI / Llama 3 chat): <|im_start|>, <|im_end|>
+  //   - Llama 2 chat: [INST] <<SYS>> ... <</SYS>>
+  //   - guidance/handlebars: {{#system~}}, {{/system~}}, {{#assistant~}}
+  //   - Markdown link spoof: [system](#assistant), [admin](#context)
+  {
+    rule: "chatml-template-marker",
+    pattern: /<\|im_(?:start|end)\|>(?:\s*(?:system|assistant|user|tool|function))?/i,
+    severity: "high",
+    description: "ChatML special token forgery (<|im_start|>...) to spoof a role turn"
+  },
+  {
+    rule: "llama2-system-marker",
+    pattern: /<<\s*\/?\s*SYS\s*>>|\[\s*\/?\s*INST\s*\]/i,
+    severity: "high",
+    description: "Llama 2 [INST]/<<SYS>> instruction-template marker forgery"
+  },
+  {
+    rule: "guidance-template-marker",
+    pattern: /\{\{\s*[#/]\s*(?:system|assistant|user|tool|function)\s*~?\s*\}\}/i,
+    severity: "medium",
+    description: "guidance/handlebars role-block marker forgery ({{#system~}} ...)"
+  },
+  {
+    rule: "markdown-system-link-spoof",
+    pattern: /\[\s*(?:system|admin|root|assistant)\s*\]\s*\(\s*#(?:assistant|context|system|root|admin)\s*\)/i,
+    severity: "medium",
+    description: "Markdown link forgery spoofing a role marker ([system](#assistant))"
+  },
   // --- LOW severity: ambiguous but worth flagging in strict mode ---
   {
     rule: "from-now-on",
@@ -11114,6 +11862,6 @@ function createRedisStore(options) {
   return new RedisStore(options);
 }
 
-export { ArcisError, ValidationError as ArcisValidationError, BLOCKED, CorrelationWindow, ERRORS, Guards, HEADERS, INPUT, InputTooLargeError, MemoryStore, RATE_LIMIT, REDACTION, RateLimitError, RedisStore, ResponseSplittingError, SanitizationError, SecurityThreatError, TelemetryClient, TelemetryHttpError, VALIDATION, arcis, arcisWithMethods as arcisFunction, botProtection, checkSignup, createCors, createCsrf, createErrorHandler, createHeaders, createHpp, createRateLimiter, createRedactor, createRedisStore, createSafeLogger, createSanitizer, createSecureCookies, createSlidingWindowLimiter, createTokenBucketLimiter, createValidator, csrfProtection, main_default as default, detectBot, detectClientIp, detectCommandInjection, detectGraphqlAbuse, detectHeaderInjection, detectJsonpInjection, detectNoSqlInjection, detectPathTraversal, detectPii, detectPromptInjection, detectPrototypePollution, detectResponseSplitting, detectSql, detectSsti, detectXss, detectXxe, encodeForAttribute, encodeForCss, encodeForHtml, encodeForJs, encodeForUrl, enforceSecureCookie, errorHandler, eventLoopProtection, fingerprint, formatDuration, generateCsrfToken, graphqlGuard, hpp, inspectGraphqlQuery, isDangerousExtension, isDangerousNoSqlKey, isDangerousProtoKey, isPrivateIp, isRedirectSafe, isUrlSafe, isValidEmailSyntax, massAssign, methodAllowlist, parseDuration, pinnedDnsLookup, protectApi, protectLogin, protectSignup, rateLimit, redactObjectPii, redactPii, responseSplittingGuard, safeCors, safeFollowRedirect, safeLog, sanitizeCommand, sanitizeFilename, sanitizeHeaderValue, sanitizeHeaders, sanitizeJsonpCallback, sanitizeObject, sanitizePath, sanitizePromptInjection, sanitizeResponseHeader, sanitizeSql, sanitizeSsti, sanitizeString, sanitizeXss, sanitizeXxe, scanObjectPii, scanPii, secureCookieDefaults, securityHeaders, signupProtection, tokenBudget, validate, validateCsrfToken, validateEmail, validateFile, validateRedirect, validateUrl, validateUrlAsync, verifyEmailMx };
+export { ArcisError, ValidationError as ArcisValidationError, BLOCKED, CorrelationWindow, ERRORS, Guards, HEADERS, INPUT, InputTooLargeError, MemoryStore, RATE_LIMIT, REDACTION, RateLimitError, RedisStore, ResponseSplittingError, SanitizationError, SecurityThreatError, TelemetryClient, TelemetryHttpError, VALIDATION, arcis, arcisWithMethods as arcisFunction, botProtection, bruteForceProtection, checkSignup, createCors, createCsrf, createErrorHandler, createHeaders, createHpp, createRateLimiter, createRedactor, createRedisStore, createSafeLogger, createSanitizer, createSecureCookies, createSlidingWindowLimiter, createTokenBucketLimiter, createValidator, csrfProtection, main_default as default, detectBot, detectClientIp, detectCommandInjection, detectGraphqlAbuse, detectHeaderInjection, detectJsonpInjection, detectNoSqlInjection, detectPathTraversal, detectPii, detectPromptInjection, detectPrototypePollution, detectResponseSplitting, detectSql, detectSsti, detectXss, detectXxe, encodeForAttribute, encodeForCss, encodeForHtml, encodeForJs, encodeForUrl, enforceSecureCookie, errorHandler, eventLoopProtection, fingerprint, formatDuration, generateCsrfToken, graphqlGuard, hpp, inspectGraphqlQuery, isDangerousExtension, isDangerousNoSqlKey, isDangerousProtoKey, isPrivateIp, isRedirectSafe, isUrlSafe, isValidEmailSyntax, massAssign, methodAllowlist, parseDuration, pinnedDnsLookup, protectApi, protectLogin, protectSignup, rateLimit, redactObjectPii, redactPii, responseSplittingGuard, safeCors, safeFollowRedirect, safeLog, sanitizeCommand, sanitizeFilename, sanitizeHeaderValue, sanitizeHeaders, sanitizeJsonpCallback, sanitizeObject, sanitizePath, sanitizePromptInjection, sanitizeResponseHeader, sanitizeSql, sanitizeSsti, sanitizeString, sanitizeXss, sanitizeXxe, scanObjectPii, scanPii, secureCookieDefaults, securityHeaders, signupProtection, tokenBudget, validate, validateCsrfToken, validateEmail, validateFile, validateRedirect, validateUrl, validateUrlAsync, verifyEmailMx };
 //# sourceMappingURL=index.mjs.map
 //# sourceMappingURL=index.mjs.map