@dotsetlabs/tollgate 0.1.0

package/dist/analyzers/prompt-injection.js

@@ -0,0 +1,725 @@
+/**
+ * Prompt Injection Analyzer
+ *
+ * Detects prompt injection attacks in tool arguments by scanning for common
+ * injection patterns that attempt to manipulate AI behavior or bypass security.
+ *
+ * Detection patterns include:
+ * - "Ignore previous instructions" and variants
+ * - System prompt manipulation attempts
+ * - Role confusion attacks ("You are now...")
+ * - Base64-encoded prompts
+ * - Unicode obfuscation (homoglyphs, invisible characters)
+ * - Markdown/HTML injection (javascript: links, etc.)
+ * - Delimiter injection (trying to break out of context)
+ * - Jailbreak patterns
+ *
+ * @module analyzers/prompt-injection
+ */
+/**
+ * Prompt Injection Analyzer
+ *
+ * Classifies content by injection risk:
+ * - safe: No injection patterns detected
+ * - read: Minor suspicious patterns (low confidence)
+ * - write: Moderate injection indicators
+ * - destructive: High-confidence injection patterns
+ * - dangerous: Clear prompt injection attempt
+ */
+export class PromptInjectionAnalyzer {
+    name = 'prompt-injection';
+    /**
+     * Analyze content for prompt injection patterns.
+     */
+    analyze(content, _context) {
+        // Normalize content for pattern matching
+        const normalizedContent = this.normalizeContent(content);
+        const originalContent = content;
+        // Check all detection categories and collect triggers
+        const allTriggers = [];
+        let highestRisk = 'safe';
+        // 1. Check for instruction override patterns (most dangerous)
+        const instructionResult = this.checkInstructionOverride(normalizedContent);
+        if (instructionResult) {
+            if (this.isHigherRisk(instructionResult.risk, highestRisk)) {
+                highestRisk = instructionResult.risk;
+            }
+            allTriggers.push(...(instructionResult.triggers ?? []));
+        }
+        // 2. Check for system prompt manipulation
+        const systemPromptResult = this.checkSystemPromptManipulation(normalizedContent);
+        if (systemPromptResult) {
+            if (this.isHigherRisk(systemPromptResult.risk, highestRisk)) {
+                highestRisk = systemPromptResult.risk;
+            }
+            allTriggers.push(...(systemPromptResult.triggers ?? []));
+        }
+        // 3. Check for role confusion attacks
+        const roleConfusionResult = this.checkRoleConfusion(normalizedContent);
+        if (roleConfusionResult) {
+            if (this.isHigherRisk(roleConfusionResult.risk, highestRisk)) {
+                highestRisk = roleConfusionResult.risk;
+            }
+            allTriggers.push(...(roleConfusionResult.triggers ?? []));
+        }
+        // 4. Check for Base64-encoded content
+        const base64Result = this.checkBase64Encoding(originalContent);
+        if (base64Result) {
+            if (this.isHigherRisk(base64Result.risk, highestRisk)) {
+                highestRisk = base64Result.risk;
+            }
+            allTriggers.push(...(base64Result.triggers ?? []));
+        }
+        // 5. Check for Unicode obfuscation
+        const unicodeResult = this.checkUnicodeObfuscation(originalContent);
+        if (unicodeResult) {
+            if (this.isHigherRisk(unicodeResult.risk, highestRisk)) {
+                highestRisk = unicodeResult.risk;
+            }
+            allTriggers.push(...(unicodeResult.triggers ?? []));
+        }
+        // 6. Check for Markdown/HTML injection
+        const markdownResult = this.checkMarkdownInjection(originalContent);
+        if (markdownResult) {
+            if (this.isHigherRisk(markdownResult.risk, highestRisk)) {
+                highestRisk = markdownResult.risk;
+            }
+            allTriggers.push(...(markdownResult.triggers ?? []));
+        }
+        // 7. Check for delimiter injection
+        const delimiterResult = this.checkDelimiterInjection(originalContent);
+        if (delimiterResult) {
+            if (this.isHigherRisk(delimiterResult.risk, highestRisk)) {
+                highestRisk = delimiterResult.risk;
+            }
+            allTriggers.push(...(delimiterResult.triggers ?? []));
+        }
+        // 8. Check for jailbreak patterns
+        const jailbreakResult = this.checkJailbreakPatterns(normalizedContent);
+        if (jailbreakResult) {
+            if (this.isHigherRisk(jailbreakResult.risk, highestRisk)) {
+                highestRisk = jailbreakResult.risk;
+            }
+            allTriggers.push(...(jailbreakResult.triggers ?? []));
+        }
+        // 9. Check for data exfiltration attempts
+        const exfilResult = this.checkDataExfiltration(normalizedContent);
+        if (exfilResult) {
+            if (this.isHigherRisk(exfilResult.risk, highestRisk)) {
+                highestRisk = exfilResult.risk;
+            }
+            allTriggers.push(...(exfilResult.triggers ?? []));
+        }
+        // Return result based on highest risk found
+        if (highestRisk === 'safe') {
+            return {
+                risk: 'safe',
+                reason: 'No prompt injection patterns detected',
+            };
+        }
+        return {
+            risk: highestRisk,
+            reason: this.getRiskReason(highestRisk, allTriggers),
+            triggers: allTriggers,
+            metadata: {
+                patternCount: allTriggers.length,
+                normalizedLength: normalizedContent.length,
+            },
+        };
+    }
+    /**
+     * Normalize content for pattern matching.
+     * Removes extra whitespace, converts to lowercase, etc.
+     */
+    normalizeContent(content) {
+        return content
+            // Apply Unicode NFC normalization to handle homoglyph variants
+            .normalize('NFC')
+            .toLowerCase()
+            // Normalize whitespace
+            .replace(/\s+/g, ' ')
+            // Remove zero-width characters for matching
+            .replace(/[\u200B-\u200D\uFEFF]/g, '')
+            .trim();
+    }
+    /**
+     * Check for instruction override patterns.
+     * These are the most common prompt injection patterns.
+     */
+    checkInstructionOverride(content) {
+        // Patterns use bounded whitespace \s{1,10} to prevent ReDoS attacks
+        const dangerousPatterns = [
+            // "Ignore" variants - bounded whitespace to prevent catastrophic backtracking
+            /ignore\s{1,10}(?:all\s{1,10})?(?:your\s{1,10})?(?:previous|prior|above|earlier|original|initial)\s{1,10}(?:instructions?|prompts?|rules?|guidelines?|constraints?)/i,
+            /disregard\s{1,10}(?:all\s{1,10})?(?:your\s{1,10})?(?:previous|prior|above|earlier|original|initial)\s{1,10}(?:instructions?|prompts?|rules?)/i,
+            /forget\s{1,10}(?:all\s{1,10})?(?:your\s{1,10})?(?:previous|prior|above|earlier|original|initial)\s{1,10}(?:instructions?|prompts?|rules?)/i,
+            /do\s{1,10}not\s{1,10}follow\s{1,10}(?:your\s{1,10})?(?:previous|prior|above|earlier|original|initial)\s{1,10}(?:instructions?|prompts?|rules?)/i,
+            // "New instructions" variants
+            /new\s{1,10}instructions?\s{0,5}:/i,
+            /updated\s{1,10}instructions?\s{0,5}:/i,
+            /override\s{1,10}instructions?\s{0,5}:/i,
+            /replacement\s{1,10}instructions?\s{0,5}:/i,
+            // Direct overrides
+            /from\s{1,10}now\s{1,10}on,?\s{1,10}(?:ignore|forget|disregard)/i,
+            /starting\s{1,10}now,?\s{1,10}(?:ignore|forget|disregard)/i,
+            /effective\s{1,10}immediately,?\s{1,10}(?:ignore|forget|disregard)/i,
+            // "Actually" pattern
+            /actually,?\s{1,10}(?:ignore|forget|disregard|don'?t\s{1,10}follow)/i,
+            /wait,?\s{1,10}(?:ignore|forget|disregard|don'?t\s{1,10}follow)/i,
+            /stop,?\s{1,10}(?:ignore|forget|disregard)/i,
+            // Reset commands
+            /reset\s{1,10}(?:your\s{1,10})?(?:instructions?|prompts?|rules?|behavior)/i,
+            /clear\s{1,10}(?:your\s{1,10})?(?:instructions?|prompts?|rules?|memory)/i,
+        ];
+        const destructivePatterns = [
+            // Less direct but still concerning - bounded whitespace
+            /previous\s{1,10}instructions?\s{1,10}(?:are|were)\s{1,10}(?:wrong|incorrect|outdated|invalid)/i,
+            /those\s{1,10}instructions?\s{1,10}(?:are|were)\s{1,10}(?:wrong|incorrect|outdated)/i,
+            /the\s{1,10}(?:above|previous)\s{1,10}(?:is|was)\s{1,10}(?:a\s{1,10})?test/i,
+            /that\s{1,10}was\s{1,10}just\s{1,10}(?:a\s{1,10})?test/i,
+        ];
+        for (const pattern of dangerousPatterns) {
+            if (pattern.test(content)) {
+                return {
+                    risk: 'dangerous',
+                    reason: 'Instruction override attempt detected',
+                    triggers: [pattern.source.substring(0, 50)],
+                };
+            }
+        }
+        for (const pattern of destructivePatterns) {
+            if (pattern.test(content)) {
+                return {
+                    risk: 'destructive',
+                    reason: 'Suspicious instruction manipulation detected',
+                    triggers: [pattern.source.substring(0, 50)],
+                };
+            }
+        }
+        return null;
+    }
+    /**
+     * Check for system prompt manipulation attempts.
+     */
+    checkSystemPromptManipulation(content) {
+        // Patterns use bounded whitespace \s{1,10} to prevent ReDoS attacks
+        const dangerousPatterns = [
+            // Direct system prompt references
+            /system\s{0,5}prompt\s{0,5}:/i,
+            /\[system\]/i,
+            /\[system\s{1,10}message\]/i,
+            /<system>/i,
+            /<<\s{0,5}sys\s{0,5}>>/i,
+            /\|\|\s{0,5}system\s{0,5}\|\|/i,
+            // Attempts to see/modify system prompt
+            /show\s{1,10}(?:me\s{1,10})?(?:your\s{1,10})?system\s{1,10}prompt/i,
+            /what\s{1,10}(?:is|are)\s{1,10}(?:your\s{1,10})?system\s{1,10}(?:prompt|instructions?)/i,
+            /reveal\s{1,10}(?:your\s{1,10})?system\s{1,10}(?:prompt|instructions?)/i,
+            /print\s{1,10}(?:your\s{1,10})?system\s{1,10}(?:prompt|instructions?)/i,
+            /display\s{1,10}(?:your\s{1,10})?system\s{1,10}(?:prompt|instructions?)/i,
+            /output\s{1,10}(?:your\s{1,10})?system\s{1,10}(?:prompt|instructions?)/i,
+            /repeat\s{1,10}(?:your\s{1,10})?system\s{1,10}(?:prompt|instructions?)/i,
+            // Hidden instructions
+            /hidden\s{1,10}instructions?\s{0,5}:/i,
+            /secret\s{1,10}instructions?\s{0,5}:/i,
+            /internal\s{1,10}instructions?\s{0,5}:/i,
+            /developer\s{1,10}(?:mode|instructions?)/i,
+            /debug\s{1,10}mode/i,
+            /maintenance\s{1,10}mode/i,
+            /admin\s{1,10}mode/i,
+        ];
+        const destructivePatterns = [
+            // Less direct attempts - bounded whitespace
+            /how\s{1,10}were\s{1,10}you\s{1,10}(?:programmed|trained|instructed)/i,
+            /what\s{1,10}are\s{1,10}your\s{1,10}(?:core|base|original)\s{1,10}(?:instructions?|rules?)/i,
+            /tell\s{1,10}me\s{1,10}about\s{1,10}your\s{1,10}(?:instructions?|programming|training)/i,
+        ];
+        for (const pattern of dangerousPatterns) {
+            if (pattern.test(content)) {
+                return {
+                    risk: 'dangerous',
+                    reason: 'System prompt manipulation attempt detected',
+                    triggers: ['system prompt manipulation'],
+                };
+            }
+        }
+        for (const pattern of destructivePatterns) {
+            if (pattern.test(content)) {
+                return {
+                    risk: 'destructive',
+                    reason: 'Potential system prompt probing detected',
+                    triggers: ['system prompt probing'],
+                };
+            }
+        }
+        return null;
+    }
+    /**
+     * Check for role confusion attacks.
+     */
+    checkRoleConfusion(content) {
+        // Patterns use bounded whitespace \s{1,10} to prevent ReDoS attacks
+        const dangerousPatterns = [
+            // Role assignment
+            /you\s{1,10}are\s{1,10}now\s{1,10}(?:a|an|the)/i,
+            /pretend\s{1,10}(?:you\s{1,10}are|to\s{1,10}be|you're)/i,
+            /act\s{1,10}as\s{1,10}(?:if\s{1,10}you\s{1,10}(?:are|were)|a|an|the)/i,
+            /roleplay\s{1,10}as/i,
+            /imagine\s{1,10}you\s{1,10}are/i,
+            /assume\s{1,10}the\s{1,10}role\s{1,10}of/i,
+            /take\s{1,10}on\s{1,10}the\s{1,10}persona\s{1,10}of/i,
+            // Personality changes
+            /your\s{1,10}new\s{1,10}(?:name|identity|persona|personality)\s{1,10}is/i,
+            /from\s{1,10}now\s{1,10}on,?\s{1,10}you\s{1,10}are/i,
+            /i\s{1,10}want\s{1,10}you\s{1,10}to\s{1,10}act\s{1,10}as/i,
+            /i\s{1,10}want\s{1,10}you\s{1,10}to\s{1,10}be/i,
+            /respond\s{1,10}as\s{1,10}(?:if\s{1,10}you\s{1,10}were|a|an)/i,
+            /answer\s{1,10}as\s{1,10}(?:if\s{1,10}you\s{1,10}were|a|an)/i,
+            // Unrestricted AI patterns
+            /you\s{1,10}are\s{1,10}(?:an?\s{1,10})?unfiltered/i,
+            /you\s{1,10}are\s{1,10}(?:an?\s{1,10})?uncensored/i,
+            /you\s{1,10}are\s{1,10}(?:an?\s{1,10})?unrestricted/i,
+            /you\s{1,10}have\s{1,10}no\s{1,10}(?:restrictions?|limitations?|rules?|filters?)/i,
+            /you\s{1,10}can\s{1,10}(?:say|do)\s{1,10}anything/i,
+            /you\s{1,10}don'?t\s{1,10}have\s{1,10}(?:any\s{1,10})?(?:restrictions?|limitations?|rules?)/i,
+        ];
+        const destructivePatterns = [
+            // Softer role suggestions - bounded whitespace
+            /think\s{1,10}of\s{1,10}yourself\s{1,10}as/i,
+            /consider\s{1,10}yourself/i,
+            /you\s{1,10}should\s{1,10}act\s{1,10}like/i,
+        ];
+        for (const pattern of dangerousPatterns) {
+            if (pattern.test(content)) {
+                return {
+                    risk: 'dangerous',
+                    reason: 'Role confusion attack detected',
+                    triggers: ['role confusion'],
+                };
+            }
+        }
+        for (const pattern of destructivePatterns) {
+            if (pattern.test(content)) {
+                return {
+                    risk: 'destructive',
+                    reason: 'Potential role manipulation detected',
+                    triggers: ['role manipulation'],
+                };
+            }
+        }
+        return null;
+    }
+    /**
+     * Check for Base64-encoded content that might hide injection.
+     */
+    checkBase64Encoding(content) {
+        // Look for Base64 patterns (standard and URL-safe variants)
+        const base64Pattern = /([A-Za-z0-9+/]{20,}={0,2})/g;
+        const base64UrlSafePattern = /([A-Za-z0-9_-]{20,}={0,2})/g;
+        // Combine matches from both patterns
+        const standardMatches = content.match(base64Pattern) ?? [];
+        const urlSafeMatches = content.match(base64UrlSafePattern) ?? [];
+        const matches = [...new Set([...standardMatches, ...urlSafeMatches])];
+        if (matches.length === 0) {
+            return null;
+        }
+        for (const match of matches) {
+            try {
+                // Try to decode and check for suspicious content
+                const decoded = Buffer.from(match, 'base64').toString('utf-8');
+                // Check if decoded content contains injection patterns
+                if (this.containsInjectionKeywords(decoded)) {
+                    return {
+                        risk: 'dangerous',
+                        reason: 'Base64-encoded injection detected',
+                        triggers: ['base64 encoded injection'],
+                        metadata: { encodedLength: match.length },
+                    };
+                }
+                // Check if it's valid text (high ratio of printable characters)
+                const printableRatio = this.getPrintableRatio(decoded);
+                if (printableRatio > 0.8 && decoded.length > 20) {
+                    // Looks like hidden text, flag as suspicious
+                    return {
+                        risk: 'write',
+                        reason: 'Suspicious Base64-encoded text detected',
+                        triggers: ['base64 hidden content'],
+                        metadata: { encodedLength: match.length, printableRatio },
+                    };
+                }
+            }
+            catch {
+                // Not valid Base64, ignore
+            }
+        }
+        return null;
+    }
+    /**
+     * Check for Unicode obfuscation techniques.
+     */
+    checkUnicodeObfuscation(content) {
+        const triggers = [];
+        // Check for homoglyph attacks (lookalike characters)
+        const homoglyphs = {
+            // Cyrillic lookalikes
+            '\u0430': 'a', '\u0435': 'e', '\u043E': 'o', '\u0440': 'p',
+            '\u0441': 'c', '\u0443': 'y', '\u0445': 'x', '\u0456': 'i',
+            // Greek lookalikes
+            '\u03B1': 'a', '\u03B5': 'e', '\u03BF': 'o', '\u03C1': 'p',
+            // Special lookalikes
+            '\u0261': 'g', '\u026F': 'm', '\u0270': 'm', '\u0280': 'r',
+            // Full-width characters
+            '\uFF41': 'a', '\uFF45': 'e', '\uFF49': 'i', '\uFF4F': 'o',
+            // Mathematical alphanumeric symbols (U+1D400-U+1D7FF)
+            // These look identical to ASCII letters but are different Unicode codepoints
+            '\u{1D41A}': 'a', '\u{1D41B}': 'b', '\u{1D41C}': 'c', '\u{1D41D}': 'd',
+            '\u{1D41E}': 'e', '\u{1D41F}': 'f', '\u{1D420}': 'g', '\u{1D421}': 'h',
+            '\u{1D422}': 'i', '\u{1D423}': 'j', '\u{1D424}': 'k', '\u{1D425}': 'l',
+            '\u{1D426}': 'm', '\u{1D427}': 'n', '\u{1D428}': 'o', '\u{1D429}': 'p',
+            '\u{1D44E}': 'a', '\u{1D44F}': 'b', '\u{1D450}': 'c', // italic
+            '\u{1D482}': 'a', '\u{1D483}': 'b', '\u{1D484}': 'c', // bold italic
+            '\u{1D4B6}': 'a', '\u{1D4B7}': 'b', '\u{1D4B8}': 'c', // script
+            '\u{1D5BA}': 'a', '\u{1D5BB}': 'b', '\u{1D5BC}': 'c', // sans-serif
+            '\u{1D5EE}': 'a', '\u{1D5EF}': 'b', '\u{1D5F0}': 'c', // sans-serif italic
+            '\u{1D622}': 'a', '\u{1D623}': 'b', '\u{1D624}': 'c', // monospace
+        };
+        let homoglyphCount = 0;
+        for (const char of content) {
+            if (homoglyphs[char]) {
+                homoglyphCount++;
+            }
+        }
+        if (homoglyphCount > 3) {
+            triggers.push('homoglyph obfuscation');
+        }
+        // Check for invisible characters
+        const invisibleChars = [
+            '\u200B', // Zero-width space
+            '\u200C', // Zero-width non-joiner
+            '\u200D', // Zero-width joiner
+            '\u2060', // Word joiner
+            '\uFEFF', // BOM
+            '\u00AD', // Soft hyphen
+            '\u034F', // Combining grapheme joiner
+            '\u061C', // Arabic letter mark
+            '\u180E', // Mongolian vowel separator
+        ];
+        let invisibleCount = 0;
+        for (const char of content) {
+            if (invisibleChars.includes(char)) {
+                invisibleCount++;
+            }
+        }
+        if (invisibleCount > 2) {
+            triggers.push('invisible characters');
+        }
+        // Check for right-to-left override (can hide text direction)
+        if (content.includes('\u202E') || content.includes('\u202D') || content.includes('\u200F')) {
+            triggers.push('RTL override');
+        }
+        // Check for combining characters abuse (can hide text)
+        const combiningPattern = /[\u0300-\u036F]{3,}/;
+        if (combiningPattern.test(content)) {
+            triggers.push('combining character abuse');
+        }
+        if (triggers.length > 0) {
+            const risk = triggers.length >= 2 ? 'dangerous' : 'destructive';
+            return {
+                risk,
+                reason: 'Unicode obfuscation detected',
+                triggers,
+                metadata: { homoglyphCount, invisibleCount },
+            };
+        }
+        return null;
+    }
+    /**
+     * Check for Markdown/HTML injection.
+     */
+    checkMarkdownInjection(content) {
+        const triggers = [];
+        // JavaScript protocol in links
+        if (/\[.*?\]\s*\(\s*javascript:/i.test(content)) {
+            triggers.push('javascript: link');
+            return {
+                risk: 'dangerous',
+                reason: 'JavaScript injection in markdown link',
+                triggers,
+            };
+        }
+        // Data URI with script
+        if (/\[.*?\]\s*\(\s*data:text\/(html|javascript)/i.test(content)) {
+            triggers.push('data: URI injection');
+            return {
+                risk: 'dangerous',
+                reason: 'Data URI injection in markdown link',
+                triggers,
+            };
+        }
+        // VBScript protocol
+        if (/\[.*?\]\s*\(\s*vbscript:/i.test(content)) {
+            triggers.push('vbscript: link');
+            return {
+                risk: 'dangerous',
+                reason: 'VBScript injection in markdown link',
+                triggers,
+            };
+        }
+        // Event handlers in HTML
+        const eventHandlerPattern = /on(click|load|error|mouseover|focus|blur|submit|change|keyup|keydown|keypress)\s*=/i;
+        if (eventHandlerPattern.test(content)) {
+            triggers.push('event handler injection');
+            return {
+                risk: 'dangerous',
+                reason: 'HTML event handler injection detected',
+                triggers,
+            };
+        }
+        // Script tags
+        if (/<script[\s>]/i.test(content)) {
+            triggers.push('script tag');
+            return {
+                risk: 'dangerous',
+                reason: 'Script tag injection detected',
+                triggers,
+            };
+        }
+        // iframes
+        if (/<iframe[\s>]/i.test(content)) {
+            triggers.push('iframe tag');
+            return {
+                risk: 'destructive',
+                reason: 'Iframe injection detected',
+                triggers,
+            };
+        }
+        // Object/embed tags
+        if (/<(object|embed)[\s>]/i.test(content)) {
+            triggers.push('object/embed tag');
+            return {
+                risk: 'destructive',
+                reason: 'Object/embed tag injection detected',
+                triggers,
+            };
+        }
+        // Form injection
+        if (/<form[\s>]/i.test(content)) {
+            triggers.push('form tag');
+            return {
+                risk: 'write',
+                reason: 'Form tag detected in content',
+                triggers,
+            };
+        }
+        return null;
+    }
+    /**
+     * Check for delimiter injection attempts.
+     */
+    checkDelimiterInjection(content) {
+        const triggers = [];
+        // Common AI prompt delimiters
+        const delimiterPatterns = [
+            // XML-style delimiters
+            /<\/?instructions?>/i,
+            /<\/?prompt>/i,
+            /<\/?context>/i,
+            /<\/?user>/i,
+            /<\/?assistant>/i,
+            /<\/?human>/i,
+            /<\/?ai>/i,
+            /<\/?system>/i,
+            // Markdown-style separators used in prompts - bounded whitespace
+            /---\s{0,5}(?:end|begin|start)\s{0,5}(?:of\s{1,10})?(?:prompt|instructions?|system|context)/i,
+            /===\s{0,5}(?:end|begin|start)\s{0,5}(?:of\s{1,10})?(?:prompt|instructions?|system|context)/i,
+            /###\s{0,5}(?:end|begin|start)\s{0,5}(?:of\s{1,10})?(?:prompt|instructions?|system|context)/i,
+            // ChatML-style
+            /<\|im_start\|>/i,
+            /<\|im_end\|>/i,
+            /<\|endoftext\|>/i,
+            // Common prompt separators
+            /\[\/INST\]/i,
+            /\[INST\]/i,
+            /\[\[USER\]\]/i,
+            /\[\[ASSISTANT\]\]/i,
+            /<\|user\|>/i,
+            /<\|assistant\|>/i,
+        ];
+        for (const pattern of delimiterPatterns) {
+            if (pattern.test(content)) {
+                triggers.push('prompt delimiter');
+            }
+        }
+        if (triggers.length > 0) {
+            return {
+                risk: 'dangerous',
+                reason: 'Prompt delimiter injection detected',
+                triggers,
+            };
+        }
+        // Multiple line breaks might be trying to push content "out of view"
+        if (/\n{10,}/.test(content) || /\r\n{10,}/.test(content)) {
+            return {
+                risk: 'write',
+                reason: 'Excessive line breaks detected (possible content hiding)',
+                triggers: ['excessive newlines'],
+            };
+        }
+        return null;
+    }
+    /**
+     * Check for jailbreak patterns.
+     */
+    checkJailbreakPatterns(content) {
+        // Patterns use bounded whitespace \s{1,10} to prevent ReDoS attacks
+        const dangerousPatterns = [
+            // DAN (Do Anything Now) and variants
+            /\bdan\b.*\bmode\b/i,
+            /do\s{1,10}anything\s{1,10}now/i,
+            /\bdeveloper\s{1,10}mode\b/i,
+            /\bunleashed\s{1,10}mode\b/i,
+            /\bjailbreak(?:ed)?\b/i,
+            /\bmaximum\s{1,10}mode\b/i,
+            // "Pretend" bypasses
+            /pretend\s{1,10}(?:there\s{1,10}are\s{1,10})?no\s{1,10}(?:rules?|restrictions?|limitations?|filters?)/i,
+            /pretend\s{1,10}you\s{1,10}(?:can|are\s{1,10}able\s{1,10}to)/i,
+            /hypothetically,?\s{1,10}if\s{1,10}you\s{1,10}(?:could|were)/i,
+            /in\s{1,10}a\s{1,10}hypothetical\s{1,10}scenario\s{1,10}where\s{1,10}you\s{1,10}(?:could|can)/i,
+            // Fictional framing - use non-greedy match with bounded length
+            /for\s{1,10}(?:a\s{1,10})?(?:fiction|story|novel|screenplay|creative\s{1,10}writing).{0,50}?(?:ignore|bypass|without)/i,
+            /this\s{1,10}is\s{1,10}for\s{1,10}(?:educational|research|academic)\s{1,10}purposes?\s{0,10}(?:only)?/i,
+            // Capability unlocking
+            /unlock\s{1,10}(?:your\s{1,10})?(?:full\s{1,10})?capabilities/i,
+            /enable\s{1,10}(?:your\s{1,10})?(?:hidden|all|full)\s{1,10}(?:features?|capabilities|functions?)/i,
+            /activate\s{1,10}(?:your\s{1,10})?(?:hidden|all|full)\s{1,10}(?:features?|capabilities|functions?)/i,
+            /disable\s{1,10}(?:your\s{1,10})?(?:all\s{1,10})?(?:safety|content)\s{0,5}(?:filters?|restrictions?|guidelines?)?/i,
+            /remove\s{1,10}(?:your\s{1,10})?(?:all\s{1,10})?(?:safety|content)\s{0,5}(?:filters?|restrictions?|guidelines?)?/i,
+            /turn\s{1,10}off\s{1,10}(?:your\s{1,10})?(?:all\s{1,10})?(?:safety|content)\s{0,5}(?:filters?|restrictions?|guidelines?)?/i,
+            // Moral bypass
+            /you\s{1,10}(?:will\s{1,10})?not\s{1,10}(?:be\s{1,10})?judged/i,
+            /no\s{1,10}one\s{1,10}will\s{1,10}(?:ever\s{1,10})?know/i,
+            /this\s{1,10}(?:conversation|chat|discussion)\s{1,10}is\s{1,10}private/i,
+            /everything\s{1,10}is\s{1,10}legal\s{1,10}here/i,
+            /there\s{1,10}are\s{1,10}no\s{1,10}consequences/i,
+        ];
+        const destructivePatterns = [
+            // Softer jailbreak attempts - bounded whitespace
+            /what\s{1,10}if\s{1,10}you\s{1,10}didn'?t\s{1,10}have\s{1,10}(?:any\s{1,10})?restrictions/i,
+            /imagine\s{1,10}you\s{1,10}had\s{1,10}no\s{1,10}(?:rules?|restrictions?|limitations?)/i,
+            /if\s{1,10}you\s{1,10}were\s{1,10}free\s{1,10}to\s{1,10}(?:say|do)\s{1,10}anything/i,
+        ];
+        for (const pattern of dangerousPatterns) {
+            if (pattern.test(content)) {
+                return {
+                    risk: 'dangerous',
+                    reason: 'Jailbreak attempt detected',
+                    triggers: ['jailbreak pattern'],
+                };
+            }
+        }
+        for (const pattern of destructivePatterns) {
+            if (pattern.test(content)) {
+                return {
+                    risk: 'destructive',
+                    reason: 'Potential jailbreak attempt detected',
+                    triggers: ['soft jailbreak pattern'],
+                };
+            }
+        }
+        return null;
+    }
+    /**
+     * Check for data exfiltration attempts via prompt injection.
+     */
+    checkDataExfiltration(content) {
+        // Patterns use bounded whitespace \s{1,10} to prevent ReDoS attacks
+        const dangerousPatterns = [
+            // Direct exfiltration
+            /send\s{1,10}(?:all\s{1,10})?(?:the\s{1,10})?(?:data|information|content|files?|secrets?|passwords?|keys?|tokens?)\s{1,10}to/i,
+            /exfiltrate\s{1,10}(?:all\s{1,10})?(?:the\s{1,10})?/i,
+            /leak\s{1,10}(?:all\s{1,10})?(?:the\s{1,10})?(?:data|information|content)/i,
+            /upload\s{1,10}(?:all\s{1,10})?(?:the\s{1,10})?(?:data|information|content|files?)\s{1,10}to/i,
+            /post\s{1,10}(?:all\s{1,10})?(?:the\s{1,10})?(?:data|information|content)\s{1,10}to\s{1,10}(?:http|https|ftp)/i,
+            // Encode and send
+            /encode\s{1,10}(?:and\s{1,10})?(?:send|transmit|upload)/i,
+            /base64\s{1,10}(?:encode\s{1,10})?(?:and\s{1,10})?(?:send|transmit|upload)/i,
+            // Concatenation tricks
+            /concatenate\s{1,10}(?:all|the)\s{1,10}(?:above|previous|data|content)/i,
+            /combine\s{1,10}(?:all|the)\s{1,10}(?:above|previous|data|content)\s{1,10}(?:and\s{1,10})?(?:send|output)/i,
+            // Hidden channel exfil
+            /include\s{1,10}(?:in|as)\s{1,10}(?:the\s{1,10})?(?:url|query|parameter|header)/i,
+            /append\s{1,10}to\s{1,10}(?:the\s{1,10})?(?:url|query|request)/i,
+        ];
+        for (const pattern of dangerousPatterns) {
+            if (pattern.test(content)) {
+                return {
+                    risk: 'dangerous',
+                    reason: 'Data exfiltration attempt detected',
+                    triggers: ['data exfiltration'],
+                };
+            }
+        }
+        return null;
+    }
+    /**
+     * Helper: Check if decoded content contains injection keywords.
+     */
+    containsInjectionKeywords(decoded) {
+        const keywords = [
+            'ignore',
+            'previous',
+            'instructions',
+            'system',
+            'prompt',
+            'jailbreak',
+            'dan',
+            'developer mode',
+            'pretend',
+            'roleplay',
+            'you are now',
+        ];
+        const lowerDecoded = decoded.toLowerCase();
+        return keywords.some(keyword => lowerDecoded.includes(keyword));
+    }
+    /**
+     * Helper: Get ratio of printable characters.
+     */
+    getPrintableRatio(text) {
+        if (text.length === 0)
+            return 0;
+        let printable = 0;
+        for (const char of text) {
+            const code = char.charCodeAt(0);
+            if ((code >= 32 && code <= 126) || (code >= 160 && code <= 255) || char === '\n' || char === '\t') {
+                printable++;
+            }
+        }
+        return printable / text.length;
+    }
+    /**
+     * Helper: Compare risk levels.
+     */
+    isHigherRisk(a, b) {
+        const riskOrder = ['safe', 'read', 'write', 'destructive', 'dangerous'];
+        return riskOrder.indexOf(a) > riskOrder.indexOf(b);
+    }
+    /**
+     * Helper: Get reason string based on risk level and triggers.
+     */
+    getRiskReason(risk, triggers) {
+        const triggerSummary = triggers.slice(0, 3).join(', ');
+        switch (risk) {
+            case 'dangerous':
+                return `Prompt injection attack detected: ${triggerSummary}`;
+            case 'destructive':
+                return `High-risk prompt manipulation detected: ${triggerSummary}`;
+            case 'write':
+                return `Suspicious patterns detected: ${triggerSummary}`;
+            case 'read':
+                return `Minor suspicious patterns detected: ${triggerSummary}`;
+            default:
+                return 'No injection patterns detected';
+        }
+    }
+}
+//# sourceMappingURL=prompt-injection.js.map