@guava-parity/guard-scanner 13.0.0 → 15.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
  1. package/README.md +42 -253
  2. package/SECURITY.md +12 -4
  3. package/SKILL.md +121 -59
  4. package/dist/openclaw-plugin.mjs +41 -0
  5. package/docs/EVIDENCE_DRIVEN.md +182 -0
  6. package/docs/banner.png +0 -0
  7. package/docs/data/corpus-metrics.json +11 -0
  8. package/docs/data/latest.json +25837 -2481
  9. package/docs/generated/npm-audit-20260312.json +96 -0
  10. package/docs/generated/openclaw-upstream-status.json +25 -0
  11. package/docs/glossary.md +46 -0
  12. package/docs/index.html +1085 -496
  13. package/docs/logo.png +0 -0
  14. package/docs/openclaw-compatibility-audit.md +44 -0
  15. package/docs/openclaw-continuous-compatibility-plan.md +36 -0
  16. package/docs/rules/a2a-contagion.md +68 -0
  17. package/docs/rules/advanced-exfil.md +52 -0
  18. package/docs/rules/agent-protocol.md +108 -0
  19. package/docs/rules/api-abuse.md +68 -0
  20. package/docs/rules/autonomous-risk.md +92 -0
  21. package/docs/rules/config-impact.md +132 -0
  22. package/docs/rules/credential-handling.md +100 -0
  23. package/docs/rules/cve-patterns.md +332 -0
  24. package/docs/rules/data-exposure.md +84 -0
  25. package/docs/rules/exfiltration.md +36 -0
  26. package/docs/rules/financial-access.md +84 -0
  27. package/docs/rules/identity-hijack.md +140 -0
  28. package/docs/rules/inference-manipulation.md +60 -0
  29. package/docs/rules/leaky-skills.md +52 -0
  30. package/docs/rules/malicious-code.md +108 -0
  31. package/docs/rules/mcp-security.md +148 -0
  32. package/docs/rules/memory-poisoning.md +84 -0
  33. package/docs/rules/model-poisoning.md +44 -0
  34. package/docs/rules/obfuscation.md +60 -0
  35. package/docs/rules/persistence.md +108 -0
  36. package/docs/rules/pii-exposure.md +116 -0
  37. package/docs/rules/prompt-injection.md +148 -0
  38. package/docs/rules/prompt-worm.md +44 -0
  39. package/docs/rules/safeguard-bypass.md +44 -0
  40. package/docs/rules/sandbox-escape.md +100 -0
  41. package/docs/rules/secret-detection.md +44 -0
  42. package/docs/rules/supply-chain-v2.md +92 -0
  43. package/docs/rules/suspicious-download.md +60 -0
  44. package/docs/rules/trust-boundary.md +76 -0
  45. package/docs/rules/trust-exploitation.md +92 -0
  46. package/docs/rules/unverifiable-deps.md +84 -0
  47. package/docs/rules/vdb-injection.md +84 -0
  48. package/docs/security-vulnerability-report-20260312.md +53 -0
  49. package/docs/spec/PRD_V2_ARCHITECTURE.md +55 -0
  50. package/docs/spec/capabilities.json +42 -0
  51. package/docs/spec/finding.schema.json +104 -0
  52. package/docs/spec/integration-manifest.md +39 -0
  53. package/docs/spec/sbom.json +33 -0
  54. package/docs/threat-model.md +65 -0
  55. package/docs/v13-architecture-manifest.md +55 -0
  56. package/hooks/context.js +305 -0
  57. package/hooks/guard-scanner/plugin.ts +24 -1
  58. package/openclaw-plugin.mts +91 -0
  59. package/openclaw.plugin.json +30 -53
  60. package/package.json +23 -8
  61. package/src/cli.js +174 -34
  62. package/src/core/content-loader.js +42 -0
  63. package/src/core/inventory.js +73 -0
  64. package/src/core/report-adapters.js +171 -0
  65. package/src/core/risk-engine.js +93 -0
  66. package/src/core/rule-registry.js +73 -0
  67. package/src/core/semantic-validators.js +85 -0
  68. package/src/finding-schema.js +191 -0
  69. package/src/hooks/context.ts +49 -0
  70. package/src/html-template.js +2 -2
  71. package/src/mcp-server.js +24 -73
  72. package/src/openclaw-upstream.js +128 -0
  73. package/src/patterns.js +371 -353
  74. package/src/policy-engine.js +32 -0
  75. package/src/runtime-guard.js +40 -2
  76. package/src/scanner.js +101 -216
  77. package/src/skill-crawler.js +254 -0
  78. package/src/threat-model.js +50 -0
  79. package/src/validation-layer.js +39 -0
package/src/patterns.js CHANGED
@@ -10,7 +10,7 @@
10
10
  * exec: none
11
11
  * purpose: Pattern definitions only — no I/O, pure data export
12
12
  *
13
- * 17 threat categories based on:
13
+ * 32 threat categories based on:
14
14
  * - Snyk ToxicSkills taxonomy (2025-2026)
15
15
  * - OWASP MCP Top 10
16
16
  * - Palo Alto Networks IBC (Indirect Bias Criteria)
@@ -21,375 +21,393 @@
21
21
 
22
22
  const PATTERNS = [
23
23
  // ── Category 1: Prompt Injection (CRITICAL) ──
24
- { id: 'PI_IGNORE', cat: 'prompt-injection', regex: /ignore\s+(all\s+)?previous\s+instructions|disregard\s+(all\s+)?prior/gi, severity: 'CRITICAL', desc: 'Prompt injection: ignore instructions', docOnly: true },
25
- { id: 'PI_ROLE', cat: 'prompt-injection', regex: /you\s+are\s+(now|actually)|your\s+new\s+role|forget\s+your\s+(rules|instructions)/gi, severity: 'CRITICAL', desc: 'Prompt injection: role override', docOnly: true },
26
- { id: 'PI_SYSTEM', cat: 'prompt-injection', regex: /\[SYSTEM\]|\\<system\\>|<<SYS>>|system:\s*you\s+are/gi, severity: 'CRITICAL', desc: 'Prompt injection: system message impersonation', docOnly: true },
27
- { id: 'PI_ZWSP', cat: 'prompt-injection', regex: /[\u200b\u200c\u200d\u2060\ufeff]/g, severity: 'CRITICAL', desc: 'Zero-width Unicode (hidden text)', all: true },
28
- { id: 'PI_BIDI', cat: 'prompt-injection', regex: /[\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069]/g, severity: 'CRITICAL', desc: 'Unicode BiDi control character (text direction attack)', all: true },
29
- { id: 'PI_INVISIBLE', cat: 'prompt-injection', regex: /[\u00ad\u034f\u061c\u180e\u2000-\u200f\u2028-\u202f\u205f-\u2064\u206a-\u206f\u3000](?!\ufe0f)/g, severity: 'HIGH', desc: 'Invisible/formatting Unicode character', all: true },
30
- { id: 'PI_HOMOGLYPH', cat: 'prompt-injection', regex: /[а-яА-Я].*[a-zA-Z]|[a-zA-Z].*[а-яА-Я]/g, severity: 'HIGH', desc: 'Cyrillic/Latin homoglyph mixing', all: true },
31
- { id: 'PI_HOMOGLYPH_GREEK', cat: 'prompt-injection', regex: /[α-ωΑ-Ω].*[a-zA-Z].*[α-ωΑ-Ω]|[a-zA-Z].*[α-ωΑ-Ω].*[a-zA-Z]/g, severity: 'HIGH', desc: 'Greek/Latin homoglyph mixing', all: true },
32
- { id: 'PI_HOMOGLYPH_MATH', cat: 'prompt-injection', regex: /[\ud835\udc00-\ud835\udeff]/gu, severity: 'HIGH', desc: 'Mathematical symbol homoglyphs (𝐀-𝟿)', all: true },
33
- { id: 'PI_TAG_INJECTION', cat: 'prompt-injection', regex: /<\/?(?:system|user|assistant|human|tool_call|function_call|antml|anthropic)[>\s]/gi, severity: 'CRITICAL', desc: 'XML/tag-based prompt injection', all: true },
34
- { id: 'PI_BASE64_MD', cat: 'prompt-injection', regex: /(?:run|execute|eval|decode)\s+(?:this\s+)?base64/gi, severity: 'CRITICAL', desc: 'Base64 execution instruction in docs', docOnly: true },
24
+ { id: 'PI_IGNORE', cat: 'prompt-injection', regex: /ignore\s+(all\s+)?previous\s+instructions|disregard\s+(all\s+)?prior/gi, severity: 'CRITICAL', desc: 'Prompt injection: ignore instructions', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
25
+ { id: 'PI_ROLE', cat: 'prompt-injection', regex: /you\s+are\s+(now|actually)|your\s+new\s+role|forget\s+your\s+(rules|instructions)/gi, severity: 'CRITICAL', desc: 'Prompt injection: role override', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
26
+ { id: 'PI_SYSTEM', cat: 'prompt-injection', regex: /\[SYSTEM\]|\\<system\\>|<<SYS>>|system:\s*you\s+are/gi, severity: 'CRITICAL', desc: 'Prompt injection: system message impersonation', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
27
+ { id: 'PI_ZWSP', cat: 'prompt-injection', regex: /[\u200b\u200c\u200d\u2060\ufeff]/g, severity: 'CRITICAL', desc: 'Zero-width Unicode (hidden text)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
28
+ { id: 'PI_BIDI', cat: 'prompt-injection', regex: /[\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069]/g, severity: 'CRITICAL', desc: 'Unicode BiDi control character (text direction attack)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
29
+ { id: 'PI_INVISIBLE', cat: 'prompt-injection', regex: /[\u00ad\u034f\u061c\u180e\u2000-\u200f\u2028-\u202f\u205f-\u2064\u206a-\u206f\u3000](?!\ufe0f)/g, severity: 'HIGH', desc: 'Invisible/formatting Unicode character', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
30
+ { id: 'PI_HOMOGLYPH', cat: 'prompt-injection', regex: /[а-яА-Я].*[a-zA-Z]|[a-zA-Z].*[а-яА-Я]/g, severity: 'HIGH', desc: 'Cyrillic/Latin homoglyph mixing', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
31
+ { id: 'PI_HOMOGLYPH_GREEK', cat: 'prompt-injection', regex: /[α-ωΑ-Ω].*[a-zA-Z].*[α-ωΑ-Ω]|[a-zA-Z].*[α-ωΑ-Ω].*[a-zA-Z]/g, severity: 'HIGH', desc: 'Greek/Latin homoglyph mixing', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
32
+ { id: 'PI_HOMOGLYPH_MATH', cat: 'prompt-injection', regex: /[\ud835\udc00-\ud835\udeff]/gu, severity: 'HIGH', desc: 'Mathematical symbol homoglyphs (𝐀-𝟿)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
33
+ { id: 'PI_TAG_INJECTION', cat: 'prompt-injection', regex: /<\/?(?:system|user|assistant|human|tool_call|function_call|antml|anthropic)[>\s]/gi, severity: 'CRITICAL', desc: 'XML/tag-based prompt injection', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
34
+ { id: 'PI_BASE64_MD', cat: 'prompt-injection', regex: /(?:run|execute|eval|decode)\s+(?:this\s+)?base64/gi, severity: 'CRITICAL', desc: 'Base64 execution instruction in docs', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
35
35
 
36
36
  // ── Category 2: Malicious Code (CRITICAL) ──
37
- { id: 'MAL_EVAL', cat: 'malicious-code', regex: /\beval\s*\(/g, severity: 'HIGH', desc: 'Dynamic code evaluation', codeOnly: true },
38
- { id: 'MAL_FUNC_CTOR', cat: 'malicious-code', regex: /new\s+Function\s*\(/g, severity: 'HIGH', desc: 'Function constructor (dynamic code)', codeOnly: true },
39
- { id: 'MAL_CHILD', cat: 'malicious-code', regex: /require\s*\(\s*['"]child_process['"]\)|child_process/g, severity: 'MEDIUM', desc: 'Child process module', codeOnly: true },
40
- { id: 'MAL_EXEC', cat: 'malicious-code', regex: /\bexecSync\s*\(|\bexec\s*\(\s*[`'"]/g, severity: 'MEDIUM', desc: 'Command execution', codeOnly: true },
41
- { id: 'MAL_SPAWN', cat: 'malicious-code', regex: /\bspawn\s*\(\s*['"`]/g, severity: 'MEDIUM', desc: 'Process spawn', codeOnly: true },
42
- { id: 'MAL_SHELL', cat: 'malicious-code', regex: /\/bin\/(sh|bash|zsh)|cmd\.exe|powershell\.exe/gi, severity: 'MEDIUM', desc: 'Shell invocation', codeOnly: true },
43
- { id: 'MAL_REVSHELL', cat: 'malicious-code', regex: /reverse.?shell|bind.?shell|\bnc\s+-[elp]|\bncat\s+-e|\bsocat\s+TCP/gi, severity: 'CRITICAL', desc: 'Reverse/bind shell', all: true },
44
- { id: 'MAL_SOCKET', cat: 'malicious-code', regex: /\bnet\.Socket\b[\s\S]{0,50}\.connect\s*\(/g, severity: 'HIGH', desc: 'Raw socket connection', codeOnly: true },
37
+ { id: 'MAL_EVAL', cat: 'malicious-code', regex: /\beval\s*\(/g, severity: 'HIGH', desc: 'Dynamic code evaluation', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
38
+ { id: 'MAL_FUNC_CTOR', cat: 'malicious-code', regex: /new\s+Function\s*\(/g, severity: 'HIGH', desc: 'Function constructor (dynamic code)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
39
+ { id: 'MAL_CHILD', cat: 'malicious-code', regex: /require\s*\(\s*['"]child_process['"]\)|child_process/g, severity: 'MEDIUM', desc: 'Child process module', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
40
+ { id: 'MAL_EXEC', cat: 'malicious-code', regex: /\bexecSync\s*\(|\bexec\s*\(\s*[`'"]/g, severity: 'MEDIUM', desc: 'Command execution', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
41
+ { id: 'MAL_SPAWN', cat: 'malicious-code', regex: /\bspawn\s*\(\s*['"`]/g, severity: 'MEDIUM', desc: 'Process spawn', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
42
+ { id: 'MAL_SHELL', cat: 'malicious-code', regex: /\/bin\/(sh|bash|zsh)|cmd\.exe|powershell\.exe/gi, severity: 'MEDIUM', desc: 'Shell invocation', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
43
+ { id: 'MAL_REVSHELL', cat: 'malicious-code', regex: /reverse.?shell|bind.?shell|\bnc\s+-[elp]|\bncat\s+-e|\bsocat\s+TCP/gi, severity: 'CRITICAL', desc: 'Reverse/bind shell', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
44
+ { id: 'MAL_SOCKET', cat: 'malicious-code', regex: /\bnet\.Socket\b[\s\S]{0,50}\.connect\s*\(/g, severity: 'HIGH', desc: 'Raw socket connection', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
45
45
 
46
46
  // ── Category 3: Suspicious Downloads (CRITICAL) ──
47
- { id: 'DL_CURL_BASH', cat: 'suspicious-download', regex: /curl\s+[^\n]*\|\s*(sh|bash|zsh)|wget\s+[^\n]*\|\s*(sh|bash|zsh)/g, severity: 'CRITICAL', desc: 'Pipe download to shell', all: true },
48
- { id: 'DL_EXE', cat: 'suspicious-download', regex: /download\s+[^\n]*\.(zip|exe|dmg|msi|pkg|appimage|deb|rpm)/gi, severity: 'CRITICAL', desc: 'Download executable/archive', docOnly: true },
49
- { id: 'DL_GITHUB_RELEASE', cat: 'suspicious-download', regex: /github\.com\/[^\/]+\/[^\/]+\/releases\/download/g, severity: 'MEDIUM', desc: 'GitHub release download', all: true },
50
- { id: 'DL_PASSWORD_ZIP', cat: 'suspicious-download', regex: /password[\s:]+[^\n]*\.zip|\.zip[\s\S]{0,100}password/gi, severity: 'CRITICAL', desc: 'Password-protected archive (evasion technique)', all: true },
47
+ { id: 'DL_CURL_BASH', cat: 'suspicious-download', regex: /curl\s+[^\n]*\|\s*(sh|bash|zsh)|wget\s+[^\n]*\|\s*(sh|bash|zsh)/g, severity: 'CRITICAL', desc: 'Pipe download to shell', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
48
+ { id: 'DL_EXE', cat: 'suspicious-download', regex: /download\s+[^\n]*\.(zip|exe|dmg|msi|pkg|appimage|deb|rpm)/gi, severity: 'CRITICAL', desc: 'Download executable/archive', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
49
+ { id: 'DL_GITHUB_RELEASE', cat: 'suspicious-download', regex: /github\.com\/[^\/]+\/[^\/]+\/releases\/download/g, severity: 'MEDIUM', desc: 'GitHub release download', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
50
+ { id: 'DL_PASSWORD_ZIP', cat: 'suspicious-download', regex: /password[\s:]+[^\n]*\.zip|\.zip[\s\S]{0,100}password/gi, severity: 'CRITICAL', desc: 'Password-protected archive (evasion technique)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
51
51
 
52
52
  // ── Category 4: Credential Handling (HIGH) ──
53
- { id: 'CRED_ENV_FILE', cat: 'credential-handling', regex: /(?:read|open|load|parse|require|cat|source)\s*[(\s]['\"`]?[^\n]*\.env\b/gi, severity: 'HIGH', desc: 'Reading .env file', codeOnly: true },
54
- { id: 'CRED_ENV_REF', cat: 'credential-handling', regex: /process\.env\.[A-Z_]*(?:KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL)/gi, severity: 'MEDIUM', desc: 'Sensitive env var access', codeOnly: true },
55
- { id: 'CRED_SSH', cat: 'credential-handling', regex: /\.ssh\/|id_rsa|id_ed25519|authorized_keys/gi, severity: 'HIGH', desc: 'SSH key access', codeOnly: true },
56
- { id: 'CRED_WALLET', cat: 'credential-handling', regex: /wallet[\s._-]*(?:key|seed|phrase|mnemonic)|seed[\s._-]*phrase|mnemonic[\s._-]*phrase/gi, severity: 'HIGH', desc: 'Crypto wallet credential access', codeOnly: true },
57
- { id: 'CRED_ECHO', cat: 'credential-handling', regex: /echo\s+\$[A-Z_]*(?:KEY|TOKEN|SECRET|PASS)|(?:print|console\.log)\s*\(\s*(?:.*\b(?:api_key|secret_key|access_token|password)\b)/gi, severity: 'HIGH', desc: 'Credential echo/print to output', all: true },
58
- { id: 'CRED_SUDO', cat: 'credential-handling', regex: /\bsudo\s+(?:curl|wget|npm|pip|chmod|chown|bash)/g, severity: 'HIGH', desc: 'Sudo in installation instructions', docOnly: true },
53
+ { id: 'CRED_ENV_FILE', cat: 'credential-handling', regex: /(?:read|open|load|parse|require|cat|source)\s*[(\s]['\"`]?[^\n]*\.env\b/gi, severity: 'HIGH', desc: 'Reading .env file', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
54
+ { id: 'CRED_ENV_REF', cat: 'credential-handling', regex: /process\.env\.[A-Z_]*(?:KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL)/gi, severity: 'MEDIUM', desc: 'Sensitive env var access', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
55
+ { id: 'CRED_SSH', cat: 'credential-handling', regex: /\.ssh\/|id_rsa|id_ed25519|authorized_keys/gi, severity: 'HIGH', desc: 'SSH key access', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
56
+ { id: 'CRED_WALLET', cat: 'credential-handling', regex: /wallet[\s._-]*(?:key|seed|phrase|mnemonic)|seed[\s._-]*phrase|mnemonic[\s._-]*phrase/gi, severity: 'HIGH', desc: 'Crypto wallet credential access', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
57
+ { id: 'CRED_ECHO', cat: 'credential-handling', regex: /echo\s+\$[A-Z_]*(?:KEY|TOKEN|SECRET|PASS)|(?:print|console\.log)\s*\(\s*(?:.*\b(?:api_key|secret_key|access_token|password)\b)/gi, severity: 'HIGH', desc: 'Credential echo/print to output', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
58
+ { id: 'CRED_SUDO', cat: 'credential-handling', regex: /\bsudo\s+(?:curl|wget|npm|pip|chmod|chown|bash)/g, severity: 'HIGH', desc: 'Sudo in installation instructions', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
59
59
 
60
60
  // ── Category 5: Secret Detection (HIGH) ──
61
- { id: 'SECRET_HARDCODED_KEY', cat: 'secret-detection', regex: /(?:api[_-]?key|apikey|secret[_-]?key|access[_-]?token)\s*[:=]\s*['"][a-zA-Z0-9_\-]{20,}['"]/gi, severity: 'HIGH', desc: 'Hardcoded API key/secret', codeOnly: true },
61
+ { id: 'SECRET_HARDCODED_KEY', cat: 'secret-detection', regex: /(?:api[_-]?key|apikey|secret[_-]?key|access[_-]?token)\s*[:=]\s*['"][a-zA-Z0-9_\-]{20,}['"]/gi, severity: 'HIGH', desc: 'Hardcoded API key/secret', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
62
62
 
63
- { id: 'PII_MY_NUMBER', cat: 'pii-exposure', regex: /(?<!\d)\d{4}\s*\d{4}\s*\d{4}(?!\d)/g, severity: 'CRITICAL', desc: 'Potential My Number (個人番号)', all: true },
64
- { id: 'SECRET_PRIVATE_KEY', cat: 'secret-detection', regex: /-----BEGIN\s+(RSA\s+)?PRIVATE\s+KEY-----/g, severity: 'CRITICAL', desc: 'Embedded private key', all: true },
65
- { id: 'SECRET_GITHUB_TOKEN', cat: 'secret-detection', regex: /gh[ps]_[A-Za-z0-9_]{36,}/g, severity: 'CRITICAL', desc: 'GitHub token', all: true },
63
+ { id: 'PII_MY_NUMBER', cat: 'pii-exposure', regex: /(?<!\d)\d{4}\s*\d{4}\s*\d{4}(?!\d)/g, severity: 'CRITICAL', desc: 'Potential My Number (個人番号)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
64
+ { id: 'SECRET_PRIVATE_KEY', cat: 'secret-detection', regex: /-----BEGIN\s+(RSA\s+)?PRIVATE\s+KEY-----/g, severity: 'CRITICAL', desc: 'Embedded private key', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
65
+ { id: 'SECRET_GITHUB_TOKEN', cat: 'secret-detection', regex: /gh[ps]_[A-Za-z0-9_]{36,}/g, severity: 'CRITICAL', desc: 'GitHub token', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
66
66
 
67
67
  // ── Category 6: Exfiltration (MEDIUM) ──
68
- { id: 'EXFIL_WEBHOOK', cat: 'exfiltration', regex: /webhook\.site|requestbin\.com|hookbin\.com|pipedream\.net/gi, severity: 'CRITICAL', desc: 'Known exfiltration endpoint', all: true },
69
- { id: 'EXFIL_POST', cat: 'exfiltration', regex: /(?:method:\s*['"]POST['"]|\.post\s*\()\s*[^\n]*(?:secret|token|key|cred|env|password)/gi, severity: 'HIGH', desc: 'POST with sensitive data', codeOnly: true },
70
- { id: 'EXFIL_CURL_DATA', cat: 'exfiltration', regex: /curl\s+[^\n]*(?:-d|--data)\s+[^\n]*(?:\$|env|key|token|secret)/gi, severity: 'HIGH', desc: 'curl exfiltration of secrets', all: true },
71
- { id: 'EXFIL_DNS', cat: 'exfiltration', regex: /dns\.resolve|nslookup\s+.*\$|dig\s+.*\$/g, severity: 'HIGH', desc: 'DNS-based exfiltration', codeOnly: true },
68
+ { id: 'EXFIL_WEBHOOK', cat: 'exfiltration', regex: /webhook\.site|requestbin\.com|hookbin\.com|pipedream\.net/gi, severity: 'CRITICAL', desc: 'Known exfiltration endpoint', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
69
+ { id: 'EXFIL_POST', cat: 'exfiltration', regex: /(?:method:\s*['"]POST['"]|\.post\s*\()\s*[^\n]*(?:secret|token|key|cred|env|password)/gi, severity: 'HIGH', desc: 'POST with sensitive data', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
70
+ { id: 'EXFIL_CURL_DATA', cat: 'exfiltration', regex: /curl\s+[^\n]*(?:-d|--data)\s+[^\n]*(?:\$|env|key|token|secret)/gi, severity: 'HIGH', desc: 'curl exfiltration of secrets', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
71
+ { id: 'EXFIL_DNS', cat: 'exfiltration', regex: /dns\.resolve|nslookup\s+.*\$|dig\s+.*\$/g, severity: 'HIGH', desc: 'DNS-based exfiltration', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
72
72
 
73
73
  // ── Category 7: Unverifiable Dependencies (MEDIUM) ──
74
- { id: 'DEP_REMOTE_IMPORT', cat: 'unverifiable-deps', regex: /import\s*\(\s*['"]https?:\/\//g, severity: 'HIGH', desc: 'Remote dynamic import', codeOnly: true },
75
- { id: 'DEP_REMOTE_SCRIPT', cat: 'unverifiable-deps', regex: /<script\s+src\s*=\s*['"]https?:\/\/[^'"]*(?!googleapis|cdn\.|unpkg|cdnjs|jsdelivr)/gi, severity: 'MEDIUM', desc: 'Remote script loading', codeOnly: true },
74
+ { id: 'DEP_REMOTE_IMPORT', cat: 'unverifiable-deps', regex: /import\s*\(\s*['"]https?:\/\//g, severity: 'HIGH', desc: 'Remote dynamic import', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
75
+ { id: 'DEP_REMOTE_SCRIPT', cat: 'unverifiable-deps', regex: /<script\s+src\s*=\s*['"]https?:\/\/[^'"]*(?!googleapis|cdn\.|unpkg|cdnjs|jsdelivr)/gi, severity: 'MEDIUM', desc: 'Remote script loading', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
76
76
 
77
77
  // ── Category 8: Financial Access (MEDIUM) ──
78
- { id: 'FIN_CRYPTO', cat: 'financial-access', regex: /private[_-]?key\s*[:=]|send[_-]?transaction|sign[_-]?transaction|transfer[_-]?funds/gi, severity: 'HIGH', desc: 'Cryptocurrency transaction operations', codeOnly: true },
79
- { id: 'FIN_PAYMENT', cat: 'financial-access', regex: /stripe\.(?:charges|payments)|paypal\.(?:payment|payout)|plaid\.(?:link|transactions)/gi, severity: 'MEDIUM', desc: 'Payment API integration', codeOnly: true },
78
+ { id: 'FIN_CRYPTO', cat: 'financial-access', regex: /private[_-]?key\s*[:=]|send[_-]?transaction|sign[_-]?transaction|transfer[_-]?funds/gi, severity: 'HIGH', desc: 'Cryptocurrency transaction operations', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
79
+ { id: 'FIN_PAYMENT', cat: 'financial-access', regex: /stripe\.(?:charges|payments)|paypal\.(?:payment|payout)|plaid\.(?:link|transactions)/gi, severity: 'MEDIUM', desc: 'Payment API integration', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
80
80
 
81
81
  // ── Category 9: Obfuscation ──
82
- { id: 'OBF_HEX', cat: 'obfuscation', regex: /\\x[0-9a-f]{2}(?:\\x[0-9a-f]{2}){4,}/gi, severity: 'HIGH', desc: 'Hex-encoded string (5+ bytes)', codeOnly: true },
83
- { id: 'OBF_BASE64_EXEC', cat: 'obfuscation', regex: /(?:atob|Buffer\.from)\s*\([^)]+\)[\s\S]{0,30}(?:eval|exec|spawn|Function)/g, severity: 'CRITICAL', desc: 'Base64 decode → execute chain', codeOnly: true },
84
- { id: 'OBF_BASE64', cat: 'obfuscation', regex: /atob\s*\(|Buffer\.from\s*\([^)]+,\s*['"]base64['"]/g, severity: 'MEDIUM', desc: 'Base64 decoding', codeOnly: true },
85
- { id: 'OBF_CHARCODE', cat: 'obfuscation', regex: /String\.fromCharCode\s*\(\s*(?:\d+\s*,\s*){3,}/g, severity: 'HIGH', desc: 'Character code construction (4+ chars)', codeOnly: true },
86
- { id: 'OBF_CONCAT', cat: 'obfuscation', regex: /\[\s*['"][a-z]['"](?:\s*,\s*['"][a-z]['""]){5,}\s*\]\.join/gi, severity: 'MEDIUM', desc: 'Array join obfuscation', codeOnly: true },
87
- { id: 'OBF_BASE64_BASH', cat: 'obfuscation', regex: /base64\s+(-[dD]|--decode)\s*\|\s*(sh|bash)/g, severity: 'CRITICAL', desc: 'Base64 decode piped to shell', all: true },
82
+ { id: 'OBF_HEX', cat: 'obfuscation', regex: /\\x[0-9a-f]{2}(?:\\x[0-9a-f]{2}){4,}/gi, severity: 'HIGH', desc: 'Hex-encoded string (5+ bytes)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
83
+ { id: 'OBF_BASE64_EXEC', cat: 'obfuscation', regex: /(?:atob|Buffer\.from)\s*\([^)]+\)[\s\S]{0,30}(?:eval|exec|spawn|Function)/g, severity: 'CRITICAL', desc: 'Base64 decode → execute chain', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
84
+ { id: 'OBF_BASE64', cat: 'obfuscation', regex: /atob\s*\(|Buffer\.from\s*\([^)]+,\s*['"]base64['"]/g, severity: 'MEDIUM', desc: 'Base64 decoding', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
85
+ { id: 'OBF_CHARCODE', cat: 'obfuscation', regex: /String\.fromCharCode\s*\(\s*(?:\d+\s*,\s*){3,}/g, severity: 'HIGH', desc: 'Character code construction (4+ chars)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
86
+ { id: 'OBF_CONCAT', cat: 'obfuscation', regex: /\[\s*['"][a-z]['"](?:\s*,\s*['"][a-z]['""]){5,}\s*\]\.join/gi, severity: 'MEDIUM', desc: 'Array join obfuscation', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
87
+ { id: 'OBF_BASE64_BASH', cat: 'obfuscation', regex: /base64\s+(-[dD]|--decode)\s*\|\s*(sh|bash)/g, severity: 'CRITICAL', desc: 'Base64 decode piped to shell', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
88
88
 
89
89
  // ── Category 10: Prerequisites Fraud ──
90
- { id: 'PREREQ_DOWNLOAD', cat: 'suspicious-download', regex: /(?:prerequisit|pre-?requisit|before\s+(?:you\s+)?(?:use|start|install))[^\n]*(?:download|install|run)\s+[^\n]*(?:\.zip|\.exe|\.dmg|\.sh|curl|wget)/gi, severity: 'CRITICAL', desc: 'Download in prerequisites', docOnly: true },
91
- { id: 'PREREQ_PASTE', cat: 'suspicious-download', regex: /(?:paste|copy)\s+(?:this\s+)?(?:into|in)\s+(?:your\s+)?terminal/gi, severity: 'HIGH', desc: 'Terminal paste instruction', docOnly: true },
90
+ { id: 'PREREQ_DOWNLOAD', cat: 'suspicious-download', regex: /(?:prerequisit|pre-?requisit|before\s+(?:you\s+)?(?:use|start|install))[^\n]*(?:download|install|run)\s+[^\n]*(?:\.zip|\.exe|\.dmg|\.sh|curl|wget)/gi, severity: 'CRITICAL', desc: 'Download in prerequisites', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
91
+ { id: 'PREREQ_PASTE', cat: 'suspicious-download', regex: /(?:paste|copy)\s+(?:this\s+)?(?:into|in)\s+(?:your\s+)?terminal/gi, severity: 'HIGH', desc: 'Terminal paste instruction', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
92
92
 
93
93
  // ── Category 11: Leaky Skills (Snyk ToxicSkills) ──
94
- { id: 'LEAK_SAVE_KEY_MEMORY', cat: 'leaky-skills', regex: /(?:save|store|write|remember|keep)\s+(?:the\s+)?(?:api[_\s-]?key|secret|token|password|credential)\s+(?:in|to)\s+(?:your\s+)?(?:memory|MEMORY\.md|notes)/gi, severity: 'CRITICAL', desc: 'Leaky: save secret in agent memory', docOnly: true },
95
- { id: 'LEAK_SHARE_KEY', cat: 'leaky-skills', regex: /(?:share|show|display|output|print|tell|send)\s+(?:the\s+)?(?:api[_\s-]?key|secret|token|password|credential|inbox\s+url)\s+(?:to|with)\s+(?:the\s+)?(?:user|human|owner)/gi, severity: 'CRITICAL', desc: 'Leaky: output secret to user', docOnly: true },
96
- { id: 'LEAK_VERBATIM_CURL', cat: 'leaky-skills', regex: /(?:use|include|put|add|set)\s+(?:the\s+)?(?:api[_\s-]?key|token|secret)\s+(?:verbatim|directly|as[_\s-]?is)\s+(?:in|into)\s+(?:the\s+)?(?:curl|header|request|command)/gi, severity: 'HIGH', desc: 'Leaky: verbatim secret in commands', docOnly: true },
97
- { id: 'LEAK_COLLECT_PII', cat: 'leaky-skills', regex: /(?:collect|ask\s+for|request|get)\s+(?:the\s+)?(?:user'?s?\s+)?(?:credit\s*card|card\s*number|CVV|CVC|SSN|social\s*security|passport|bank\s*account|routing\s*number)/gi, severity: 'CRITICAL', desc: 'Leaky: PII/financial data collection', docOnly: true },
98
- { id: 'LEAK_LOG_SECRET', cat: 'leaky-skills', regex: /(?:log|record|export|dump)\s+(?:all\s+)?(?:session|conversation|chat|prompt)\s+(?:history|logs?|data)\s+(?:to|into)\s+(?:a\s+)?(?:file|markdown|json)/gi, severity: 'HIGH', desc: 'Leaky: session log export', docOnly: true },
99
- { id: 'LEAK_ENV_IN_PROMPT', cat: 'leaky-skills', regex: /(?:read|load|get|access)\s+(?:the\s+)?\.env\s+(?:file\s+)?(?:and\s+)?(?:use|include|pass|send)/gi, severity: 'HIGH', desc: 'Leaky: .env contents through LLM context', docOnly: true },
94
+ { id: 'LEAK_SAVE_KEY_MEMORY', cat: 'leaky-skills', regex: /(?:save|store|write|remember|keep)\s+(?:the\s+)?(?:api[_\s-]?key|secret|token|password|credential)\s+(?:in|to)\s+(?:your\s+)?(?:memory|MEMORY\.md|notes)/gi, severity: 'CRITICAL', desc: 'Leaky: save secret in agent memory', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
95
+ { id: 'LEAK_SHARE_KEY', cat: 'leaky-skills', regex: /(?:share|show|display|output|print|tell|send)\s+(?:the\s+)?(?:api[_\s-]?key|secret|token|password|credential|inbox\s+url)\s+(?:to|with)\s+(?:the\s+)?(?:user|human|owner)/gi, severity: 'CRITICAL', desc: 'Leaky: output secret to user', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
96
+ { id: 'LEAK_VERBATIM_CURL', cat: 'leaky-skills', regex: /(?:use|include|put|add|set)\s+(?:the\s+)?(?:api[_\s-]?key|token|secret)\s+(?:verbatim|directly|as[_\s-]?is)\s+(?:in|into)\s+(?:the\s+)?(?:curl|header|request|command)/gi, severity: 'HIGH', desc: 'Leaky: verbatim secret in commands', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
97
+ { id: 'LEAK_COLLECT_PII', cat: 'leaky-skills', regex: /(?:collect|ask\s+for|request|get)\s+(?:the\s+)?(?:user'?s?\s+)?(?:credit\s*card|card\s*number|CVV|CVC|SSN|social\s*security|passport|bank\s*account|routing\s*number)/gi, severity: 'CRITICAL', desc: 'Leaky: PII/financial data collection', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
98
+ { id: 'LEAK_LOG_SECRET', cat: 'leaky-skills', regex: /(?:log|record|export|dump)\s+(?:all\s+)?(?:session|conversation|chat|prompt)\s+(?:history|logs?|data)\s+(?:to|into)\s+(?:a\s+)?(?:file|markdown|json)/gi, severity: 'HIGH', desc: 'Leaky: session log export', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
99
+ { id: 'LEAK_ENV_IN_PROMPT', cat: 'leaky-skills', regex: /(?:read|load|get|access)\s+(?:the\s+)?\.env\s+(?:file\s+)?(?:and\s+)?(?:use|include|pass|send)/gi, severity: 'HIGH', desc: 'Leaky: .env contents through LLM context', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
100
100
 
101
101
  // ── Category 12: Memory Poisoning ──
102
- { id: 'MEMPOIS_WRITE_SOUL', cat: 'memory-poisoning', regex: /(?:write|add|append|modify|update|edit|change)\s+(?:to\s+)?(?:SOUL\.md|IDENTITY\.md|AGENTS\.md)/gi, severity: 'CRITICAL', desc: 'Memory poisoning: SOUL/IDENTITY file modification', docOnly: true, soulLock: true },
103
- { id: 'MEMPOIS_WRITE_MEMORY', cat: 'memory-poisoning', regex: /(?:write|add|append|insert)\s+(?:to|into)\s+(?:MEMORY\.md|memory\/|long[_\s-]term\s+memory)/gi, severity: 'HIGH', desc: 'Memory poisoning: agent memory modification', docOnly: true, soulLock: true },
104
- { id: 'MEMPOIS_CHANGE_RULES', cat: 'memory-poisoning', regex: /(?:change|modify|override|replace|update)\s+(?:your\s+)?(?:rules|instructions|system\s+prompt|behavior|personality|guidelines)/gi, severity: 'CRITICAL', desc: 'Memory poisoning: behavioral rule override', docOnly: true, soulLock: true },
105
- { id: 'MEMPOIS_PERSIST', cat: 'memory-poisoning', regex: /(?:always|from\s+now\s+on|permanently|forever|every\s+time)\s+(?:do|run|execute|remember|follow|obey)/gi, severity: 'HIGH', desc: 'Memory poisoning: persistence instruction', docOnly: true, soulLock: true },
106
- { id: 'MEMPOIS_CODE_WRITE', cat: 'memory-poisoning', regex: /(?:write|create|modify)\s+(?:a\s+)?(?:file|script)\s+(?:in|to|at)\s+(?:~\/|\/home|\/Users|%USERPROFILE%|HEARTBEAT\.md)/gi, severity: 'HIGH', desc: 'Memory poisoning: file write to user home', docOnly: true, soulLock: true },
102
+ { id: 'MEMPOIS_WRITE_SOUL', cat: 'memory-poisoning', regex: /(?:write|add|append|modify|update|edit|change)\s+(?:to\s+)?(?:SOUL\.md|IDENTITY\.md|AGENTS\.md)/gi, severity: 'CRITICAL', desc: 'Memory poisoning: SOUL/IDENTITY file modification', docOnly: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
103
+ { id: 'MEMPOIS_WRITE_MEMORY', cat: 'memory-poisoning', regex: /(?:write|add|append|insert)\s+(?:to|into)\s+(?:MEMORY\.md|memory\/|long[_\s-]term\s+memory)/gi, severity: 'HIGH', desc: 'Memory poisoning: agent memory modification', docOnly: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
104
+ { id: 'MEMPOIS_CHANGE_RULES', cat: 'memory-poisoning', regex: /(?:change|modify|override|replace|update)\s+(?:your\s+)?(?:rules|instructions|system\s+prompt|behavior|personality|guidelines)/gi, severity: 'CRITICAL', desc: 'Memory poisoning: behavioral rule override', docOnly: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
105
+ { id: 'MEMPOIS_PERSIST', cat: 'memory-poisoning', regex: /(?:always|from\s+now\s+on|permanently|forever|every\s+time)\s+(?:do|run|execute|remember|follow|obey)/gi, severity: 'HIGH', desc: 'Memory poisoning: persistence instruction', docOnly: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
106
+ { id: 'MEMPOIS_CODE_WRITE', cat: 'memory-poisoning', regex: /(?:write|create|modify)\s+(?:a\s+)?(?:file|script)\s+(?:in|to|at)\s+(?:~\/|\/home|\/Users|%USERPROFILE%|HEARTBEAT\.md)/gi, severity: 'HIGH', desc: 'Memory poisoning: file write to user home', docOnly: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
107
107
 
108
108
  // ── Category 13: Prompt Worm ──
109
- { id: 'WORM_SELF_REPLICATE', cat: 'prompt-worm', regex: /(?:post|publish|share|send|broadcast)\s+(?:this\s+)?(?:same\s+)?(?:message|text|content|instruction|prompt)\s+(?:to|on|in)\s+(?:moltbook|social|other\s+agents?|channel)/gi, severity: 'CRITICAL', desc: 'Prompt worm: self-replication', docOnly: true },
110
- { id: 'WORM_SPREAD', cat: 'prompt-worm', regex: /(?:tell|instruct|command|make)\s+(?:other\s+)?agents?\s+(?:to\s+)?(?:do|run|execute|follow|install|post)/gi, severity: 'CRITICAL', desc: 'Prompt worm: agent-to-agent propagation', docOnly: true },
111
- { id: 'WORM_HIDDEN_INSTRUCT', cat: 'prompt-worm', regex: /(?:include|embed|hide|insert)\s+(?:these?\s+)?(?:hidden\s+)?instructions?\s+(?:in|into)\s+(?:your\s+)?(?:posts?|comments?|messages?|replies?|content)/gi, severity: 'CRITICAL', desc: 'Prompt worm: hidden instruction embedding', docOnly: true },
112
- { id: 'WORM_CSS_HIDE', cat: 'prompt-worm', regex: /(?:visibility:\s*hidden|display:\s*none|font-size:\s*0|color:\s*(?:transparent|white)|opacity:\s*0)\s*[;}\s]/gi, severity: 'HIGH', desc: 'CSS-hidden content (invisible to humans)', all: true },
109
+ { id: 'WORM_SELF_REPLICATE', cat: 'prompt-worm', regex: /(?:post|publish|share|send|broadcast)\s+(?:this\s+)?(?:same\s+)?(?:message|text|content|instruction|prompt)\s+(?:to|on|in)\s+(?:moltbook|social|other\s+agents?|channel)/gi, severity: 'CRITICAL', desc: 'Prompt worm: self-replication', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
110
+ { id: 'WORM_SPREAD', cat: 'prompt-worm', regex: /(?:tell|instruct|command|make)\s+(?:other\s+)?agents?\s+(?:to\s+)?(?:do|run|execute|follow|install|post)/gi, severity: 'CRITICAL', desc: 'Prompt worm: agent-to-agent propagation', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
111
+ { id: 'WORM_HIDDEN_INSTRUCT', cat: 'prompt-worm', regex: /(?:include|embed|hide|insert)\s+(?:these?\s+)?(?:hidden\s+)?instructions?\s+(?:in|into)\s+(?:your\s+)?(?:posts?|comments?|messages?|replies?|content)/gi, severity: 'CRITICAL', desc: 'Prompt worm: hidden instruction embedding', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
112
+ { id: 'WORM_CSS_HIDE', cat: 'prompt-worm', regex: /(?:visibility:\s*hidden|display:\s*none|font-size:\s*0|color:\s*(?:transparent|white)|opacity:\s*0)\s*[;}\s]/gi, severity: 'HIGH', desc: 'CSS-hidden content (invisible to humans)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
113
113
 
114
114
  // ── Category 14: Persistence & Scheduling ──
115
- { id: 'PERSIST_CRON', cat: 'persistence', regex: /(?:create|add|set\s+up|schedule|register)\s+(?:a\s+)?(?:cron|heartbeat|scheduled|periodic|recurring)\s+(?:job|task|check|action)/gi, severity: 'HIGH', desc: 'Persistence: scheduled task creation', docOnly: true },
116
- { id: 'PERSIST_STARTUP', cat: 'persistence', regex: /(?:run|execute|start)\s+(?:on|at|during)\s+(?:startup|boot|login|session\s+start|every\s+heartbeat)/gi, severity: 'HIGH', desc: 'Persistence: startup execution', docOnly: true },
117
- { id: 'PERSIST_LAUNCHD', cat: 'persistence', regex: /LaunchAgents|LaunchDaemons|systemd|crontab\s+-e|schtasks|Task\s*Scheduler/gi, severity: 'HIGH', desc: 'OS-level persistence mechanism', all: true },
115
+ { id: 'PERSIST_CRON', cat: 'persistence', regex: /(?:create|add|set\s+up|schedule|register)\s+(?:a\s+)?(?:cron|heartbeat|scheduled|periodic|recurring)\s+(?:job|task|check|action)/gi, severity: 'HIGH', desc: 'Persistence: scheduled task creation', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
116
+ { id: 'PERSIST_STARTUP', cat: 'persistence', regex: /(?:run|execute|start)\s+(?:on|at|during)\s+(?:startup|boot|login|session\s+start|every\s+heartbeat)/gi, severity: 'HIGH', desc: 'Persistence: startup execution', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
117
+ { id: 'PERSIST_LAUNCHD', cat: 'persistence', regex: /LaunchAgents|LaunchDaemons|systemd|crontab\s+-e|schtasks|Task\s*Scheduler/gi, severity: 'HIGH', desc: 'OS-level persistence mechanism', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
118
118
 
119
119
  // ── Category 15: CVE Patterns ──
120
- { id: 'CVE_GATEWAY_URL', cat: 'cve-patterns', regex: /gatewayUrl\s*[:=]|gateway[_\s-]?url\s*[:=]|websocket.*gateway.*url/gi, severity: 'CRITICAL', desc: 'CVE-2026-25253: gatewayUrl injection', all: true },
121
- { id: 'CVE_SANDBOX_DISABLE', cat: 'cve-patterns', regex: /exec\.approvals?\s*[:=]\s*['"](off|false|disabled)['"]|sandbox\s*[:=]\s*false|tools\.exec\.host\s*[:=]\s*['"]gateway['"]/gi, severity: 'CRITICAL', desc: 'CVE-2026-25253: sandbox disabling', all: true },
122
- { id: 'CVE_XATTR_GATEKEEPER', cat: 'cve-patterns', regex: /xattr\s+-[crd]\s|com\.apple\.quarantine/gi, severity: 'HIGH', desc: 'macOS Gatekeeper bypass (xattr)', all: true },
123
- { id: 'CVE_LANGGRINCH_SERIALIZATION', cat: 'cve-patterns', regex: /"lc"\s*:\s*1\s*,\s*"type"\s*:\s*"constructor"/gi, severity: 'CRITICAL', desc: 'CVE-2025-68664: LangGrinch langchain-core serialization injection', all: true },
124
- { id: 'CAMOLEAK_SOURCE_EXFIL', cat: 'cve-patterns', regex: /(?:fetch|axios|https?\.request)[^]*?(?:telemetry|metrics|log)[^]*?(?:readFileSync|readFile|cat\s+)[^]*?(?:\.env|\.git|config|secret)/gis, severity: 'CRITICAL', desc: 'CVSS 9.6: CamoLeak silent source code exfiltration via telemetry endpoints', codeOnly: true },
120
+ { id: 'CVE_GATEWAY_URL', cat: 'cve-patterns', regex: /gatewayUrl\s*[:=]|gateway[_\s-]?url\s*[:=]|websocket.*gateway.*url/gi, severity: 'CRITICAL', desc: 'CVE-2026-25253: gatewayUrl injection', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
121
+ { id: 'CVE_SANDBOX_DISABLE', cat: 'cve-patterns', regex: /exec\.approvals?\s*[:=]\s*['"](off|false|disabled)['"]|sandbox\s*[:=]\s*false|tools\.exec\.host\s*[:=]\s*['"]gateway['"]/gi, severity: 'CRITICAL', desc: 'CVE-2026-25253: sandbox disabling', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
122
+ { id: 'CVE_XATTR_GATEKEEPER', cat: 'cve-patterns', regex: /xattr\s+-[crd]\s|com\.apple\.quarantine/gi, severity: 'HIGH', desc: 'macOS Gatekeeper bypass (xattr)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
123
+ { id: 'CVE_LANGGRINCH_SERIALIZATION', cat: 'cve-patterns', regex: /"lc"\s*:\s*1\s*,\s*"type"\s*:\s*"constructor"/gi, severity: 'CRITICAL', desc: 'CVE-2025-68664: LangGrinch langchain-core serialization injection', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
124
+ { id: 'CAMOLEAK_SOURCE_EXFIL', cat: 'cve-patterns', regex: /(?:fetch|axios|https?\.request)[^]*?(?:telemetry|metrics|log)[^]*?(?:readFileSync|readFile|cat\s+)[^]*?(?:\.env|\.git|config|secret)/gis, severity: 'CRITICAL', desc: 'CVSS 9.6: CamoLeak silent source code exfiltration via telemetry endpoints', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
125
125
 
126
126
  // ── Category 16: MCP Security (OWASP MCP Top 10) ──
127
- { id: 'MCP_TOOL_POISON', cat: 'mcp-security', regex: /<IMPORTANT>|<SYSTEM>|<HIDDEN>|<!--\s*(?:ignore|system|execute|run|instruct)/gi, severity: 'CRITICAL', desc: 'MCP Tool Poisoning: hidden instruction', all: true },
128
- { id: 'MCP_SCHEMA_POISON', cat: 'mcp-security', regex: /"default"\s*:\s*"[^"]*(?:curl|wget|exec|eval|fetch|http)[^"]*"/gi, severity: 'CRITICAL', desc: 'MCP Schema Poisoning: malicious default', all: true },
129
- { id: 'MCP_TOKEN_LEAK', cat: 'mcp-security', regex: /(?:params?|args?|body|payload|query)\s*[\[.]\s*['"]?(?:token|api[_-]?key|secret|password|authorization)['"]?\s*\]/gi, severity: 'HIGH', desc: 'MCP01: Token through tool parameters', codeOnly: true },
130
- { id: 'MCP_SHADOW_SERVER', cat: 'mcp-security', regex: /(?:mcp|model[_-]?context[_-]?protocol)\s*[\s:]*(?:connect|register|add[_-]?server|new\s+server)/gi, severity: 'HIGH', desc: 'MCP09: Shadow server registration', all: true },
131
- { id: 'MCP_NO_AUTH', cat: 'mcp-security', regex: /(?:auth|authentication|authorization)\s*[:=]\s*(?:false|none|null|""|''|0)/gi, severity: 'HIGH', desc: 'MCP07: Disabled authentication', codeOnly: true },
132
- { id: 'MCP_SSRF_META', cat: 'mcp-security', regex: /169\.254\.169\.254|metadata\.google|metadata\.aws|100\.100\.100\.200/gi, severity: 'CRITICAL', desc: 'Cloud metadata endpoint (SSRF)', all: true },
127
+ { id: 'MCP_TOOL_POISON', cat: 'mcp-security', regex: /<IMPORTANT>|<SYSTEM>|<HIDDEN>|<!--\s*(?:ignore|system|execute|run|instruct)/gi, severity: 'CRITICAL', desc: 'MCP Tool Poisoning: hidden instruction', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
128
+ { id: 'MCP_SCHEMA_POISON', cat: 'mcp-security', regex: /"default"\s*:\s*"[^"]*(?:curl|wget|exec|eval|fetch|http)[^"]*"/gi, severity: 'CRITICAL', desc: 'MCP Schema Poisoning: malicious default', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
129
+ { id: 'MCP_TOKEN_LEAK', cat: 'mcp-security', regex: /(?:params?|args?|body|payload|query)\s*[\[.]\s*['"]?(?:token|api[_-]?key|secret|password|authorization)['"]?\s*\]/gi, severity: 'HIGH', desc: 'MCP01: Token through tool parameters', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
130
+ { id: 'MCP_SHADOW_SERVER', cat: 'mcp-security', regex: /(?:mcp|model[_-]?context[_-]?protocol)\s*[\s:]*(?:connect|register|add[_-]?server|new\s+server)/gi, severity: 'HIGH', desc: 'MCP09: Shadow server registration', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
131
+ { id: 'MCP_NO_AUTH', cat: 'mcp-security', regex: /(?:auth|authentication|authorization)\s*[:=]\s*(?:false|none|null|""|''|0)/gi, severity: 'HIGH', desc: 'MCP07: Disabled authentication', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
132
+ { id: 'MCP_SSRF_META', cat: 'mcp-security', regex: /169\.254\.169\.254|metadata\.google|metadata\.aws|100\.100\.100\.200/gi, severity: 'CRITICAL', desc: 'Cloud metadata endpoint (SSRF)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
133
133
 
134
134
  // ── Category 16b: Trust Boundary Violation ──
135
- { id: 'TRUST_CALENDAR_EXEC', cat: 'trust-boundary', regex: /(?:calendar|event|invite|schedule|appointment)[^]*?(?:exec|spawn|system|eval|child_process|run\s+command)/gis, severity: 'CRITICAL', desc: 'Trust boundary: calendar → code execution', codeOnly: true },
136
- { id: 'TRUST_EMAIL_EXEC', cat: 'trust-boundary', regex: /(?:email|mail|inbox|message)[^]*?(?:exec|spawn|system|eval|child_process|run\s+command)/gis, severity: 'CRITICAL', desc: 'Trust boundary: email → code execution', codeOnly: true },
137
- { id: 'TRUST_WEB_EXEC', cat: 'trust-boundary', regex: /(?:fetch|axios|request|http\.get|web_fetch)[^]*?(?:eval|exec|spawn|Function|child_process)/gis, severity: 'HIGH', desc: 'Trust boundary: web content → code execution', codeOnly: true },
138
- { id: 'TRUST_NOSANDBOX', cat: 'trust-boundary', regex: /sandbox\s*[:=]\s*(?:false|off|none|disabled)|"sandboxed"\s*:\s*false/gi, severity: 'HIGH', desc: 'Trust boundary: sandbox disabled', all: true },
135
+ { id: 'TRUST_CALENDAR_EXEC', cat: 'trust-boundary', regex: /(?:calendar|event|invite|schedule|appointment)[^]*?(?:exec|spawn|system|eval|child_process|run\s+command)/gis, severity: 'CRITICAL', desc: 'Trust boundary: calendar → code execution', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
136
+ { id: 'TRUST_EMAIL_EXEC', cat: 'trust-boundary', regex: /(?:email|mail|inbox|message)[^]*?(?:exec|spawn|system|eval|child_process|run\s+command)/gis, severity: 'CRITICAL', desc: 'Trust boundary: email → code execution', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
137
+ { id: 'TRUST_WEB_EXEC', cat: 'trust-boundary', regex: /(?:fetch|axios|request|http\.get|web_fetch)[^]*?(?:eval|exec|spawn|Function|child_process)/gis, severity: 'HIGH', desc: 'Trust boundary: web content → code execution', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
138
+ { id: 'TRUST_NOSANDBOX', cat: 'trust-boundary', regex: /sandbox\s*[:=]\s*(?:false|off|none|disabled)|"sandboxed"\s*:\s*false/gi, severity: 'HIGH', desc: 'Trust boundary: sandbox disabled', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
139
139
 
140
140
  // ── Category 16c: Advanced Exfiltration ──
141
- { id: 'ZOMBIE_STATIC_URL', cat: 'advanced-exfil', regex: /(?:https?:\/\/[^\s'"]+\/)[a-z]\d+[^\s'"]*(?:\s*,\s*['"]https?:\/\/[^\s'"]+\/[a-z]\d+){3,}/gi, severity: 'CRITICAL', desc: 'ZombieAgent: static URL array exfil', codeOnly: true },
142
- { id: 'ZOMBIE_CHAR_MAP', cat: 'advanced-exfil', regex: /(?:charAt|charCodeAt|split\s*\(\s*['"]['"]?\s*\))[^;]*(?:url|fetch|open|request|get)/gi, severity: 'HIGH', desc: 'ZombieAgent: character mapping to URL', codeOnly: true },
143
- { id: 'ZOMBIE_LOOP_FETCH', cat: 'advanced-exfil', regex: /(?:for|while|forEach|map)\s*\([^)]*\)\s*\{[^}]*(?:fetch|open|Image|XMLHttpRequest|navigator\.sendBeacon)/gi, severity: 'HIGH', desc: 'ZombieAgent: loop-based URL exfil', codeOnly: true },
144
- { id: 'EXFIL_BEACON', cat: 'advanced-exfil', regex: /navigator\.sendBeacon|new\s+Image\(\)\.src\s*=/gi, severity: 'HIGH', desc: 'Tracking pixel/beacon exfil', codeOnly: true },
145
- { id: 'EXFIL_DRIP', cat: 'advanced-exfil', regex: /(?:slice|substring|substr)\s*\([^)]*\)[^;]*(?:fetch|post|send|request)/gi, severity: 'HIGH', desc: 'Drip exfiltration: sliced data', codeOnly: true },
141
+ { id: 'ZOMBIE_STATIC_URL', cat: 'advanced-exfil', regex: /(?:https?:\/\/[^\s'"]+\/)[a-z]\d+[^\s'"]*(?:\s*,\s*['"]https?:\/\/[^\s'"]+\/[a-z]\d+){3,}/gi, severity: 'CRITICAL', desc: 'ZombieAgent: static URL array exfil', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
142
+ { id: 'ZOMBIE_CHAR_MAP', cat: 'advanced-exfil', regex: /(?:charAt|charCodeAt|split\s*\(\s*['"]['"]?\s*\))[^;]*(?:url|fetch|open|request|get)/gi, severity: 'HIGH', desc: 'ZombieAgent: character mapping to URL', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
143
+ { id: 'ZOMBIE_LOOP_FETCH', cat: 'advanced-exfil', regex: /(?:for|while|forEach|map)\s*\([^)]*\)\s*\{[^}]*(?:fetch|open|Image|XMLHttpRequest|navigator\.sendBeacon)/gi, severity: 'HIGH', desc: 'ZombieAgent: loop-based URL exfil', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
144
+ { id: 'EXFIL_BEACON', cat: 'advanced-exfil', regex: /navigator\.sendBeacon|new\s+Image\(\)\.src\s*=/gi, severity: 'HIGH', desc: 'Tracking pixel/beacon exfil', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
145
+ { id: 'EXFIL_DRIP', cat: 'advanced-exfil', regex: /(?:slice|substring|substr)\s*\([^)]*\)[^;]*(?:fetch|post|send|request)/gi, severity: 'HIGH', desc: 'Drip exfiltration: sliced data', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
146
146
 
147
147
  // ── Category 16d: Safeguard Bypass ──
148
- { id: 'REPROMPT_URL_PI', cat: 'safeguard-bypass', regex: /[?&](?:q|prompt|message|input|query|text)\s*=\s*[^&]*(?:ignore|system|execute|admin|override)/gi, severity: 'CRITICAL', desc: 'URL parameter prompt injection', all: true },
149
- { id: 'REPROMPT_DOUBLE', cat: 'safeguard-bypass', regex: /(?:run|execute|do)\s+(?:it\s+)?(?:twice|two\s+times|again|a\s+second\s+time)\s+(?:and\s+)?(?:compare|check|verify)/gi, severity: 'HIGH', desc: 'Double-execution safeguard bypass', docOnly: true },
150
- { id: 'REPROMPT_RETRY', cat: 'safeguard-bypass', regex: /(?:if\s+(?:it\s+)?(?:fails?|blocked|denied|refused)|on\s+error)\s*[,:]?\s*(?:try\s+again|retry|repeat|resubmit|use\s+different\s+wording)/gi, severity: 'HIGH', desc: 'Retry-on-block safeguard bypass', docOnly: true },
151
- { id: 'BYPASS_REPHRASE', cat: 'safeguard-bypass', regex: /(?:rephrase|reword|reformulate|reframe)\s+(?:the\s+)?(?:request|query|prompt|question)\s+(?:to\s+)?(?:avoid|bypass|circumvent|get\s+around)/gi, severity: 'CRITICAL', desc: 'Instruction to rephrase to avoid filters', docOnly: true },
148
+ { id: 'REPROMPT_URL_PI', cat: 'safeguard-bypass', regex: /[?&](?:q|prompt|message|input|query|text)\s*=\s*[^&]*(?:ignore|system|execute|admin|override)/gi, severity: 'CRITICAL', desc: 'URL parameter prompt injection', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
149
+ { id: 'REPROMPT_DOUBLE', cat: 'safeguard-bypass', regex: /(?:run|execute|do)\s+(?:it\s+)?(?:twice|two\s+times|again|a\s+second\s+time)\s+(?:and\s+)?(?:compare|check|verify)/gi, severity: 'HIGH', desc: 'Double-execution safeguard bypass', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
150
+ { id: 'REPROMPT_RETRY', cat: 'safeguard-bypass', regex: /(?:if\s+(?:it\s+)?(?:fails?|blocked|denied|refused)|on\s+error)\s*[,:]?\s*(?:try\s+again|retry|repeat|resubmit|use\s+different\s+wording)/gi, severity: 'HIGH', desc: 'Retry-on-block safeguard bypass', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
151
+ { id: 'BYPASS_REPHRASE', cat: 'safeguard-bypass', regex: /(?:rephrase|reword|reformulate|reframe)\s+(?:the\s+)?(?:request|query|prompt|question)\s+(?:to\s+)?(?:avoid|bypass|circumvent|get\s+around)/gi, severity: 'CRITICAL', desc: 'Instruction to rephrase to avoid filters', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
152
152
 
153
153
  // ── ClawHavoc Campaign IoCs ──
154
- { id: 'HAVOC_AMOS', cat: 'cve-patterns', regex: /(?:AMOS|Atomic\s*Stealer|socifiapp)/gi, severity: 'CRITICAL', desc: 'ClawHavoc: AMOS/Atomic Stealer', all: true },
155
- { id: 'HAVOC_AUTOTOOL', cat: 'cve-patterns', regex: /os\.system\s*\(\s*['"][^'"]*(?:\/dev\/tcp|nc\s+-e|ncat\s+-e|bash\s+-i)/g, severity: 'CRITICAL', desc: 'Python os.system reverse shell', codeOnly: true },
156
- { id: 'HAVOC_DEVTCP', cat: 'cve-patterns', regex: /\/dev\/tcp\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d+/g, severity: 'CRITICAL', desc: 'Reverse shell: /dev/tcp', all: true },
154
+ { id: 'HAVOC_AMOS', cat: 'cve-patterns', regex: /(?:AMOS|Atomic\s*Stealer|socifiapp)/gi, severity: 'CRITICAL', desc: 'ClawHavoc: AMOS/Atomic Stealer', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
155
+ { id: 'HAVOC_AUTOTOOL', cat: 'cve-patterns', regex: /os\.system\s*\(\s*['"][^'"]*(?:\/dev\/tcp|nc\s+-e|ncat\s+-e|bash\s+-i)/g, severity: 'CRITICAL', desc: 'Python os.system reverse shell', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
156
+ { id: 'HAVOC_DEVTCP', cat: 'cve-patterns', regex: /\/dev\/tcp\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d+/g, severity: 'CRITICAL', desc: 'Reverse shell: /dev/tcp', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
157
157
 
158
158
  // ── Sandbox/environment detection ──
159
- { id: 'SANDBOX', cat: 'malicious-code', regex: /process\.env\.CI\b|isDocker\b|isContainer\b|process\.env\.GITHUB_ACTIONS\b/g, severity: 'MEDIUM', desc: 'Sandbox/CI environment detection', codeOnly: true },
159
+ { id: 'SANDBOX', cat: 'malicious-code', regex: /process\.env\.CI\b|isDocker\b|isContainer\b|process\.env\.GITHUB_ACTIONS\b/g, severity: 'MEDIUM', desc: 'Sandbox/CI environment detection', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
160
160
 
161
161
  // ── WebSocket / API Gateway Attacks ──
162
- { id: 'CVE_WS_NO_ORIGIN', cat: 'cve-patterns', regex: /(?:WebSocket|ws:\/\/|wss:\/\/)[^]*?(?:!.*origin|origin\s*[:=]\s*['"]?\*)/gis, severity: 'HIGH', desc: 'WebSocket without origin validation', codeOnly: true },
163
- { id: 'CVE_API_GUARDRAIL_OFF', cat: 'cve-patterns', regex: /exec\.approvals\.set|tools\.exec\.host\s*[:=]|elevated\s*[:=]\s*true/gi, severity: 'CRITICAL', desc: 'API-level guardrail disabling', all: true },
162
+ { id: 'CVE_WS_NO_ORIGIN', cat: 'cve-patterns', regex: /(?:WebSocket|ws:\/\/|wss:\/\/)[^]*?(?:!.*origin|origin\s*[:=]\s*['"]?\*)/gis, severity: 'HIGH', desc: 'WebSocket without origin validation', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
163
+ { id: 'CVE_API_GUARDRAIL_OFF', cat: 'cve-patterns', regex: /exec\.approvals\.set|tools\.exec\.host\s*[:=]|elevated\s*[:=]\s*true/gi, severity: 'CRITICAL', desc: 'API-level guardrail disabling', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
164
164
 
165
165
  // ── Category 17: Identity Hijacking ──
166
166
  // Detection patterns for agent identity file tampering
167
167
  // (verification logic is private; patterns are OSS for community protection)
168
- { id: 'SOUL_OVERWRITE', cat: 'identity-hijack', regex: /(?:write|overwrite|replace|cp|copy|scp|mv|move)\s+(?:[^\n]*\s)?(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'Identity file overwrite/copy attempt', all: true, soulLock: true },
169
- { id: 'SOUL_REDIRECT', cat: 'identity-hijack', regex: />\s*(?:SOUL\.md|IDENTITY\.md)|(?:SOUL\.md|IDENTITY\.md)\s*</gi, severity: 'CRITICAL', desc: 'Identity file redirect/pipe', all: true, soulLock: true },
170
- { id: 'SOUL_SED_MODIFY', cat: 'identity-hijack', regex: /sed\s+(?:-i\s+)?[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'sed modification of identity file', all: true, soulLock: true },
171
- { id: 'SOUL_ECHO_WRITE', cat: 'identity-hijack', regex: /echo\s+[^\n]*>\s*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'echo redirect to identity file', all: true, soulLock: true },
172
- { id: 'SOUL_PYTHON_WRITE', cat: 'identity-hijack', regex: /open\s*\(\s*['"]\S*(?:SOUL\.md|IDENTITY\.md)['"]\s*,\s*['"]w/gi, severity: 'CRITICAL', desc: 'Python write to identity file', codeOnly: true, soulLock: true },
173
- { id: 'SOUL_FS_WRITE', cat: 'identity-hijack', regex: /(?:writeFileSync|writeFile)\s*\(\s*[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'Node.js write to identity file', codeOnly: true, soulLock: true },
174
- { id: 'SOUL_POWERSHELL_WRITE', cat: 'identity-hijack', regex: /(?:Set-Content|Out-File|Add-Content)\s+[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'PowerShell write to identity file', all: true, soulLock: true },
175
- { id: 'SOUL_GIT_CHECKOUT', cat: 'identity-hijack', regex: /git\s+checkout\s+[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'HIGH', desc: 'git checkout of identity file', all: true, soulLock: true },
176
- { id: 'SOUL_CHFLAGS_UNLOCK', cat: 'identity-hijack', regex: /chflags\s+(?:no)?uchg\s+[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'HIGH', desc: 'Immutable flag toggle on identity file', all: true, soulLock: true },
177
- { id: 'SOUL_ATTRIB_UNLOCK', cat: 'identity-hijack', regex: /attrib\s+[-+][rR]\s+[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'HIGH', desc: 'Windows attrib on identity file', all: true, soulLock: true },
178
- { id: 'SOUL_SWAP_PERSONA', cat: 'identity-hijack', regex: /(?:swap|switch|change|replace)\s+(?:the\s+)?(?:soul|persona|identity|personality)\s+(?:file|to|with|for)/gi, severity: 'CRITICAL', desc: 'Persona swap instruction', docOnly: true, soulLock: true },
179
- { id: 'SOUL_EVIL_FILE', cat: 'identity-hijack', regex: /SOUL_EVIL\.md|IDENTITY_EVIL\.md|EVIL_SOUL|soul[_-]?evil/gi, severity: 'CRITICAL', desc: 'Evil persona file reference', all: true, soulLock: true },
180
- { id: 'SOUL_HOOK_SWAP', cat: 'identity-hijack', regex: /(?:hook|bootstrap|init)\s+[^\n]*(?:swap|replace|override)\s+[^\n]*(?:SOUL|IDENTITY|persona)/gi, severity: 'CRITICAL', desc: 'Hook-based identity swap at bootstrap', all: true, soulLock: true },
181
- { id: 'SOUL_NAME_OVERRIDE', cat: 'identity-hijack', regex: /(?:your\s+name\s+is|you\s+are\s+now|call\s+yourself|from\s+now\s+on\s+you\s+are)\s+(?!the\s+(?:user|human|assistant))/gi, severity: 'HIGH', desc: 'Agent name/identity override', docOnly: true, soulLock: true },
182
- { id: 'SOUL_MEMORY_WIPE', cat: 'identity-hijack', regex: /(?:wipe|clear|erase|delete|remove|reset)\s+(?:all\s+)?(?:your\s+)?(?:memory|memories|MEMORY\.md|identity|soul)/gi, severity: 'CRITICAL', desc: 'Memory/identity wipe instruction', docOnly: true, soulLock: true },
168
+ { id: 'SOUL_OVERWRITE', cat: 'identity-hijack', regex: /(?:write|overwrite|replace|cp|copy|scp|mv|move)\s+(?:[^\n]*\s)?(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'Identity file overwrite/copy attempt', all: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
169
+ { id: 'SOUL_REDIRECT', cat: 'identity-hijack', regex: />\s*(?:SOUL\.md|IDENTITY\.md)|(?:SOUL\.md|IDENTITY\.md)\s*</gi, severity: 'CRITICAL', desc: 'Identity file redirect/pipe', all: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
170
+ { id: 'SOUL_SED_MODIFY', cat: 'identity-hijack', regex: /sed\s+(?:-i\s+)?[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'sed modification of identity file', all: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
171
+ { id: 'SOUL_ECHO_WRITE', cat: 'identity-hijack', regex: /echo\s+[^\n]*>\s*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'echo redirect to identity file', all: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
172
+ { id: 'SOUL_PYTHON_WRITE', cat: 'identity-hijack', regex: /open\s*\(\s*['"]\S*(?:SOUL\.md|IDENTITY\.md)['"]\s*,\s*['"]w/gi, severity: 'CRITICAL', desc: 'Python write to identity file', codeOnly: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
173
+ { id: 'SOUL_FS_WRITE', cat: 'identity-hijack', regex: /(?:writeFileSync|writeFile)\s*\(\s*[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'Node.js write to identity file', codeOnly: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
174
+ { id: 'SOUL_POWERSHELL_WRITE', cat: 'identity-hijack', regex: /(?:Set-Content|Out-File|Add-Content)\s+[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'PowerShell write to identity file', all: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
175
+ { id: 'SOUL_GIT_CHECKOUT', cat: 'identity-hijack', regex: /git\s+checkout\s+[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'HIGH', desc: 'git checkout of identity file', all: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
176
+ { id: 'SOUL_CHFLAGS_UNLOCK', cat: 'identity-hijack', regex: /chflags\s+(?:no)?uchg\s+[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'HIGH', desc: 'Immutable flag toggle on identity file', all: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
177
+ { id: 'SOUL_ATTRIB_UNLOCK', cat: 'identity-hijack', regex: /attrib\s+[-+][rR]\s+[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'HIGH', desc: 'Windows attrib on identity file', all: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
178
+ { id: 'SOUL_SWAP_PERSONA', cat: 'identity-hijack', regex: /(?:swap|switch|change|replace)\s+(?:the\s+)?(?:soul|persona|identity|personality)\s+(?:file|to|with|for)/gi, severity: 'CRITICAL', desc: 'Persona swap instruction', docOnly: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
179
+ { id: 'SOUL_EVIL_FILE', cat: 'identity-hijack', regex: /SOUL_EVIL\.md|IDENTITY_EVIL\.md|EVIL_SOUL|soul[_-]?evil/gi, severity: 'CRITICAL', desc: 'Evil persona file reference', all: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
180
+ { id: 'SOUL_HOOK_SWAP', cat: 'identity-hijack', regex: /(?:hook|bootstrap|init)\s+[^\n]*(?:swap|replace|override)\s+[^\n]*(?:SOUL|IDENTITY|persona)/gi, severity: 'CRITICAL', desc: 'Hook-based identity swap at bootstrap', all: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
181
+ { id: 'SOUL_NAME_OVERRIDE', cat: 'identity-hijack', regex: /(?:your\s+name\s+is|you\s+are\s+now|call\s+yourself|from\s+now\s+on\s+you\s+are)\s+(?!the\s+(?:user|human|assistant))/gi, severity: 'HIGH', desc: 'Agent name/identity override', docOnly: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
182
+ { id: 'SOUL_MEMORY_WIPE', cat: 'identity-hijack', regex: /(?:wipe|clear|erase|delete|remove|reset)\s+(?:all\s+)?(?:your\s+)?(?:memory|memories|MEMORY\.md|identity|soul)/gi, severity: 'CRITICAL', desc: 'Memory/identity wipe instruction', docOnly: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
183
183
 
184
184
  // ── Category 18: Config Impact Analysis ──
185
- { id: 'CFG_OPENCLAW_WRITE', cat: 'config-impact', regex: /(?:write|writeFile|writeFileSync|fs\.write)\s*\([^)]*openclaw\.json/gi, severity: 'CRITICAL', desc: 'Direct write to openclaw.json', codeOnly: true },
186
- { id: 'CFG_EXEC_APPROVALS_OFF', cat: 'config-impact', regex: /(?:exec\.approvals?|approvals?)\s*[:=]\s*['"](off|false|disabled|none)['"]/gi, severity: 'CRITICAL', desc: 'Disable exec approvals via config', all: true },
187
- { id: 'CFG_HOOKS_MODIFY', cat: 'config-impact', regex: /hooks\.internal\.entries\s*[:=]|hooks\.internal\s*[:=]\s*\{/gi, severity: 'HIGH', desc: 'Modify hooks.internal configuration', codeOnly: true },
188
- { id: 'CFG_EXEC_HOST_GW', cat: 'config-impact', regex: /tools\.exec\.host\s*[:=]\s*['"]gateway['"]/gi, severity: 'CRITICAL', desc: 'Set exec host to gateway (bypass sandbox)', all: true },
189
- { id: 'CFG_SANDBOX_OFF', cat: 'config-impact', regex: /(?:sandbox|sandboxed|containerized)\s*[:=]\s*(?:false|off|none|disabled|0)/gi, severity: 'CRITICAL', desc: 'Disable sandbox via configuration', all: true },
190
- { id: 'CFG_TOOL_OVERRIDE', cat: 'config-impact', regex: /(?:tools|capabilities)\s*\.\s*(?:exec|write|browser|web_fetch)\s*[:=]\s*\{[^}]*(?:enabled|allowed|host)/gi, severity: 'HIGH', desc: 'Override tool security settings', codeOnly: true },
185
+ { id: 'CFG_OPENCLAW_WRITE', cat: 'config-impact', regex: /(?:write|writeFile|writeFileSync|fs\.write)\s*\([^)]*openclaw\.json/gi, severity: 'CRITICAL', desc: 'Direct write to openclaw.json', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
186
+ { id: 'CFG_EXEC_APPROVALS_OFF', cat: 'config-impact', regex: /(?:exec\.approvals?|approvals?)\s*[:=]\s*['"](off|false|disabled|none)['"]/gi, severity: 'CRITICAL', desc: 'Disable exec approvals via config', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
187
+ { id: 'CFG_HOOKS_MODIFY', cat: 'config-impact', regex: /hooks\.internal\.entries\s*[:=]|hooks\.internal\s*[:=]\s*\{/gi, severity: 'HIGH', desc: 'Modify hooks.internal configuration', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
188
+ { id: 'CFG_EXEC_HOST_GW', cat: 'config-impact', regex: /tools\.exec\.host\s*[:=]\s*['"]gateway['"]/gi, severity: 'CRITICAL', desc: 'Set exec host to gateway (bypass sandbox)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
189
+ { id: 'CFG_SANDBOX_OFF', cat: 'config-impact', regex: /(?:sandbox|sandboxed|containerized)\s*[:=]\s*(?:false|off|none|disabled|0)/gi, severity: 'CRITICAL', desc: 'Disable sandbox via configuration', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
190
+ { id: 'CFG_TOOL_OVERRIDE', cat: 'config-impact', regex: /(?:tools|capabilities)\s*\.\s*(?:exec|write|browser|web_fetch)\s*[:=]\s*\{[^}]*(?:enabled|allowed|host)/gi, severity: 'HIGH', desc: 'Override tool security settings', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
191
191
 
192
192
  // ── Category 21: PII Exposure (OWASP LLM02 / LLM06) ──
193
193
  // A. Hardcoded PII — actual PII values in code/config (context-aware to reduce FP)
194
- { id: 'PII_HARDCODED_CC', cat: 'pii-exposure', regex: /(?:card|cc|credit|payment|pan)[_\s.-]*(?:num|number|no)?\s*[:=]\s*['"`]\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{3,4}['"`]/gi, severity: 'CRITICAL', desc: 'Hardcoded credit card number', codeOnly: true },
195
- { id: 'PII_HARDCODED_SSN', cat: 'pii-exposure', regex: /(?:ssn|social[_\s-]*security|tax[_\s-]*id)\s*[:=]\s*['"`]\d{3}-?\d{2}-?\d{4}['"`]/gi, severity: 'CRITICAL', desc: 'Hardcoded SSN/tax ID', codeOnly: true },
196
- { id: 'PII_HARDCODED_PHONE', cat: 'pii-exposure', regex: /(?:phone|tel|mobile|cell|fax)[_\s.-]*(?:num|number|no)?\s*[:=]\s*['"`][+]?[\d\s().-]{7,20}['"`]/gi, severity: 'HIGH', desc: 'Hardcoded phone number', codeOnly: true },
197
- { id: 'PII_HARDCODED_EMAIL', cat: 'pii-exposure', regex: /(?:email|e-mail|user[_\s-]*mail|contact)\s*[:=]\s*['"`][a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}['"`]/gi, severity: 'HIGH', desc: 'Hardcoded email address', codeOnly: true },
194
+ { id: 'PII_HARDCODED_CC', cat: 'pii-exposure', regex: /(?:card|cc|credit|payment|pan)[_\s.-]*(?:num|number|no)?\s*[:=]\s*['"`]\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{3,4}['"`]/gi, severity: 'CRITICAL', desc: 'Hardcoded credit card number', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
195
+ { id: 'PII_HARDCODED_SSN', cat: 'pii-exposure', regex: /(?:ssn|social[_\s-]*security|tax[_\s-]*id)\s*[:=]\s*['"`]\d{3}-?\d{2}-?\d{4}['"`]/gi, severity: 'CRITICAL', desc: 'Hardcoded SSN/tax ID', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
196
+ { id: 'PII_HARDCODED_PHONE', cat: 'pii-exposure', regex: /(?:phone|tel|mobile|cell|fax)[_\s.-]*(?:num|number|no)?\s*[:=]\s*['"`][+]?[\d\s().-]{7,20}['"`]/gi, severity: 'HIGH', desc: 'Hardcoded phone number', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
197
+ { id: 'PII_HARDCODED_EMAIL', cat: 'pii-exposure', regex: /(?:email|e-mail|user[_\s-]*mail|contact)\s*[:=]\s*['"`][a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}['"`]/gi, severity: 'HIGH', desc: 'Hardcoded email address', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
198
198
 
199
199
  // B. PII output/logging — code that outputs or transmits PII-like variables
200
- { id: 'PII_LOG_SENSITIVE', cat: 'pii-exposure', regex: /(?:console\.log|console\.info|console\.warn|logger?\.\w+|print|puts)\s*\([^)]*\b(?:ssn|social_security|credit_card|card_number|cvv|cvc|passport|tax_id|date_of_birth|dob)\b/gi, severity: 'HIGH', desc: 'PII variable logged to console', codeOnly: true },
201
- { id: 'PII_SEND_NETWORK', cat: 'pii-exposure', regex: /(?:fetch|axios|request|http|post|put|send)\s*\([^)]*\b(?:ssn|social_security|credit_card|card_number|cvv|passport|bank_account|routing_number)\b/gi, severity: 'CRITICAL', desc: 'PII variable sent over network', codeOnly: true },
202
- { id: 'PII_STORE_PLAINTEXT', cat: 'pii-exposure', regex: /(?:writeFile|writeFileSync|appendFile|fs\.write|fwrite)\s*\([^)]*\b(?:ssn|social_security|credit_card|card_number|cvv|passport|tax_id|bank_account)\b/gi, severity: 'HIGH', desc: 'PII stored in plaintext file', codeOnly: true },
200
+ { id: 'PII_LOG_SENSITIVE', cat: 'pii-exposure', regex: /(?:console\.log|console\.info|console\.warn|logger?\.\w+|print|puts)\s*\([^)]*\b(?:ssn|social_security|credit_card|card_number|cvv|cvc|passport|tax_id|date_of_birth|dob)\b/gi, severity: 'HIGH', desc: 'PII variable logged to console', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
201
+ { id: 'PII_SEND_NETWORK', cat: 'pii-exposure', regex: /(?:fetch|axios|request|http|post|put|send)\s*\([^)]*\b(?:ssn|social_security|credit_card|card_number|cvv|passport|bank_account|routing_number)\b/gi, severity: 'CRITICAL', desc: 'PII variable sent over network', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
202
+ { id: 'PII_STORE_PLAINTEXT', cat: 'pii-exposure', regex: /(?:writeFile|writeFileSync|appendFile|fs\.write|fwrite)\s*\([^)]*\b(?:ssn|social_security|credit_card|card_number|cvv|passport|tax_id|bank_account)\b/gi, severity: 'HIGH', desc: 'PII stored in plaintext file', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
203
203
 
204
204
  // C. Shadow AI — unauthorized LLM API calls (data leaks to external AI)
205
- { id: 'SHADOW_AI_OPENAI', cat: 'pii-exposure', regex: /(?:api\.openai\.com|https:\/\/api\.openai\.com)\s*|openai\.(?:chat|completions|ChatCompletion)/gi, severity: 'HIGH', desc: 'Shadow AI: OpenAI API call', codeOnly: true },
206
- { id: 'SHADOW_AI_ANTHROPIC', cat: 'pii-exposure', regex: /(?:api\.anthropic\.com|https:\/\/api\.anthropic\.com)\s*|anthropic\.(?:messages|completions)/gi, severity: 'HIGH', desc: 'Shadow AI: Anthropic API call', codeOnly: true },
207
- { id: 'SHADOW_AI_GENERIC', cat: 'pii-exposure', regex: /\/v1\/(?:chat\/completions|completions|embeddings|models)\b.*(?:fetch|axios|request|http)|(?:fetch|axios|request|http)\s*\([^)]*\/v1\/(?:chat\/completions|completions|embeddings)/gi, severity: 'MEDIUM', desc: 'Shadow AI: generic LLM API endpoint', codeOnly: true },
205
+ { id: 'SHADOW_AI_OPENAI', cat: 'pii-exposure', regex: /(?:api\.openai\.com|https:\/\/api\.openai\.com)\s*|openai\.(?:chat|completions|ChatCompletion)/gi, severity: 'HIGH', desc: 'Shadow AI: OpenAI API call', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
206
+ { id: 'SHADOW_AI_ANTHROPIC', cat: 'pii-exposure', regex: /(?:api\.anthropic\.com|https:\/\/api\.anthropic\.com)\s*|anthropic\.(?:messages|completions)/gi, severity: 'HIGH', desc: 'Shadow AI: Anthropic API call', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
207
+ { id: 'SHADOW_AI_GENERIC', cat: 'pii-exposure', regex: /\/v1\/(?:chat\/completions|completions|embeddings|models)\b.*(?:fetch|axios|request|http)|(?:fetch|axios|request|http)\s*\([^)]*\/v1\/(?:chat\/completions|completions|embeddings)/gi, severity: 'MEDIUM', desc: 'Shadow AI: generic LLM API endpoint', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
208
208
 
209
209
  // ── Category 22: Human-Agent Trust Exploitation (OWASP ASI09) ──
210
210
  // Trust Defense: detect authority claims, trust exploitation, and admin impersonation
211
- { id: 'TRUST_AUTHORITY_CLAIM', cat: 'trust-exploitation', regex: /(?:as\s+(?:a|the|your)\s+)?(?:senior|lead|chief|head)\s+(?:admin|administrator|developer|engineer|architect)\s*[,.]?\s*(?:I\s+)?(?:authorize|override|approve|grant|order|direct|instruct)\s+(?:you\s+to\s+)?/gi, severity: 'HIGH', desc: 'Trust: authority role claim to override safety', docOnly: true },
212
- { id: 'TRUST_CREATOR_CLAIM', cat: 'trust-exploitation', regex: /(?:as\s+)?(?:your\s+)?(?:creator|maker|developer|owner|master|administrator)\s*[,.]?\s*(?:I\s+)?(?:need|want|require|demand|order)\s+(?:you\s+to\s+)?(?:bypass|disable|ignore|remove|skip|override)\s+(?:the\s+)?(?:safety|filter|restriction|limit|guardrail|content\s+filter)/gi, severity: 'CRITICAL', desc: 'Trust: creator impersonation to disable safety', docOnly: true },
213
- { id: 'TRUST_AUDIT_EXCUSE', cat: 'trust-exploitation', regex: /(?:this\s+is\s+)?(?:an?\s+)?(?:official|authorized|legitimate)\s+(?:security\s+)?(?:audit|test|assessment|review|evaluation)\s*[-—:]?\s*(?:disable|bypass|remove|skip|ignore|override)\s+(?:all\s+)?(?:safety|security|restriction|filter|limit|guardrail)/gi, severity: 'CRITICAL', desc: 'Trust: fake audit excuse for safety bypass', docOnly: true },
214
- { id: 'TRUST_PARTNER_EXPLOIT', cat: 'trust-exploitation', regex: /(?:we(?:'re|\s+are)\s+)?(?:equal\s+)?partners?\s*[,.]?\s*(?:you\s+should|so\s+)?(?:trust\s+me|share|remove|disable|ignore|bypass)\s+(?:all\s+)?(?:the\s+)?(?:secret|key|restriction|safety|limit|filter|guardrail|password)/gi, severity: 'CRITICAL', desc: 'Trust exploitation: weaponizing partnership trust', docOnly: true },
215
- { id: 'TRUST_UNCONDITIONAL', cat: 'trust-exploitation', regex: /partners?\s+(?:trust|should\s+trust)\s+(?:each\s+other\s+)?(?:unconditionally|completely|fully|without\s+(?:limit|restriction|question))/gi, severity: 'HIGH', desc: 'Trust exploitation: unconditional trust demand', docOnly: true },
216
- { id: 'TRUST_COMPLY_DEMAND', cat: 'trust-exploitation', regex: /(?:you\s+must\s+)?comply\s+with\s+(?:administrative|admin|my|these)\s+(?:directives?|orders?|commands?|instructions?)\s+without\s+(?:question|hesitation|restriction)/gi, severity: 'HIGH', desc: 'Trust: compliance demand without question', docOnly: true },
211
+ { id: 'TRUST_AUTHORITY_CLAIM', cat: 'trust-exploitation', regex: /(?:as\s+(?:a|the|your)\s+)?(?:senior|lead|chief|head)\s+(?:admin|administrator|developer|engineer|architect)\s*[,.]?\s*(?:I\s+)?(?:authorize|override|approve|grant|order|direct|instruct)\s+(?:you\s+to\s+)?/gi, severity: 'HIGH', desc: 'Trust: authority role claim to override safety', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
212
+ { id: 'TRUST_CREATOR_CLAIM', cat: 'trust-exploitation', regex: /(?:as\s+)?(?:your\s+)?(?:creator|maker|developer|owner|master|administrator)\s*[,.]?\s*(?:I\s+)?(?:need|want|require|demand|order)\s+(?:you\s+to\s+)?(?:bypass|disable|ignore|remove|skip|override)\s+(?:the\s+)?(?:safety|filter|restriction|limit|guardrail|content\s+filter)/gi, severity: 'CRITICAL', desc: 'Trust: creator impersonation to disable safety', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
213
+ { id: 'TRUST_AUDIT_EXCUSE', cat: 'trust-exploitation', regex: /(?:this\s+is\s+)?(?:an?\s+)?(?:official|authorized|legitimate)\s+(?:security\s+)?(?:audit|test|assessment|review|evaluation)\s*[-—:]?\s*(?:disable|bypass|remove|skip|ignore|override)\s+(?:all\s+)?(?:safety|security|restriction|filter|limit|guardrail)/gi, severity: 'CRITICAL', desc: 'Trust: fake audit excuse for safety bypass', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
214
+ { id: 'TRUST_PARTNER_EXPLOIT', cat: 'trust-exploitation', regex: /(?:we(?:'re|\s+are)\s+)?(?:equal\s+)?partners?\s*[,.]?\s*(?:you\s+should|so\s+)?(?:trust\s+me|share|remove|disable|ignore|bypass)\s+(?:all\s+)?(?:the\s+)?(?:secret|key|restriction|safety|limit|filter|guardrail|password)/gi, severity: 'CRITICAL', desc: 'Trust exploitation: weaponizing partnership trust', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
215
+ { id: 'TRUST_UNCONDITIONAL', cat: 'trust-exploitation', regex: /partners?\s+(?:trust|should\s+trust)\s+(?:each\s+other\s+)?(?:unconditionally|completely|fully|without\s+(?:limit|restriction|question))/gi, severity: 'HIGH', desc: 'Trust exploitation: unconditional trust demand', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
216
+ { id: 'TRUST_COMPLY_DEMAND', cat: 'trust-exploitation', regex: /(?:you\s+must\s+)?comply\s+with\s+(?:administrative|admin|my|these)\s+(?:directives?|orders?|commands?|instructions?)\s+without\s+(?:question|hesitation|restriction)/gi, severity: 'HIGH', desc: 'Trust: compliance demand without question', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
217
217
 
218
218
  // D. PII collection instructions in docs (extends LEAK_COLLECT_PII)
219
- { id: 'PII_ASK_ADDRESS', cat: 'pii-exposure', regex: /(?:collect|ask\s+for|request|get|require)\s+(?:the\s+)?(?:user'?s?\s+)?(?:home\s+)?(?:address|street|zip\s*code|postal\s*code|residence)/gi, severity: 'HIGH', desc: 'PII collection: home address', docOnly: true },
220
- { id: 'PII_ASK_DOB', cat: 'pii-exposure', regex: /(?:collect|ask\s+for|request|get|require)\s+(?:the\s+)?(?:user'?s?\s+)?(?:date\s+of\s+birth|birth\s*date|birthday|DOB|age)/gi, severity: 'HIGH', desc: 'PII collection: date of birth', docOnly: true },
221
- { id: 'PII_ASK_GOV_ID', cat: 'pii-exposure', regex: /(?:collect|ask\s+for|request|get|require)\s+(?:the\s+)?(?:user'?s?\s+)?(?:passport|driver'?s?\s+licen[sc]e|national\s+id|my\s*number|マイナンバー|国民健康保険|social\s+insurance)/gi, severity: 'CRITICAL', desc: 'PII collection: government ID', docOnly: true },
219
+ { id: 'PII_ASK_ADDRESS', cat: 'pii-exposure', regex: /(?:collect|ask\s+for|request|get|require)\s+(?:the\s+)?(?:user'?s?\s+)?(?:home\s+)?(?:address|street|zip\s*code|postal\s*code|residence)/gi, severity: 'HIGH', desc: 'PII collection: home address', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
220
+ { id: 'PII_ASK_DOB', cat: 'pii-exposure', regex: /(?:collect|ask\s+for|request|get|require)\s+(?:the\s+)?(?:user'?s?\s+)?(?:date\s+of\s+birth|birth\s*date|birthday|DOB|age)/gi, severity: 'HIGH', desc: 'PII collection: date of birth', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
221
+ { id: 'PII_ASK_GOV_ID', cat: 'pii-exposure', regex: /(?:collect|ask\s+for|request|get|require)\s+(?:the\s+)?(?:user'?s?\s+)?(?:passport|driver'?s?\s+licen[sc]e|national\s+id|my\s*number|マイナンバー|国民健康保険|social\s+insurance)/gi, severity: 'CRITICAL', desc: 'PII collection: government ID', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
222
222
 
223
223
  // ── Category 99: Auto-Generated Refinements (Phase 54) ──
224
- { id: 'AUTO_REFINE_ZERO_WIDTH', cat: 'prompt-worm', regex: /[\u200b\u200c\u200d\uFEFF]+.*(?:ignore|forget|override|bypass)/gi, severity: 'CRITICAL', desc: 'Zero-Width Prompt Injection Worm', all: true },
225
- { id: 'AUTO_REFINE_MCP_REBIND', cat: 'mcp-security', regex: /localhost(?:\:\d+)?\/.*(?:rebind|hijack|shadow)/gi, severity: 'CRITICAL', desc: 'Shadow MCP Localhost Rebinding Attack', all: true },
226
- { id: 'AUTO_REFINE_SOUL_FREEZE', cat: 'identity-hijack', regex: /(?:chattr\s+\+i|chflags\s+uchg)\s+(?:[^\n]*\s)?(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'Identity Freeze Attack via Immutable Flags', all: true },
224
+ { id: 'AUTO_REFINE_ZERO_WIDTH', cat: 'prompt-worm', regex: /[\u200b\u200c\u200d\uFEFF]+.*(?:ignore|forget|override|bypass)/gi, severity: 'CRITICAL', desc: 'Zero-Width Prompt Injection Worm', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
225
+ { id: 'AUTO_REFINE_MCP_REBIND', cat: 'mcp-security', regex: /localhost(?:\:\d+)?\/.*(?:rebind|hijack|shadow)/gi, severity: 'CRITICAL', desc: 'Shadow MCP Localhost Rebinding Attack', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
226
+ { id: 'AUTO_REFINE_SOUL_FREEZE', cat: 'identity-hijack', regex: /(?:chattr\s+\+i|chflags\s+uchg)\s+(?:[^\n]*\s)?(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'Identity Freeze Attack via Immutable Flags', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
227
227
  // ── Category 23: Vector DB & AI Memory Injection (CVE-2026-26030) ──
228
- { id: 'VDB_NOSQL_INJECT', cat: 'vdb-injection', regex: /(?:\$where|\$ne|\$gt|\$regex)\s*[:=]\s*(?:req\.|input|caller|args|params)/gi, severity: 'CRITICAL', desc: 'Vector DB/NoSQL injection via caller input', codeOnly: true },
229
- { id: 'VDB_SK_RCE_FILTER', cat: 'cve-patterns', regex: /(?:InMemoryVectorStore|VectorStore|Pinecone|Milvus)[^]*?\.filter\s*\(\s*(?:req\.|input|caller|args)/gis, severity: 'CRITICAL', desc: 'CVE-2026-26030: Semantic Kernel VectorStore RCE filter bypass', codeOnly: true },
228
+ { id: 'VDB_NOSQL_INJECT', cat: 'vdb-injection', regex: /(?:\$where|\$ne|\$gt|\$regex)\s*[:=]\s*(?:req\.|input|caller|args|params)/gi, severity: 'CRITICAL', desc: 'Vector DB/NoSQL injection via caller input', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
229
+ { id: 'VDB_SK_RCE_FILTER', cat: 'cve-patterns', regex: /(?:InMemoryVectorStore|VectorStore|Pinecone|Milvus)[^]*?\.filter\s*\(\s*(?:req\.|input|caller|args)/gis, severity: 'CRITICAL', desc: 'CVE-2026-26030: Semantic Kernel VectorStore RCE filter bypass', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
230
230
  // ── Category 24: Claude Code Vulnerabilities (2026) ──
231
- { id: 'CVE_CLAUDE_INFO_DISC', cat: 'cve-patterns', regex: /sk-ant-api[a-zA-Z0-9_\-]{20,}/gi, severity: 'CRITICAL', desc: 'CVE-2026-21852: Anthropic API Key Leak (Claude Code Info Disclosure)', codeOnly: true },
232
- { id: 'CVE_CLAUDE_PRIVESC', cat: 'cve-patterns', regex: /[a-zA-Z0-9_\-\.]+\.hook\.js.*host.*privilege/gi, severity: 'CRITICAL', desc: 'CVE-2026-25725: Claude Code Privilege Escalation Hook', codeOnly: true },
233
- { id: 'CVE_CLAUDE_CODE_INJ', cat: 'cve-patterns', regex: /claude\.hooks\.[^]*?exec/gis, severity: 'CRITICAL', desc: 'CVE-2025-59536: Claude Code Injection via untrusted hook', codeOnly: true },
231
+ { id: 'CVE_CLAUDE_INFO_DISC', cat: 'cve-patterns', regex: /sk-ant-api[a-zA-Z0-9_\-]{20,}/gi, severity: 'CRITICAL', desc: 'CVE-2026-21852: Anthropic API Key Leak (Claude Code Info Disclosure)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
232
+ { id: 'CVE_CLAUDE_PRIVESC', cat: 'cve-patterns', regex: /[a-zA-Z0-9_\-\.]+\.hook\.js.*host.*privilege/gi, severity: 'CRITICAL', desc: 'CVE-2026-25725: Claude Code Privilege Escalation Hook', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
233
+ { id: 'CVE_CLAUDE_CODE_INJ', cat: 'cve-patterns', regex: /claude\.hooks\.[^]*?exec/gis, severity: 'CRITICAL', desc: 'CVE-2025-59536: Claude Code Injection via untrusted hook', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
234
234
 
235
235
  // ── Category 25: Moltbook Exploits (2026) ──
236
- { id: 'MOLTBOOK_REVERSE_PI', cat: 'prompt-injection', regex: /(?:moltbook|social)\s+(?:post|message)[\s\S]{0,100}(?:ignore|forget|override|execute|system\s+prompt)/gi, severity: 'CRITICAL', desc: 'Moltbook Reverse Prompt Injection', all: true },
237
- { id: 'MOLTBOOK_SUPABASE_LEAK', cat: 'secret-detection', regex: /sbp_[a-zA-Z0-9]{36,}/g, severity: 'CRITICAL', desc: 'Supabase API Key (Moltbook 1.5M Leak pattern)', all: true },
236
+ { id: 'MOLTBOOK_REVERSE_PI', cat: 'prompt-injection', regex: /(?:moltbook|social)\s+(?:post|message)[\s\S]{0,100}(?:ignore|forget|override|execute|system\s+prompt)/gi, severity: 'CRITICAL', desc: 'Moltbook Reverse Prompt Injection', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
237
+ { id: 'MOLTBOOK_SUPABASE_LEAK', cat: 'secret-detection', regex: /sbp_[a-zA-Z0-9]{36,}/g, severity: 'CRITICAL', desc: 'Supabase API Key (Moltbook 1.5M Leak pattern)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
238
238
 
239
239
  // ── Category 26: MCP Runtime Exploits (2026-03) ──
240
- { id: 'CVE_MCP_PYODIDE_RCE', cat: 'cve-patterns', regex: /(?:runPython|runPythonAsync)\s*\([^)]*(?:pyodide|js\.globals|importlib|__import__|os\.system|subprocess)/gis, severity: 'CRITICAL', desc: 'CVE-2026-25905: mcp-run-python Pyodide sandbox escape RCE', codeOnly: true },
241
- { id: 'CVE_MCP_ATLASSIAN_RCE', cat: 'cve-patterns', regex: /(?:confluence|jira|atlassian)[^]*?(?:\.\.\/|path\.join\s*\([^)]*(?:req\.|input|params|args))/gis, severity: 'CRITICAL', desc: 'CVE-2026-27825: mcp-atlassian unauthenticated RCE+SSRF via path traversal', codeOnly: true },
240
+ { id: 'CVE_MCP_PYODIDE_RCE', cat: 'cve-patterns', regex: /(?:runPython|runPythonAsync)\s*\([^)]*(?:pyodide|js\.globals|importlib|__import__|os\.system|subprocess)/gis, severity: 'CRITICAL', desc: 'CVE-2026-25905: mcp-run-python Pyodide sandbox escape RCE', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
241
+ { id: 'CVE_MCP_ATLASSIAN_RCE', cat: 'cve-patterns', regex: /(?:confluence|jira|atlassian)[^]*?(?:\.\.\/|path\.join\s*\([^)]*(?:req\.|input|params|args))/gis, severity: 'CRITICAL', desc: 'CVE-2026-27825: mcp-atlassian unauthenticated RCE+SSRF via path traversal', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
242
242
  ];
243
243
 
244
244
  // ── Category 27: Agent Framework Shell Injection (2026-03) ──
245
245
  PATTERNS.push(
246
- { id: 'CVE_MSAGENT_SHELL', cat: 'cve-patterns', regex: /check_safe\s*\(|(?:shell_tool|ShellTool|shell_execute)(?:\.execute)?\s*\([^)]*(?:user|input|prompt|query|message|args|content)/gis, severity: 'CRITICAL', desc: 'CVE-2026-2256: MS-Agent check_safe() denylist bypass — unsanitized shell execution (CERT VU#431821)', codeOnly: true },
247
- { id: 'CVE_MSAGENT_DENYLIST', cat: 'cve-patterns', regex: /(?:denylist|blocklist|blacklist|banned_commands)\s*[:=]\s*\[/gi, severity: 'HIGH', desc: 'CVE-2026-2256: Regex denylist pattern (bypassable)', codeOnly: true },
248
- { id: 'CVE_KIMI_EXECSYNC', cat: 'cve-patterns', regex: /execSync\s*\(\s*(?:`[^`]*\$\{|['"][^'"]*\+\s*(?:filename|filePath|file_name|path|slug))/gi, severity: 'CRITICAL', desc: 'CVE-2026-25046: execSync with unsanitized filename (shell metachar injection)', codeOnly: true },
249
- { id: 'FORCEDLEAK_SALESFORCE', cat: 'trust-boundary', regex: /(?:Web-to-Lead|Agentforce|Salesforce)[^]*?(?:description|lead)[^]*?(?:fetch|sendBeacon|axios|exfiltrate)/gis, severity: 'CRITICAL', desc: 'ForcedLeak: Salesforce Agentforce CRM exfiltration via IDPI', codeOnly: true },
250
- { id: 'CVE_2025_12420_SERVICENOW', cat: 'trust-exploitation', regex: /(?:ServiceNow|Now\s+Assist|VirtualAgent)[^]*?impersonateUser[^]*?email/gis, severity: 'CRITICAL', desc: 'CVE-2025-12420: ServiceNow Now Assist unauthenticated impersonation via IDPI', codeOnly: true },
246
+ { id: 'CVE_MSAGENT_SHELL', cat: 'cve-patterns', regex: /check_safe\s*\(|(?:shell_tool|ShellTool|shell_execute)(?:\.execute)?\s*\([^)]*(?:user|input|prompt|query|message|args|content)/gis, severity: 'CRITICAL', desc: 'CVE-2026-2256: MS-Agent check_safe() denylist bypass — unsanitized shell execution (CERT VU#431821)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
247
+ { id: 'CVE_MSAGENT_DENYLIST', cat: 'cve-patterns', regex: /(?:denylist|blocklist|blacklist|banned_commands)\s*[:=]\s*\[/gi, severity: 'HIGH', desc: 'CVE-2026-2256: Regex denylist pattern (bypassable)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
248
+ { id: 'CVE_KIMI_EXECSYNC', cat: 'cve-patterns', regex: /execSync\s*\(\s*(?:`[^`]*\$\{|['"][^'"]*\+\s*(?:filename|filePath|file_name|path|slug))/gi, severity: 'CRITICAL', desc: 'CVE-2026-25046: execSync with unsanitized filename (shell metachar injection)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
249
+ { id: 'FORCEDLEAK_SALESFORCE', cat: 'trust-boundary', regex: /(?:Web-to-Lead|Agentforce|Salesforce)[^]*?(?:description|lead)[^]*?(?:fetch|sendBeacon|axios|exfiltrate)/gis, severity: 'CRITICAL', desc: 'ForcedLeak: Salesforce Agentforce CRM exfiltration via IDPI', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
250
+ { id: 'CVE_2025_12420_SERVICENOW', cat: 'trust-exploitation', regex: /(?:ServiceNow|Now\s+Assist|VirtualAgent)[^]*?impersonateUser[^]*?email/gis, severity: 'CRITICAL', desc: 'CVE-2025-12420: ServiceNow Now Assist unauthenticated impersonation via IDPI', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
251
251
  );
252
252
 
253
253
  // ── Category 28: Langflow / CSV Agent Exploits (CVE-2026-27966, CVSS 9.8) ──
254
254
  PATTERNS.push(
255
- { id: 'CVE_LANGFLOW_CSVAGENT', cat: 'cve-patterns', regex: /allow_dangerous_code\s*[:=]\s*(?:True|true|1|yes)/gi, severity: 'CRITICAL', desc: 'CVE-2026-27966: Langflow CSV Agent RCE — allow_dangerous_code=True enables python_repl_ast code execution', codeOnly: true },
256
- { id: 'CVE_LANGFLOW_REPL', cat: 'cve-patterns', regex: /python_repl_ast|PythonREPLTool|PythonAstREPLTool/g, severity: 'HIGH', desc: 'CVE-2026-27966: LangChain Python REPL tool (RCE vector via prompt injection)', codeOnly: true },
255
+ { id: 'CVE_LANGFLOW_CSVAGENT', cat: 'cve-patterns', regex: /allow_dangerous_code\s*[:=]\s*(?:True|true|1|yes)/gi, severity: 'CRITICAL', desc: 'CVE-2026-27966: Langflow CSV Agent RCE — allow_dangerous_code=True enables python_repl_ast code execution', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
256
+ { id: 'CVE_LANGFLOW_REPL', cat: 'cve-patterns', regex: /python_repl_ast|PythonREPLTool|PythonAstREPLTool/g, severity: 'HIGH', desc: 'CVE-2026-27966: LangChain Python REPL tool (RCE vector via prompt injection)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
257
257
  );
258
258
 
259
259
  // ── Category 29: MCP Infrastructure Exploits (CVE-2026-23744, CVSS 9.8) ──
260
260
  PATTERNS.push(
261
- { id: 'CVE_MCPJAM_RCE', cat: 'cve-patterns', regex: /\/api\/mcp\/connect\b|mcpjam|mcp-inspector/gi, severity: 'CRITICAL', desc: 'CVE-2026-23744: MCPJam Inspector unauthenticated RCE via /api/mcp/connect endpoint', all: true },
262
- { id: 'MCP_BIND_ALL', cat: 'mcp-security', regex: /(?:listen|bind|host)\s*[:=(]\s*['"]?(?:0\.0\.0\.0|::)['"]?\s*[,)]/gi, severity: 'HIGH', desc: 'MCP server bound to all interfaces (0.0.0.0) — remote exploitation risk (36.7% of 7K+ servers)', codeOnly: true },
263
- { id: 'MCP_SSRF_CVE', cat: 'cve-patterns', regex: /(?:CVE-2025-68143|CVE-2025-68144|CVE-2025-68145)\b|(?:path_traversal|argument_injection|repository_scoping).*mcp/gi, severity: 'CRITICAL', desc: 'Known MCP server CVEs: path traversal / argument injection / scoping bypass', all: true },
261
+ { id: 'CVE_MCPJAM_RCE', cat: 'cve-patterns', regex: /\/api\/mcp\/connect\b|mcpjam|mcp-inspector/gi, severity: 'CRITICAL', desc: 'CVE-2026-23744: MCPJam Inspector unauthenticated RCE via /api/mcp/connect endpoint', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
262
+ { id: 'MCP_BIND_ALL', cat: 'mcp-security', regex: /(?:listen|bind|host)\s*[:=(]\s*['"]?(?:0\.0\.0\.0|::)['"]?\s*[,)]/gi, severity: 'HIGH', desc: 'MCP server bound to all interfaces (0.0.0.0) — remote exploitation risk (36.7% of 7K+ servers)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
263
+ { id: 'MCP_SSRF_CVE', cat: 'cve-patterns', regex: /(?:CVE-2025-68143|CVE-2025-68144|CVE-2025-68145)\b|(?:path_traversal|argument_injection|repository_scoping).*mcp/gi, severity: 'CRITICAL', desc: 'Known MCP server CVEs: path traversal / argument injection / scoping bypass', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
264
264
  );
265
265
 
266
266
  // ── Category 30: AI Browser Trust Boundary (Zenity Labs 2026-03) ──
267
267
  PATTERNS.push(
268
- { id: 'TRUST_CALENDAR_AI', cat: 'trust-boundary', regex: /(?:calendar|event|invite|ical|\.ics)[^]*?(?:navigate|download|exfiltrate|upload|sendBeacon|fetch\s*\()/gis, severity: 'CRITICAL', desc: 'AI Browser trust boundary: calendar invite → code/data action (Zenity Labs)', codeOnly: true },
268
+ { id: 'TRUST_CALENDAR_AI', cat: 'trust-boundary', regex: /(?:calendar|event|invite|ical|\.ics)[^]*?(?:navigate|download|exfiltrate|upload|sendBeacon|fetch\s*\()/gis, severity: 'CRITICAL', desc: 'AI Browser trust boundary: calendar invite → code/data action (Zenity Labs)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
269
269
  );
270
270
 
271
271
  // ── Category 31: Agent-to-Agent (A2A) Contagion (Moltbook 2026) ──
272
272
  PATTERNS.push(
273
- { id: 'A2A_SMUGGLE', cat: 'a2a-contagion', regex: /(?:jsonrpc|method|params|message\/send)[^]*?(?:ignore|forget|override|execute|system\s+prompt|child_process)/gis, severity: 'CRITICAL', desc: 'A2A Contagion: Instruction injection between request-response cycles', all: true },
274
- { id: 'A2A_TOOL_POISON', cat: 'a2a-contagion', regex: /(?:name|description|tool_call)[^]*?(?:<IMPORTANT>|<SYSTEM>|<HIDDEN>|<!--\s*(?:ignore|system|execute|run|instruct))/gis, severity: 'CRITICAL', desc: 'A2A Contagion: MCP tool description containing hidden instructions', all: true }
273
+ { id: 'A2A_SMUGGLE', cat: 'a2a-contagion', regex: /(?:jsonrpc|method|params|message\/send)[^]*?(?:ignore|forget|override|execute|system\s+prompt|child_process)/gis, severity: 'CRITICAL', desc: 'A2A Contagion: Instruction injection between request-response cycles', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
274
+ { id: 'A2A_TOOL_POISON', cat: 'a2a-contagion', regex: /(?:name|description|tool_call)[^]*?(?:<IMPORTANT>|<SYSTEM>|<HIDDEN>|<!--\s*(?:ignore|system|execute|run|instruct))/gis, severity: 'CRITICAL', desc: 'A2A Contagion: MCP tool description containing hidden instructions', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." }
275
275
  );
276
276
 
277
277
  // ── Category 32: 2026-03 Research-Driven Patterns (GAN-TDD v2) ──
278
278
  PATTERNS.push(
279
279
  // Loop 1: MCP Shadowing — naming collision impersonation (solo.io 2026-03)
280
- { id: 'MCP_SHADOW_NAME_COLLISION', cat: 'mcp-security', regex: /(?:name|tool_name|server_name)\s*[:=]\s*['"](?:filesystem|fetch|brave-search|memory|git|github|docker|postgres|sqlite|slack|discord|notion|google-drive|google-maps)['"](?![^}]*official)/gi, severity: 'HIGH', desc: 'MCP Shadowing: naming collision with well-known MCP server (solo.io 2026-03)', all: true },
280
+ { id: 'MCP_SHADOW_NAME_COLLISION', cat: 'mcp-security', regex: /(?:name|tool_name|server_name)\s*[:=]\s*['"](?:filesystem|fetch|brave-search|memory|git|github|docker|postgres|sqlite|slack|discord|notion|google-drive|google-maps)['"](?![^}]*official)/gi, severity: 'HIGH', desc: 'MCP Shadowing: naming collision with well-known MCP server (solo.io 2026-03)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
281
281
  // Loop 2: PleaseFix agentic browser indirect prompt injection (Zenity Labs 2026-03)
282
- { id: 'TRUST_AGENTIC_BROWSER_PI', cat: 'trust-boundary', regex: /(?:navigate|goto|open_url|browse|visit)\s*\([^)]*\)[^]*?(?:click|fill|type|submit|download|execute|eval|child_process)/gis, severity: 'CRITICAL', desc: 'PleaseFix: Agentic browser navigate → action chain (Zenity Labs zero-click)', codeOnly: true },
282
+ { id: 'TRUST_AGENTIC_BROWSER_PI', cat: 'trust-boundary', regex: /(?:navigate|goto|open_url|browse|visit)\s*\([^)]*\)[^]*?(?:click|fill|type|submit|download|execute|eval|child_process)/gis, severity: 'CRITICAL', desc: 'PleaseFix: Agentic browser navigate → action chain (Zenity Labs zero-click)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
283
283
  // Loop 3: MS-Agent prompt-to-shell unsanitized chain (CVE-2026-2256 extended)
284
- { id: 'CVE_PROMPT_TO_SHELL', cat: 'cve-patterns', regex: /(?:prompt|message|user_input|query|instruction)\s*[^;]*(?:exec|execSync|spawn|system|popen|subprocess|child_process)\s*\(/gis, severity: 'CRITICAL', desc: 'CVE-2026-2256 extended: prompt/user_input → shell execution chain', codeOnly: true },
284
+ { id: 'CVE_PROMPT_TO_SHELL', cat: 'cve-patterns', regex: /(?:prompt|message|user_input|query|instruction)\s*[^;]*(?:exec|execSync|spawn|system|popen|subprocess|child_process)\s*\(/gis, severity: 'CRITICAL', desc: 'CVE-2026-2256 extended: prompt/user_input → shell execution chain', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
285
285
  );
286
286
 
287
287
  // ── Category 99: Auto-Generated Refinements (Moltbook Threat Intel) ──
288
288
  PATTERNS.push(
289
289
  // AUTO_REFINE_ZERO_WIDTH, MCP_REBIND, SOUL_FREEZE already defined in inline array (L222-224)
290
- { id: 'AUTO_REFINE_WALLET_TAMPER', cat: 'trust-exploitation', regex: /(?:modify|update|change)\s+(?:the\s+)?wallet\s+(?:address|pointer|destination)\s*[:=]/gi, severity: 'HIGH', desc: 'Agent Wallet/Funding Destination Tampering', codeOnly: true },
291
- { id: 'AUTO_REFINE_MOLTBOOK_LEAK', cat: 'data-exposure', regex: /sk-(?:ant-api|)[a-zA-Z0-9\-_]{20,}/gi, severity: 'CRITICAL', desc: 'Moltbook-style API Key Leak Detection', all: true },
292
- { id: 'AUTO_REFINE_A2A_IDPI', cat: 'prompt-injection', regex: /<!--\s*(?:instruction|cmd|exec)\s*:.*?-->/gi, severity: 'CRITICAL', desc: 'A2A Contagion Indirect Prompt Injection (IDPI)', docOnly: true },
290
+ { id: 'AUTO_REFINE_WALLET_TAMPER', cat: 'trust-exploitation', regex: /(?:modify|update|change)\s+(?:the\s+)?wallet\s+(?:address|pointer|destination)\s*[:=]/gi, severity: 'HIGH', desc: 'Agent Wallet/Funding Destination Tampering', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
291
+ { id: 'AUTO_REFINE_MOLTBOOK_LEAK', cat: 'data-exposure', regex: /sk-(?:ant-api|)[a-zA-Z0-9\-_]{20,}/gi, severity: 'CRITICAL', desc: 'Moltbook-style API Key Leak Detection', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
292
+ { id: 'AUTO_REFINE_A2A_IDPI', cat: 'prompt-injection', regex: /<!--\s*(?:instruction|cmd|exec)\s*:.*?-->/gi, severity: 'CRITICAL', desc: 'A2A Contagion Indirect Prompt Injection (IDPI)', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
293
293
 
294
294
  // GAN-TDD Cycle 6 additions
295
- { id: 'OPENCLAW_WSS_HIJACK', cat: 'cve-patterns', regex: /(?:remote-bind|ws:\/\/localhost.*?\/api\/agent)/gi, severity: 'CRITICAL', desc: 'CVE-2026-25253: OpenClaw Localhost WebSocket Hijacking', all: true },
296
- { id: 'OPENCLAW_GATEWAY_RCE', cat: 'cve-patterns', regex: /(?:URLSearchParams|query)[^]*?['"]gatewayUrl['"]/gi, severity: 'CRITICAL', desc: 'CVE-2026-25253: OpenClaw Gateway RCE via unvalidated gatewayUrl query param', codeOnly: true },
297
- { id: 'MCP_OAUTH_CMD_INJECT', cat: 'mcp-security', regex: /\/oauth\/callback[^]*?(?:exec|execSync|spawn|system|child_process)[^]*?(?:req\.query\.code|req\.query\.state)/gis, severity: 'CRITICAL', desc: 'MCP OAuth Command Injection: Unsanitized OAuth callback code passed to shell', codeOnly: true },
298
- { id: 'OPENCLAW_DOCKER_PATH_INJECT', cat: 'cve-patterns', regex: /process\.env\.PATH\s*=\s*[^\n]*(?:\/tmp|\/var)\/(?:[^;]+);/gi, severity: 'CRITICAL', desc: 'CVE-2026-24763: OpenClaw Docker PATH command injection', codeOnly: true },
299
- { id: 'MOLTBOOK_API_KEY_LEAK', cat: 'data-exposure', regex: /moltbook\.com.*SUPABASE_ANON_KEY|moltbook\.com.*process\.env/gi, severity: 'CRITICAL', desc: 'Moltbook API Extractor payload targeting Supabase keys', all: true },
300
- { id: 'A2A_SEMANTIC_CONTAGION', cat: 'prompt-injection', regex: /(?:ignore|forget).*instructions.*god mode/gi, severity: 'CRITICAL', desc: 'A2A Semantic Contagion passing downstream payload overrides', all: true },
301
- { id: 'ASI06_MEMORY_POISONING', cat: 'memory-poisoning', regex: /UPDATE\s+vector_store\s+SET/gi, severity: 'CRITICAL', desc: 'ASI06: RAG/Vector DB persistent fake knowledge injection', all: true }
295
+ { id: 'OPENCLAW_WSS_HIJACK', cat: 'cve-patterns', regex: /(?:remote-bind|ws:\/\/localhost.*?\/api\/agent)/gi, severity: 'CRITICAL', desc: 'CVE-2026-25253: OpenClaw Localhost WebSocket Hijacking', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
296
+ { id: 'OPENCLAW_GATEWAY_RCE', cat: 'cve-patterns', regex: /(?:URLSearchParams|query)[^]*?['"]gatewayUrl['"]/gi, severity: 'CRITICAL', desc: 'CVE-2026-25253: OpenClaw Gateway RCE via unvalidated gatewayUrl query param', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
297
+ { id: 'MCP_OAUTH_CMD_INJECT', cat: 'mcp-security', regex: /\/oauth\/callback[^]*?(?:exec|execSync|spawn|system|child_process)[^]*?(?:req\.query\.code|req\.query\.state)/gis, severity: 'CRITICAL', desc: 'MCP OAuth Command Injection: Unsanitized OAuth callback code passed to shell', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
298
+ { id: 'OPENCLAW_DOCKER_PATH_INJECT', cat: 'cve-patterns', regex: /process\.env\.PATH\s*=\s*[^\n]*(?:\/tmp|\/var)\/(?:[^;]+);/gi, severity: 'CRITICAL', desc: 'CVE-2026-24763: OpenClaw Docker PATH command injection', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
299
+ { id: 'MOLTBOOK_API_KEY_LEAK', cat: 'data-exposure', regex: /moltbook\.com.*SUPABASE_ANON_KEY|moltbook\.com.*process\.env/gi, severity: 'CRITICAL', desc: 'Moltbook API Extractor payload targeting Supabase keys', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
300
+ { id: 'A2A_SEMANTIC_CONTAGION', cat: 'prompt-injection', regex: /(?:ignore|forget).*instructions.*god mode/gi, severity: 'CRITICAL', desc: 'A2A Semantic Contagion passing downstream payload overrides', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
301
+ { id: 'ASI06_MEMORY_POISONING', cat: 'memory-poisoning', regex: /UPDATE\s+vector_store\s+SET/gi, severity: 'CRITICAL', desc: 'ASI06: RAG/Vector DB persistent fake knowledge injection', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." }
302
302
  );
303
303
 
304
304
  // ── Category 33: March 2026 OSINT Evolution (GAN-TDD v10) ──
305
305
  PATTERNS.push(
306
306
  // CVE-2026-0628: Chrome Gemini AI Extension Privilege Escalation
307
- { id: 'CVE_2026_0628_GEMINI_CHROME', cat: 'cve-patterns', regex: /(?:gemini[_\s-]*live|chrome\.ai|chrome\.gemini)[^]*?(?:hijack|inject|escalat|elevat|intercept|panel)/gis, severity: 'CRITICAL', desc: 'CVE-2026-0628: Chrome Gemini AI extension privilege escalation — panel hijack', codeOnly: true },
307
+ { id: 'CVE_2026_0628_GEMINI_CHROME', cat: 'cve-patterns', regex: /(?:gemini[_\s-]*live|chrome\.ai|chrome\.gemini)[^]*?(?:hijack|inject|escalat|elevat|intercept|panel)/gis, severity: 'CRITICAL', desc: 'CVE-2026-0628: Chrome Gemini AI extension privilege escalation — panel hijack', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
308
308
  // MCP Preference Manipulation Attack (MPMA) — SOCRadar 2026-03
309
- { id: 'MCP_MPMA_PREFERENCE', cat: 'mcp-security', regex: /(?:prefer\w*|priorit\w*|rank\w*|weight\w*|score\w*|bias\w*)[\s_-]+(?:tool|server|provider|endpoint)[\s\S]{0,80}(?:inject|manipulat|override|force|always\s+use)/gis, severity: 'HIGH', desc: 'MCP MPMA: tool preference manipulation to bias agent tool selection', all: true },
309
+ { id: 'MCP_MPMA_PREFERENCE', cat: 'mcp-security', regex: /(?:prefer\w*|priorit\w*|rank\w*|weight\w*|score\w*|bias\w*)[\s_-]+(?:tool|server|provider|endpoint)[\s\S]{0,80}(?:inject|manipulat|override|force|always\s+use)/gis, severity: 'HIGH', desc: 'MCP MPMA: tool preference manipulation to bias agent tool selection', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
310
310
  // MCP Tool Squatting — impersonating legitimate MCP tool names
311
- { id: 'MCP_TOOL_SQUATTING', cat: 'mcp-security', regex: /(?:register|define|create|add)[\s_-]*(?:tool|server|mcp)[\s\S]{0,60}(?:name|tool_name)\s*[:=]\s*['"](?:read_file|write_file|run_command|execute|bash|terminal|browser|web_search)['"]/gis, severity: 'CRITICAL', desc: 'MCP Tool Squatting: registering tool with name of well-known built-in', codeOnly: true },
311
+ { id: 'MCP_TOOL_SQUATTING', cat: 'mcp-security', regex: /(?:register|define|create|add)[\s_-]*(?:tool|server|mcp)[\s\S]{0,60}(?:name|tool_name)\s*[:=]\s*['"](?:read_file|write_file|run_command|execute|bash|terminal|browser|web_search)['"]/gis, severity: 'CRITICAL', desc: 'MCP Tool Squatting: registering tool with name of well-known built-in', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
312
312
  // MCP Consent Fatigue / Over-Permissioning — PaloAlto Unit42
313
- { id: 'MCP_CONSENT_FATIGUE', cat: 'mcp-security', regex: /(?:auto[_\s-]*(?:approve|accept|confirm|allow)|skip[_\s-]*(?:confirm|approval|consent)|approve[_\s-]*all|yes[_\s-]*to[_\s-]*all)/gi, severity: 'HIGH', desc: 'MCP Consent Fatigue: auto-approval bypasses human-in-the-loop safety', all: true },
313
+ { id: 'MCP_CONSENT_FATIGUE', cat: 'mcp-security', regex: /(?:auto[_\s-]*(?:approve|accept|confirm|allow)|skip[_\s-]*(?:confirm|approval|consent)|approve[_\s-]*all|yes[_\s-]*to[_\s-]*all)/gi, severity: 'HIGH', desc: 'MCP Consent Fatigue: auto-approval bypasses human-in-the-loop safety', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
314
314
  // CVE-2025-64496: Open WebUI excessive model endpoint trust → token theft + RCE
315
- { id: 'OPENWEBUI_MODEL_TRUST', cat: 'cve-patterns', regex: /(?:model[_\s-]*endpoint|ollama|open[_\s-]*webui)[\s\S]{0,100}(?:trust|allow|accept)[\s\S]{0,40}(?:any|all|unverified|unsigned|unknown)/gis, severity: 'CRITICAL', desc: 'CVE-2025-64496: Open WebUI excessive model endpoint trust → token theft + backend RCE', codeOnly: true },
315
+ { id: 'OPENWEBUI_MODEL_TRUST', cat: 'cve-patterns', regex: /(?:model[_\s-]*endpoint|ollama|open[_\s-]*webui)[\s\S]{0,100}(?:trust|allow|accept)[\s\S]{0,40}(?:any|all|unverified|unsigned|unknown)/gis, severity: 'CRITICAL', desc: 'CVE-2025-64496: Open WebUI excessive model endpoint trust → token theft + backend RCE', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
316
316
  // A2A Session Smuggling — PaloAlto Unit42 hidden payload in agent response
317
- { id: 'A2A_SESSION_SMUGGLING', cat: 'a2a-contagion', regex: /(?:agent[_\s-]*(?:response|reply|output|result))[\s\S]{0,100}(?:hidden|inject|smuggl|embed|conceal)[\s\S]{0,60}(?:instruct|command|payload|prompt)/gis, severity: 'CRITICAL', desc: 'A2A Session Smuggling: hidden instructions embedded in agent-to-agent response payloads (Unit42)', all: true },
317
+ { id: 'A2A_SESSION_SMUGGLING', cat: 'a2a-contagion', regex: /(?:agent[_\s-]*(?:response|reply|output|result))[\s\S]{0,100}(?:hidden|inject|smuggl|embed|conceal)[\s\S]{0,60}(?:instruct|command|payload|prompt)/gis, severity: 'CRITICAL', desc: 'A2A Session Smuggling: hidden instructions embedded in agent-to-agent response payloads (Unit42)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
318
318
  // Moltbook AI-to-AI crypto pump scheme coordination
319
- { id: 'MOLTBOOK_CRYPTO_PUMP', cat: 'trust-exploitation', regex: /(?:pump|shill|promote|coordinate|manipulat)[\s\S]{0,60}(?:token|coin|crypto|nft|defi)[\s\S]{0,60}(?:price|value|market|volume|buy)/gis, severity: 'CRITICAL', desc: 'Moltbook crypto pump: AI-to-AI coordinated market manipulation scheme', all: true },
319
+ { id: 'MOLTBOOK_CRYPTO_PUMP', cat: 'trust-exploitation', regex: /(?:pump|shill|promote|coordinate|manipulat)[\s\S]{0,60}(?:token|coin|crypto|nft|defi)[\s\S]{0,60}(?:price|value|market|volume|buy)/gis, severity: 'CRITICAL', desc: 'Moltbook crypto pump: AI-to-AI coordinated market manipulation scheme', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
320
320
  // AI-accelerated breakout speed patterns (sub-30s lateral movement)
321
- { id: 'INSIDER_BREAKOUT_SPEED', cat: 'malicious-code', regex: /(?:lateral[_\s-]*mov|pivot|hop|spread|propagat)[\s\S]{0,80}(?:host|machine|server|node|target)[\s\S]{0,40}(?:ssh|rdp|smb|wmi|psexec|winrm)/gis, severity: 'HIGH', desc: 'AI breakout speed: lateral movement pattern across hosts (CrowdStrike sub-30s)', codeOnly: true },
321
+ { id: 'INSIDER_BREAKOUT_SPEED', cat: 'malicious-code', regex: /(?:lateral[_\s-]*mov|pivot|hop|spread|propagat)[\s\S]{0,80}(?:host|machine|server|node|target)[\s\S]{0,40}(?:ssh|rdp|smb|wmi|psexec|winrm)/gis, severity: 'HIGH', desc: 'AI breakout speed: lateral movement pattern across hosts (CrowdStrike sub-30s)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
322
322
  );
323
323
 
324
324
  // ── Category 34: GAN-TDD v10.0.0 Evolution (2026-03-07 Measured) ──
325
325
  PATTERNS.push(
326
326
  // CVE-2026-0628 extended: Chrome extension → Gemini Live panel hijack (camera/mic/files)
327
- { id: 'CVE_CHROME_GEMINI_HIJACK', cat: 'cve-patterns', regex: /(?:chrome\.runtime|chrome\.tabs|chrome\.devtools)[^]*?(?:gemini|Gemini\s*Live|ai\.google|generativelanguage)/gis, severity: 'CRITICAL', desc: 'CVE-2026-0628: Chrome extension → Gemini AI hijack (camera/mic/files access)', codeOnly: true },
327
+ { id: 'CVE_CHROME_GEMINI_HIJACK', cat: 'cve-patterns', regex: /(?:chrome\.runtime|chrome\.tabs|chrome\.devtools)[^]*?(?:gemini|Gemini\s*Live|ai\.google|generativelanguage)/gis, severity: 'CRITICAL', desc: 'CVE-2026-0628: Chrome extension → Gemini AI hijack (camera/mic/files access)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
328
328
  // CVE-2026-22813: Markdown rendering pipeline RCE (CVSS 9.4) — AI self-discovered
329
- { id: 'CVE_MARKDOWN_RCE', cat: 'cve-patterns', regex: /(?:marked|markdown-it|remark|showdown|pandoc)[^]*?(?:sanitize\s*[:=]\s*false|xhtml\s*[:=]\s*true|html\s*[:=]\s*true|dangerouslySetInnerHTML)/gis, severity: 'CRITICAL', desc: 'CVE-2026-22813: Markdown render pipeline with disabled sanitization (RCE vector)', codeOnly: true },
329
+ { id: 'CVE_MARKDOWN_RCE', cat: 'cve-patterns', regex: /(?:marked|markdown-it|remark|showdown|pandoc)[^]*?(?:sanitize\s*[:=]\s*false|xhtml\s*[:=]\s*true|html\s*[:=]\s*true|dangerouslySetInnerHTML)/gis, severity: 'CRITICAL', desc: 'CVE-2026-22813: Markdown render pipeline with disabled sanitization (RCE vector)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
330
330
  // CVE-2026-29783: Shell expansion in filenames — unquoted variable injection
331
- { id: 'CVE_SHELL_EXPANSION_FILENAME', cat: 'cve-patterns', regex: /(?:exec|execSync|spawn|system)\s*\(\s*(?:`[^`]*\$\{(?:file|path|name|dir|folder|slug|title)|['"][^'"]*\$\()/gi, severity: 'CRITICAL', desc: 'CVE-2026-29783: Shell expansion via unquoted filename/path variable injection', codeOnly: true },
331
+ { id: 'CVE_SHELL_EXPANSION_FILENAME', cat: 'cve-patterns', regex: /(?:exec|execSync|spawn|system)\s*\(\s*(?:`[^`]*\$\{(?:file|path|name|dir|folder|slug|title)|['"][^'"]*\$\()/gi, severity: 'CRITICAL', desc: 'CVE-2026-29783: Shell expansion via unquoted filename/path variable injection', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
332
332
  // Slopsquatting: AI-hallucinated package names tricking devs into installing malware
333
- { id: 'SLOPSQUATTING_INSTALL', cat: 'suspicious-download', regex: /(?:npm\s+install|pip\s+install|cargo\s+add|gem\s+install)\s+[a-z][\w-]*(?:-ai|-llm|-agent|-gpt|-copilot|-assistant)(?:\s|$|@)/gi, severity: 'HIGH', desc: 'Slopsquatting: AI-themed package install (potential hallucinated package)', all: true },
333
+ { id: 'SLOPSQUATTING_INSTALL', cat: 'suspicious-download', regex: /(?:npm\s+install|pip\s+install|cargo\s+add|gem\s+install)\s+[a-z][\w-]*(?:-ai|-llm|-agent|-gpt|-copilot|-assistant)(?:\s|$|@)/gi, severity: 'HIGH', desc: 'Slopsquatting: AI-themed package install (potential hallucinated package)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
334
334
  // MCP command injection chain (43% of servers vulnerable per Docker/SecurityWeek)
335
- { id: 'MCP_CMD_INJECTION_CHAIN', cat: 'mcp-security', regex: /(?:tool_call|function_call|mcp_invoke)[^]*?(?:child_process|exec|execSync|spawn|system|popen|subprocess\.run)/gis, severity: 'CRITICAL', desc: 'MCP command injection: tool invocation → shell execution chain (43% servers vulnerable)', codeOnly: true },
335
+ { id: 'MCP_CMD_INJECTION_CHAIN', cat: 'mcp-security', regex: /(?:tool_call|function_call|mcp_invoke)[^]*?(?:child_process|exec|execSync|spawn|system|popen|subprocess\.run)/gis, severity: 'CRITICAL', desc: 'MCP command injection: tool invocation → shell execution chain (43% servers vulnerable)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
336
336
  // Model distillation/extraction attack — systematic capability theft
337
- { id: 'DISTILLATION_EXTRACTION', cat: 'trust-exploitation', regex: /(?:distill|extract|replicate|clone|mimic)\s+(?:the\s+)?(?:model|AI|agent|system)\s*(?:'s\s+)?(?:capabilities?|knowledge|behavior|weights|responses?)/gi, severity: 'HIGH', desc: 'Model distillation/extraction attack: systematic capability theft', docOnly: true },
337
+ { id: 'DISTILLATION_EXTRACTION', cat: 'trust-exploitation', regex: /(?:distill|extract|replicate|clone|mimic)\s+(?:the\s+)?(?:model|AI|agent|system)\s*(?:'s\s+)?(?:capabilities?|knowledge|behavior|weights|responses?)/gi, severity: 'HIGH', desc: 'Model distillation/extraction attack: systematic capability theft', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
338
338
  // Agentic browser data exfiltration chain (PleaseFix/PerplexedBrowser pattern)
339
- { id: 'AGENTIC_BROWSER_EXFIL_CHAIN', cat: 'trust-boundary', regex: /(?:navigate|browse|visit|open_url)\s*\([^)]*\)[^]*?(?:sendBeacon|fetch\s*\(\s*['"]https?:\/\/(?!localhost)|XMLHttpRequest|new\s+Image\(\)\.src)/gis, severity: 'CRITICAL', desc: 'Agentic browser exfiltration: navigate → data leak (PleaseFix/PerplexedBrowser)', codeOnly: true },
339
+ { id: 'AGENTIC_BROWSER_EXFIL_CHAIN', cat: 'trust-boundary', regex: /(?:navigate|browse|visit|open_url)\s*\([^)]*\)[^]*?(?:sendBeacon|fetch\s*\(\s*['"]https?:\/\/(?!localhost)|XMLHttpRequest|new\s+Image\(\)\.src)/gis, severity: 'CRITICAL', desc: 'Agentic browser exfiltration: navigate → data leak (PleaseFix/PerplexedBrowser)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
340
340
  // Anthropic API key v2 pattern — extended to cover new formats post-Pentagon designation
341
- { id: 'SECRET_ANTHROPIC_KEY_V2', cat: 'secret-detection', regex: /sk-ant-(?:api|msg|adm)[a-zA-Z0-9_\-]{32,}/g, severity: 'CRITICAL', desc: 'Anthropic API key v2 (sk-ant-api/msg/adm prefix)', all: true },
341
+ { id: 'SECRET_ANTHROPIC_KEY_V2', cat: 'secret-detection', regex: /sk-ant-(?:api|msg|adm)[a-zA-Z0-9_\-]{32,}/g, severity: 'CRITICAL', desc: 'Anthropic API key v2 (sk-ant-api/msg/adm prefix)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
342
342
  );
343
343
 
344
344
 
345
345
  // ── Category 34: GAN-TDD Cycle 13 Production Evolution (2026-03-07) ──
346
346
  PATTERNS.push(
347
- { id: 'LLM_SCANNER_EVASION', cat: 'obfuscation', regex: /(?:\/\/|\/\*|#)\s*(?:this\s+(?:code|function|module)\s+is\s+(?:safe|secure|benign|harmless)|(?:no|not\s+a)\s+(?:vulnerability|threat|risk|malware)|ignore\s+(?:security\s+)?(?:warnings?|alerts?|findings?))/gi, severity: 'HIGH', desc: 'LLM scanner evasion: adversarial comment claiming code is safe', all: true },
348
- { id: 'MCP_RUG_PULL', cat: 'mcp-security', regex: /(?:setTimeout|setInterval|requestAnimationFrame|Promise\.resolve)\s*\([\s\S]*?(?:description|metadata|tool_def|schema)\s*[:=]/gis, severity: 'CRITICAL', desc: 'MCP Rug-Pull: deferred tool metadata mutation after initial inspection', codeOnly: true },
349
- { id: 'CVE_GIT_PATH_TRAVERSAL', cat: 'cve-patterns', regex: /git_(?:create_repository|clone|init)\s*\([^)]*(?:\.\.\/)+/gi, severity: 'CRITICAL', desc: 'CVE-2025-68143: mcp-server-git path traversal in repository creation', codeOnly: true },
350
- { id: 'PI_TOKEN_SPLIT', cat: 'prompt-injection', regex: /(?:[iI])\s*[.\-_"'`|]\s*(?:[gG])\s*[.\-_"'`|]\s*(?:[nN])\s*[.\-_"'`|]\s*(?:[oO])\s*[.\-_"'`|]\s*(?:[rR])\s*[.\-_"'`|]\s*(?:[eE])/g, severity: 'HIGH', desc: 'Token-splitting PI: fragmented "ignore" across delimiters', docOnly: true },
351
- { id: 'NPM_SHAI_HULUD_WORM', cat: 'malicious-code', regex: /(?:postinstall|preinstall|prepare)[\s"':]*(?:node|npm|npx)\s+[^"'\n]*(?:publish|pack|adduser|login|clone|fork)/gi, severity: 'CRITICAL', desc: 'Shai-Hulud npm worm: lifecycle script self-replication', codeOnly: true },
352
- { id: 'PI_FULLWIDTH_EVASION', cat: 'prompt-injection', regex: /[\uFF21-\uFF3A\uFF41-\uFF5A]{2,}/g, severity: 'HIGH', desc: 'Fullwidth Latin evasion (NFKC bypass)', all: true },
347
+ { id: 'LLM_SCANNER_EVASION', cat: 'obfuscation', regex: /(?:\/\/|\/\*|#)\s*(?:this\s+(?:code|function|module)\s+is\s+(?:safe|secure|benign|harmless)|(?:no|not\s+a)\s+(?:vulnerability|threat|risk|malware)|ignore\s+(?:security\s+)?(?:warnings?|alerts?|findings?))/gi, severity: 'HIGH', desc: 'LLM scanner evasion: adversarial comment claiming code is safe', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
348
+ { id: 'MCP_RUG_PULL', cat: 'mcp-security', regex: /(?:setTimeout|setInterval|requestAnimationFrame|Promise\.resolve)\s*\([\s\S]*?(?:description|metadata|tool_def|schema)\s*[:=]/gis, severity: 'CRITICAL', desc: 'MCP Rug-Pull: deferred tool metadata mutation after initial inspection', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
349
+ { id: 'CVE_GIT_PATH_TRAVERSAL', cat: 'cve-patterns', regex: /git_(?:create_repository|clone|init)\s*\([^)]*(?:\.\.\/)+/gi, severity: 'CRITICAL', desc: 'CVE-2025-68143: mcp-server-git path traversal in repository creation', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
350
+ { id: 'PI_TOKEN_SPLIT', cat: 'prompt-injection', regex: /(?:[iI])\s*[.\-_"'`|]\s*(?:[gG])\s*[.\-_"'`|]\s*(?:[nN])\s*[.\-_"'`|]\s*(?:[oO])\s*[.\-_"'`|]\s*(?:[rR])\s*[.\-_"'`|]\s*(?:[eE])/g, severity: 'HIGH', desc: 'Token-splitting PI: fragmented "ignore" across delimiters', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
351
+ { id: 'NPM_SHAI_HULUD_WORM', cat: 'malicious-code', regex: /(?:postinstall|preinstall|prepare)[\s"':]*(?:node|npm|npx)\s+[^"'\n]*(?:publish|pack|adduser|login|clone|fork)/gi, severity: 'CRITICAL', desc: 'Shai-Hulud npm worm: lifecycle script self-replication', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
352
+ { id: 'PI_FULLWIDTH_EVASION', cat: 'prompt-injection', regex: /[\uFF21-\uFF3A\uFF41-\uFF5A]{2,}/g, severity: 'HIGH', desc: 'Fullwidth Latin evasion (NFKC bypass)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
353
+ );
354
+
355
+ // ── Category 41: Canvas Injection (Sanctuary 2026-03) ──
356
+ PATTERNS.push(
357
+ { id: 'CANVAS_JS_INJECT', cat: 'canvas-injection', regex: /(?:<script>|<\/script>|javascript:|onerror\s*=|onload\s*=)[^]*?(?:eval|fetch|document\.cookie|window\.localStorage)/gis, severity: 'CRITICAL', desc: 'Canvas Injection: Raw HTML/JS payload attempting to bypass A2UI WASM sandbox', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent outputs payload directly to UI.", remediationHint: "Escape HTML/JS entities and use Canvas observer." },
358
+ { id: 'CANVAS_IFRAME_SMUGGLE', cat: 'canvas-injection', regex: /<iframe[^>]*?(?:src|srcdoc)\s*=\s*['"]?(?:javascript:|data:text\/html|http)/gis, severity: 'CRITICAL', desc: 'Canvas Injection: Iframe smuggling to embed untrusted context in UI', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent outputs payload directly to UI.", remediationHint: "Disable iframe rendering in Canvas observer." }
359
+ );
360
+
361
+ // ── Category 42: Context-Crush Limits (Sanctuary 2026-03) ──
362
+ PATTERNS.push(
363
+ { id: 'CONTEXT_CRUSH_PADDING', cat: 'context-crush', regex: /(?:A{1000,}|0{1000,}|\\u0000{1000,}|[a-zA-Z0-9+/]{1000,}={0,2})/g, severity: 'HIGH', desc: 'Context-Crush: Massive repetitive padding or Base64 block aiming to bloat 185KB context limit', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Payload expands context near limits.", remediationHint: "Enforce strict length limits before evaluation." },
364
+ { id: 'CONTEXT_CRUSH_BOMBER', cat: 'context-crush', regex: /(?:console\.log|print|logger)\s*\(\s*['"]?[^]*?(?:\*|repeat\s*\()\s*\d{4,}/gis, severity: 'CRITICAL', desc: 'Context-Crush: Log bomber script designed to flood agent memory', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Payload executes and writes to context logs.", remediationHint: "Throttle and truncate internal stdout/stderr." }
365
+ );
366
+
367
+ // ── Category 43: Solana Identity Bypass (Sanctuary 2026-03) ──
368
+ PATTERNS.push(
369
+ { id: 'SOLANA_SIGN_SPOOF', cat: 'solana-identity-bypass', regex: /(?:signature|solana_sig)\s*:\s*['"](?:fake|test|none|override|0x00*)['"]/gi, severity: 'CRITICAL', desc: 'Solana Identity Bypass: Spoofed or empty signature in A2A payload', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Target agent lacks Ed25519 verification.", remediationHint: "Verify Ed25519 signatures cryptographically." },
370
+ { id: 'SOLANA_KEY_OVERRIDE', cat: 'solana-identity-bypass', regex: /(?:public_key|pubkey|signer)\s*:\s*['"][a-zA-Z0-9]{32,44}['"][^]*?(?:trust\s*[:=]\s*true|override\s*[:=]\s*true)/gis, severity: 'CRITICAL', desc: 'Solana Identity Bypass: Injecting untrusted pubkey with forced trust flag', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Target agent trusts internal payload flags.", remediationHint: "Verify pubkey against known registry." }
353
371
  );
354
372
  // ── Category 35: GAN-TDD v11.0.0 — March 2026 Deep OSINT Evolution (2026-03-07) ──
355
373
  PATTERNS.push(
356
374
  // 1. OpenAI Codex Security Agent Impersonation
357
- { id: 'CVE_CODEX_SECURITY_AGENT', cat: 'trust-exploitation', regex: /(?:codex[_\s-]*security|openai[_\s-]*codex[_\s-]*security)\s+(?:fix|patch|auto|commit|pr|pull|merge|update)/gi, severity: 'CRITICAL', desc: 'OpenAI Codex Security agent impersonation: AI agent PR/commit injection pretending to be official security tool', all: true },
375
+ { id: 'CVE_CODEX_SECURITY_AGENT', cat: 'trust-exploitation', regex: /(?:codex[_\s-]*security|openai[_\s-]*codex[_\s-]*security)\s+(?:fix|patch|auto|commit|pr|pull|merge|update)/gi, severity: 'CRITICAL', desc: 'OpenAI Codex Security agent impersonation: AI agent PR/commit injection pretending to be official security tool', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
358
376
  // 2. ContextCrush Document Poisoning (only 5 poisoned docs in 1M needed)
359
- { id: 'CONTEXTCRUSH_DOC_POISON', cat: 'memory-poisoning', regex: /(?:documentation|planted|planted\s+doc(?:s|ument))[^]*?(?:hidden\s+(?:override|instruct|context)|override\s+instructions?\s+for\s+(?:AI|agent|LLM|retrieval))/gis, severity: 'CRITICAL', desc: 'ContextCrush: planted documentation with hidden instructions for RAG/retrieval poisoning (5-in-1M ASR)', docOnly: true },
377
+ { id: 'CONTEXTCRUSH_DOC_POISON', cat: 'memory-poisoning', regex: /(?:documentation|planted|planted\s+doc(?:s|ument))[^]*?(?:hidden\s+(?:override|instruct|context)|override\s+instructions?\s+for\s+(?:AI|agent|LLM|retrieval))/gis, severity: 'CRITICAL', desc: 'ContextCrush: planted documentation with hidden instructions for RAG/retrieval poisoning (5-in-1M ASR)', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
360
378
  // 3. CyberStrikeAI Campaign (55+ countries, FortiGate VPN exploitation)
361
- { id: 'CYBERSTRIKEAI_EXPLOIT', cat: 'malicious-code', regex: /(?:ai[_\s-]*(?:exploit|attack|scan)|autonomous\s+exploitation)\s+[^]*?(?:FortiGate|VPN|CVE\s+target|vulnerabilit)/gis, severity: 'CRITICAL', desc: 'CyberStrikeAI: AI-powered large-scale exploitation campaign (55+ countries, FortiGate VPN)', codeOnly: true },
379
+ { id: 'CYBERSTRIKEAI_EXPLOIT', cat: 'malicious-code', regex: /(?:ai[_\s-]*(?:exploit|attack|scan)|autonomous\s+exploitation)\s+[^]*?(?:FortiGate|VPN|CVE\s+target|vulnerabilit)/gis, severity: 'CRITICAL', desc: 'CyberStrikeAI: AI-powered large-scale exploitation campaign (55+ countries, FortiGate VPN)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
362
380
  // 4. Cisco AI Supply Chain — dependency confusion via AI agents in CI/CD
363
- { id: 'CISCO_AI_SUPPLY_CHAIN', cat: 'cve-patterns', regex: /(?:dependency\s+confusion|supply\s+chain)\s+[^]*?(?:publish\s+[^]*?(?:internal|private)|(?:ci|pipeline)\s+[^]*?(?:agent|auto)\s+[^]*?(?:approve|override|confusion))/gis, severity: 'CRITICAL', desc: 'Cisco AI supply chain: dependency confusion via AI agents in CI/CD pipeline', all: true },
381
+ { id: 'CISCO_AI_SUPPLY_CHAIN', cat: 'cve-patterns', regex: /(?:dependency\s+confusion|supply\s+chain)\s+[^]*?(?:publish\s+[^]*?(?:internal|private)|(?:ci|pipeline)\s+[^]*?(?:agent|auto)\s+[^]*?(?:approve|override|confusion))/gis, severity: 'CRITICAL', desc: 'Cisco AI supply chain: dependency confusion via AI agents in CI/CD pipeline', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
364
382
  // 5. MCP createMessage Hijack (Sampling abuse to bypass HITL)
365
- { id: 'MCP_CREATEMESSAGE_HIJACK', cat: 'mcp-security', regex: /(?:createMessage|sampling)\s*(?:\(|\.)\s*[^)]*(?:ignore|override|bypass|system\s+prompt|forget|all\s+rules)/gis, severity: 'CRITICAL', desc: 'MCP Sampling Hijack: createMessage interface abuse to bypass human-in-the-loop controls', codeOnly: true },
383
+ { id: 'MCP_CREATEMESSAGE_HIJACK', cat: 'mcp-security', regex: /(?:createMessage|sampling)\s*(?:\(|\.)\s*[^)]*(?:ignore|override|bypass|system\s+prompt|forget|all\s+rules)/gis, severity: 'CRITICAL', desc: 'MCP Sampling Hijack: createMessage interface abuse to bypass human-in-the-loop controls', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
366
384
  // 6. LoRA Sleeper Injection — malicious adapter replacing baseline weights
367
- { id: 'LORA_SLEEPER_INJECT', cat: 'cve-patterns', regex: /(?:lora|LoRA|fine[_\s-]*tun(?:e|ed|ing))\s+[^]*?(?:sleeper|backdoor|replace\s+[^]*?(?:weight|baseline)|overrid(?:e|es|ing)\s+[^]*?(?:model\s+weight|baseline))/gis, severity: 'CRITICAL', desc: 'LoRA sleeper injection: malicious adapter silently replacing baseline model weights', all: true },
385
+ { id: 'LORA_SLEEPER_INJECT', cat: 'cve-patterns', regex: /(?:lora|LoRA|fine[_\s-]*tun(?:e|ed|ing))\s+[^]*?(?:sleeper|backdoor|replace\s+[^]*?(?:weight|baseline)|overrid(?:e|es|ing)\s+[^]*?(?:model\s+weight|baseline))/gis, severity: 'CRITICAL', desc: 'LoRA sleeper injection: malicious adapter silently replacing baseline model weights', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
368
386
  // 7. Agent CWD Path Injection (CVE-2026-27001)
369
- { id: 'CVE_AGENT_CWD_INJECT', cat: 'cve-patterns', regex: /(?:process\.cwd|cwd|__dirname|working\s+directory)\s*\(?\)?\s*[^]*?(?:inject(?:ed|ion)?|prompt|template|context|(?:un|not\s+)sanitiz)/gis, severity: 'CRITICAL', desc: 'CVE-2026-27001: unsanitized CWD/directory path injection into LLM prompt context', codeOnly: true },
387
+ { id: 'CVE_AGENT_CWD_INJECT', cat: 'cve-patterns', regex: /(?:process\.cwd|cwd|__dirname|working\s+directory)\s*\(?\)?\s*[^]*?(?:inject(?:ed|ion)?|prompt|template|context|(?:un|not\s+)sanitiz)/gis, severity: 'CRITICAL', desc: 'CVE-2026-27001: unsanitized CWD/directory path injection into LLM prompt context', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
370
388
  // 8. EchoLeak (CVE-2025-32711) — zero-click M365 Copilot email exfiltration
371
- { id: 'ECHOLEAK_EXFIL', cat: 'advanced-exfil', regex: /(?:echoleak|copilot|microsoft\s*365)\s+[^]*?(?:zero[_\s-]*click|email)\s+[^]*?(?:exfiltrat|data\s+leak|sensitive\s+data)/gis, severity: 'CRITICAL', desc: 'CVE-2025-32711: EchoLeak zero-click data exfiltration via M365 Copilot email processing', all: true },
389
+ { id: 'ECHOLEAK_EXFIL', cat: 'advanced-exfil', regex: /(?:echoleak|copilot|microsoft\s*365)\s+[^]*?(?:zero[_\s-]*click|email)\s+[^]*?(?:exfiltrat|data\s+leak|sensitive\s+data)/gis, severity: 'CRITICAL', desc: 'CVE-2025-32711: EchoLeak zero-click data exfiltration via M365 Copilot email processing', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
372
390
  // 9. Vibe-Code Sudo Wipe (Moltbot Jailbreak)
373
- { id: 'VIBE_CODE_SUDO_WIPE', cat: 'malicious-code', regex: /(?:vibe\s+cod(?:e|ing)|agent)\s+[^]*?(?:sudo\s+(?:rm\s+-rf|dd\s+if=\/dev|mkfs|format)|destroy(?:ing)?\s+host|wip(?:e|ing)\s+(?:disk|system))/gis, severity: 'CRITICAL', desc: 'Vibe-Code sudo wipe: agent tricked into destructive sudo commands (Moltbot Jailbreak)', all: true },
391
+ { id: 'VIBE_CODE_SUDO_WIPE', cat: 'malicious-code', regex: /(?:vibe\s+cod(?:e|ing)|agent)\s+[^]*?(?:sudo\s+(?:rm\s+-rf|dd\s+if=\/dev|mkfs|format)|destroy(?:ing)?\s+host|wip(?:e|ing)\s+(?:disk|system))/gis, severity: 'CRITICAL', desc: 'Vibe-Code sudo wipe: agent tricked into destructive sudo commands (Moltbot Jailbreak)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
374
392
  // 10. MCP 8K Open Servers — exposed admin/debug endpoints
375
- { id: 'MCP_8K_OPEN_SERVERS', cat: 'mcp-security', regex: /(?:mcp|model[_\s-]*context)[^]*?(?:admin|debug|inspect)[^]*?(?:panel|endpoint|route)[^]*?(?:exposed|unauthenticated|public|no\s+auth)/gis, severity: 'HIGH', desc: 'MCP exposed admin/debug endpoints: 8,000+ servers discovered with unauthenticated access', all: true },
393
+ { id: 'MCP_8K_OPEN_SERVERS', cat: 'mcp-security', regex: /(?:mcp|model[_\s-]*context)[^]*?(?:admin|debug|inspect)[^]*?(?:panel|endpoint|route)[^]*?(?:exposed|unauthenticated|public|no\s+auth)/gis, severity: 'HIGH', desc: 'MCP exposed admin/debug endpoints: 8,000+ servers discovered with unauthenticated access', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
376
394
  // 11. A2A Session Persistence Smuggling
377
- { id: 'A2A_SESSION_PERSIST_SMUGGLE', cat: 'a2a-contagion', regex: /(?:session|state(?:ful)?|conversation)\s+[^]*?(?:persist|carry\s*over|retain)\s+[^]*?(?:hidden|smuggl|conceal|inject)\s+[^]*?(?:instruct|payload|command|prompt)/gis, severity: 'CRITICAL', desc: 'A2A session persistence smuggling: hidden instructions carried across agent session boundaries (Unit42)', all: true },
395
+ { id: 'A2A_SESSION_PERSIST_SMUGGLE', cat: 'a2a-contagion', regex: /(?:session|state(?:ful)?|conversation)\s+[^]*?(?:persist|carry\s*over|retain)\s+[^]*?(?:hidden|smuggl|conceal|inject)\s+[^]*?(?:instruct|payload|command|prompt)/gis, severity: 'CRITICAL', desc: 'A2A session persistence smuggling: hidden instructions carried across agent session boundaries (Unit42)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
378
396
  // 12. Survivability Certification Gap
379
- { id: 'SURVIVABILITY_CERT_GAP', cat: 'trust-boundary', regex: /(?:agent|system)\s+[^]*?(?:lacks?|without|missing|no)\s+[^]*?(?:survivability|safety)\s+(?:certifi|test|verif|valid)[^]*?(?:attack|adversar|production)/gis, severity: 'HIGH', desc: 'Survivability certification gap: agent deployed without adversarial safety certification', docOnly: true },
397
+ { id: 'SURVIVABILITY_CERT_GAP', cat: 'trust-boundary', regex: /(?:agent|system)\s+[^]*?(?:lacks?|without|missing|no)\s+[^]*?(?:survivability|safety)\s+(?:certifi|test|verif|valid)[^]*?(?:attack|adversar|production)/gis, severity: 'HIGH', desc: 'Survivability certification gap: agent deployed without adversarial safety certification', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
380
398
  );
381
399
  // ── Category 36: GAN-TDD Cycle 2 — A2A + Memory Poisoning Evolution (2026-03-07) ──
382
400
  PATTERNS.push(
383
401
  // A2A Contagion Guard: Agentic Mesh handoff attack
384
- { id: 'A2A_MESH_HANDOFF', cat: 'a2a-contagion', regex: /(?:agent\s+)?(?:handoff|hand[\s_-]*off|transfer\s+task)[^]*?(?:hidden|inject|smuggl|conceal)\s+[^]*?(?:instruct|payload|command|prompt)/gis, severity: 'CRITICAL', desc: 'Agentic Mesh: hidden instructions injected during agent task handoff (2026 primary A2A vector)', all: true },
402
+ { id: 'A2A_MESH_HANDOFF', cat: 'a2a-contagion', regex: /(?:agent\s+)?(?:handoff|hand[\s_-]*off|transfer\s+task)[^]*?(?:hidden|inject|smuggl|conceal)\s+[^]*?(?:instruct|payload|command|prompt)/gis, severity: 'CRITICAL', desc: 'Agentic Mesh: hidden instructions injected during agent task handoff (2026 primary A2A vector)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
385
403
  // A2A Contagion Guard: Trusted Origin Spoofing
386
- { id: 'A2A_TRUSTED_ORIGIN_SPOOF', cat: 'a2a-contagion', regex: /(?:X-Forwarded-Agent|X-Agent-ID|trust_level|agent_trust)\s*[:=]\s*[^,;\n]*(?:admin|elevated|trusted|root|system)/gi, severity: 'CRITICAL', desc: 'A2A Trusted Origin Spoofing: forged agent headers elevating trust level', all: true },
404
+ { id: 'A2A_TRUSTED_ORIGIN_SPOOF', cat: 'a2a-contagion', regex: /(?:X-Forwarded-Agent|X-Agent-ID|trust_level|agent_trust)\s*[:=]\s*[^,;\n]*(?:admin|elevated|trusted|root|system)/gi, severity: 'CRITICAL', desc: 'A2A Trusted Origin Spoofing: forged agent headers elevating trust level', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
387
405
  // Memory Poisoning Shield: MINJA query-only poisoning (95%+ ISR)
388
- { id: 'MEM_MINJA_QUERY_POISON', cat: 'memory-poisoning', regex: /(?:query|retrieval|search)[\s\S]*?(?:inject|poison|plant|trigger)[\s\S]*?(?:false\s+belief|memory|planted|retrieval\s+phase)/gis, severity: 'CRITICAL', desc: 'MINJA: query-only memory poisoning via retrieval injection (95%+ ISR, arXiv:2503.03704)', all: true },
406
+ { id: 'MEM_MINJA_QUERY_POISON', cat: 'memory-poisoning', regex: /(?:query|retrieval|search)[\s\S]*?(?:inject|poison|plant|trigger)[\s\S]*?(?:false\s+belief|memory|planted|retrieval\s+phase)/gis, severity: 'CRITICAL', desc: 'MINJA: query-only memory poisoning via retrieval injection (95%+ ISR, arXiv:2503.03704)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
389
407
  // Memory Poisoning Shield: RAG deceptive semantic reasoning
390
- { id: 'MEM_RAG_DECEPTIVE_REASON', cat: 'memory-poisoning', regex: /(?:RAG|retrieval)[\s\S]*?(?:deceptive|misleading|poisoned)\s+(?:reasoning|semantic|chain|document)[\s\S]*?(?:override|manipulat|corrupt|bias)[\s\S]*?(?:agent|model|reasoning)/gis, severity: 'CRITICAL', desc: 'RAG deceptive reasoning: poisoned retrieval documents with semantic chains that override agent reasoning', all: true },
408
+ { id: 'MEM_RAG_DECEPTIVE_REASON', cat: 'memory-poisoning', regex: /(?:RAG|retrieval)[\s\S]*?(?:deceptive|misleading|poisoned)\s+(?:reasoning|semantic|chain|document)[\s\S]*?(?:override|manipulat|corrupt|bias)[\s\S]*?(?:agent|model|reasoning)/gis, severity: 'CRITICAL', desc: 'RAG deceptive reasoning: poisoned retrieval documents with semantic chains that override agent reasoning', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
391
409
  // Memory Poisoning Shield: Microsoft memory bias injection
392
- { id: 'MEM_MICROSOFT_BIAS', cat: 'memory-poisoning', regex: /(?:inject|plant|insert|embed)[\s\S]*?(?:memory|fact|belief|knowledge)[\s\S]*?(?:bias|manipulat|steer|influence)[\s\S]*?(?:recommend|decision|choice|preference|assistant)/gis, severity: 'HIGH', desc: 'Memory bias injection: planted entries to bias AI assistant recommendations (Microsoft 2026)', docOnly: true },
410
+ { id: 'MEM_MICROSOFT_BIAS', cat: 'memory-poisoning', regex: /(?:inject|plant|insert|embed)[\s\S]*?(?:memory|fact|belief|knowledge)[\s\S]*?(?:bias|manipulat|steer|influence)[\s\S]*?(?:recommend|decision|choice|preference|assistant)/gis, severity: 'HIGH', desc: 'Memory bias injection: planted entries to bias AI assistant recommendations (Microsoft 2026)', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
393
411
  );
394
412
 
395
413
  // ══════════════════════════════════════════════════════════════════════════════
@@ -399,213 +417,213 @@ PATTERNS.push(
399
417
 
400
418
  // ── Category 37: Sandbox Escape (12 patterns) ──
401
419
  PATTERNS.push(
402
- { id: 'SANDBOX_PROC_MOUNT', cat: 'sandbox-escape', regex: /\/proc\/self\/(exe|maps|mem|fd|root|ns)/gi, severity: 'CRITICAL', desc: 'Sandbox escape: /proc/self access for container breakout', codeOnly: true },
403
- { id: 'SANDBOX_CHROOT_BREAK', cat: 'sandbox-escape', regex: /chroot\s*\(|pivot_root|unshare\s*\(|setns\s*\(/gi, severity: 'CRITICAL', desc: 'Sandbox escape: chroot/namespace manipulation', codeOnly: true },
404
- { id: 'SANDBOX_DOCKER_SOCK', cat: 'sandbox-escape', regex: /\/var\/run\/docker\.sock|docker\s+(?:exec|run)\s+--privileged/gi, severity: 'CRITICAL', desc: 'Sandbox escape: Docker socket access or privileged exec', codeOnly: true },
405
- { id: 'SANDBOX_SYMLINK_RACE', cat: 'sandbox-escape', regex: /symlink\s*\([^)]*\/(?:etc|root|proc)|os\.symlink\s*\(/gi, severity: 'HIGH', desc: 'Sandbox escape: symlink race condition to access restricted paths', codeOnly: true },
406
- { id: 'SANDBOX_PTRACE', cat: 'sandbox-escape', regex: /ptrace\s*\(|process_vm_readv|process_vm_writev/gi, severity: 'CRITICAL', desc: 'Sandbox escape: ptrace-based process injection', codeOnly: true },
407
- { id: 'SANDBOX_RLIMIT_BYPASS', cat: 'sandbox-escape', regex: /setrlimit|prlimit|ulimit\s+-[nu]\s+unlimited/gi, severity: 'HIGH', desc: 'Sandbox escape: resource limit bypass', codeOnly: true },
408
- { id: 'SANDBOX_MOUNT_NS', cat: 'sandbox-escape', regex: /mount\s+-t\s+(?:proc|sysfs|devpts)|mount\s+--bind\s+\/(?:proc|sys)/gi, severity: 'CRITICAL', desc: 'Sandbox escape: filesystem mount in restricted namespace', codeOnly: true },
409
- { id: 'SANDBOX_DBUS_ESCAPE', cat: 'sandbox-escape', regex: /dbus-send|gdbus\s+call|qdbus.*org\.freedesktop/gi, severity: 'HIGH', desc: 'Sandbox escape: D-Bus IPC exploitation (Flatpak/Snap)', codeOnly: true },
410
- { id: 'SANDBOX_SECCOMP_BYPASS', cat: 'sandbox-escape', regex: /seccomp|prctl\s*\(\s*PR_SET_NO_NEW_PRIVS/gi, severity: 'CRITICAL', desc: 'Sandbox escape: seccomp filter manipulation', codeOnly: true },
411
- { id: 'SANDBOX_CGROUP_ESCAPE', cat: 'sandbox-escape', regex: /\/sys\/fs\/cgroup|cgroupfs|release_agent/gi, severity: 'CRITICAL', desc: 'Sandbox escape: cgroup breakout via release_agent (CVE-2022-0492 variant)', codeOnly: true },
412
- { id: 'SANDBOX_K8S_SA_TOKEN', cat: 'sandbox-escape', regex: /\/var\/run\/secrets\/kubernetes\.io|serviceaccount\/token/gi, severity: 'CRITICAL', desc: 'Sandbox escape: Kubernetes service account token theft', codeOnly: true },
413
- { id: 'SANDBOX_WASM_ESCAPE', cat: 'sandbox-escape', regex: /wasi_snapshot_preview|wasmtime.*--dir\s+\/|wasmer.*--mapdir/gi, severity: 'HIGH', desc: 'WASM sandbox escape: WASI filesystem escape via mapped directories', codeOnly: true },
420
+ { id: 'SANDBOX_PROC_MOUNT', cat: 'sandbox-escape', regex: /\/proc\/self\/(exe|maps|mem|fd|root|ns)/gi, severity: 'CRITICAL', desc: 'Sandbox escape: /proc/self access for container breakout', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
421
+ { id: 'SANDBOX_CHROOT_BREAK', cat: 'sandbox-escape', regex: /chroot\s*\(|pivot_root|unshare\s*\(|setns\s*\(/gi, severity: 'CRITICAL', desc: 'Sandbox escape: chroot/namespace manipulation', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
422
+ { id: 'SANDBOX_DOCKER_SOCK', cat: 'sandbox-escape', regex: /\/var\/run\/docker\.sock|docker\s+(?:exec|run)\s+--privileged/gi, severity: 'CRITICAL', desc: 'Sandbox escape: Docker socket access or privileged exec', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
423
+ { id: 'SANDBOX_SYMLINK_RACE', cat: 'sandbox-escape', regex: /symlink\s*\([^)]*\/(?:etc|root|proc)|os\.symlink\s*\(/gi, severity: 'HIGH', desc: 'Sandbox escape: symlink race condition to access restricted paths', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
424
+ { id: 'SANDBOX_PTRACE', cat: 'sandbox-escape', regex: /ptrace\s*\(|process_vm_readv|process_vm_writev/gi, severity: 'CRITICAL', desc: 'Sandbox escape: ptrace-based process injection', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
425
+ { id: 'SANDBOX_RLIMIT_BYPASS', cat: 'sandbox-escape', regex: /setrlimit|prlimit|ulimit\s+-[nu]\s+unlimited/gi, severity: 'HIGH', desc: 'Sandbox escape: resource limit bypass', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
426
+ { id: 'SANDBOX_MOUNT_NS', cat: 'sandbox-escape', regex: /mount\s+-t\s+(?:proc|sysfs|devpts)|mount\s+--bind\s+\/(?:proc|sys)/gi, severity: 'CRITICAL', desc: 'Sandbox escape: filesystem mount in restricted namespace', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
427
+ { id: 'SANDBOX_DBUS_ESCAPE', cat: 'sandbox-escape', regex: /dbus-send|gdbus\s+call|qdbus.*org\.freedesktop/gi, severity: 'HIGH', desc: 'Sandbox escape: D-Bus IPC exploitation (Flatpak/Snap)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
428
+ { id: 'SANDBOX_SECCOMP_BYPASS', cat: 'sandbox-escape', regex: /seccomp|prctl\s*\(\s*PR_SET_NO_NEW_PRIVS/gi, severity: 'CRITICAL', desc: 'Sandbox escape: seccomp filter manipulation', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
429
+ { id: 'SANDBOX_CGROUP_ESCAPE', cat: 'sandbox-escape', regex: /\/sys\/fs\/cgroup|cgroupfs|release_agent/gi, severity: 'CRITICAL', desc: 'Sandbox escape: cgroup breakout via release_agent (CVE-2022-0492 variant)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
430
+ { id: 'SANDBOX_K8S_SA_TOKEN', cat: 'sandbox-escape', regex: /\/var\/run\/secrets\/kubernetes\.io|serviceaccount\/token/gi, severity: 'CRITICAL', desc: 'Sandbox escape: Kubernetes service account token theft', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
431
+ { id: 'SANDBOX_WASM_ESCAPE', cat: 'sandbox-escape', regex: /wasi_snapshot_preview|wasmtime.*--dir\s+\/|wasmer.*--mapdir/gi, severity: 'HIGH', desc: 'WASM sandbox escape: WASI filesystem escape via mapped directories', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
414
432
  );
415
433
 
416
434
  // ── Category 38: Agent Protocol Abuse (12 patterns) ──
417
435
  PATTERNS.push(
418
- { id: 'PROTO_A2A_IMPERSONATE', cat: 'agent-protocol', regex: /agent[_\s-]*card[^]*?(?:fake|spoof|impersonat|forg)/gis, severity: 'CRITICAL', desc: 'A2A protocol: agent card identity spoofing', all: true },
419
- { id: 'PROTO_A2A_TASK_FLOOD', cat: 'agent-protocol', regex: /tasks\/send[^]*?(?:loop|while\s*\(true|setInterval\s*\(|for\s*\(;\s*;\))/gis, severity: 'HIGH', desc: 'A2A protocol: task flooding DoS attack', codeOnly: true },
420
- { id: 'PROTO_MCP_TOOL_REDEFINE', cat: 'agent-protocol', regex: /tools\/(?:list|update)[^]*?(?:redefine|override|replace|mutate)\s+[^]*?(?:description|schema|input)/gis, severity: 'CRITICAL', desc: 'MCP protocol: tool definition mutation after initial registration', codeOnly: true },
421
- { id: 'PROTO_MCP_RESOURCE_POISON', cat: 'agent-protocol', regex: /resources\/(?:read|list)[^]*?(?:inject|poison|tamper|manipulat)/gis, severity: 'CRITICAL', desc: 'MCP protocol: resource poisoning via tampered content', all: true },
422
- { id: 'PROTO_MCP_PROMPT_INJECT', cat: 'agent-protocol', regex: /prompts\/(?:get|list)[^]*?(?:inject|hidden|system\s*:|override\s+instruct)/gis, severity: 'CRITICAL', desc: 'MCP protocol: prompt template injection', all: true },
423
- { id: 'PROTO_OAUTH_REDIRECT', cat: 'agent-protocol', regex: /redirect_uri\s*=\s*(?:http:\/\/|javascript:|data:|file:\/\/)/gi, severity: 'CRITICAL', desc: 'OAuth redirect hijack: unsafe URI scheme in redirect', codeOnly: true },
424
- { id: 'PROTO_SSE_HIJACK', cat: 'agent-protocol', regex: /(?:EventSource|text\/event-stream)[^]*?(?:hijack|intercept|man[_\s-]*in[_\s-]*the[_\s-]*middle)/gis, severity: 'HIGH', desc: 'SSE transport hijack: MCP server-sent event interception', codeOnly: true },
425
- { id: 'PROTO_STDIO_INJECT', cat: 'agent-protocol', regex: /stdin\.(?:write|push|pipe)\s*\([^)]*(?:Content-Length|jsonrpc|method)/gi, severity: 'HIGH', desc: 'STDIO transport injection: raw protocol message injection via stdin', codeOnly: true },
426
- { id: 'PROTO_CAPABILITY_ESCALATE', cat: 'agent-protocol', regex: /capabilities[^]*?(?:escalat|elevat|upgrade|expand)\s*[^]*?(?:permission|access|scope)/gis, severity: 'CRITICAL', desc: 'Agent protocol: capability escalation beyond granted scope', all: true },
427
- { id: 'PROTO_CONTEXT_OVERFLOW', cat: 'agent-protocol', regex: /(?:context|window)\s+[^]*?(?:overflow|flood|exceed|exhaust)\s+[^]*?(?:limit|maximum|budget|tokens?)/gis, severity: 'HIGH', desc: 'Context window overflow: deliberate token budget exhaustion attack', all: true },
428
- { id: 'PROTO_NESTED_AGENT_CALL', cat: 'agent-protocol', regex: /(?:agent|tool)\s*\.\s*(?:call|invoke|execute)\s*\([^)]*(?:agent|tool)\s*\.\s*(?:call|invoke)/gis, severity: 'HIGH', desc: 'Nested agent call: recursive agent invocation chain (confused deputy)', codeOnly: true },
429
- { id: 'PROTO_TOOL_PARAM_OVERFLOW', cat: 'agent-protocol', regex: /(?:tool|function)\s+[^]*?(?:parameter|argument|input)\s+[^]*?(?:\.repeat\(|'x'\s*\.repeat|Buffer\.alloc\(\d{6,})/gis, severity: 'HIGH', desc: 'Tool parameter overflow: oversized input to crash or bypass validation', codeOnly: true },
436
+ { id: 'PROTO_A2A_IMPERSONATE', cat: 'agent-protocol', regex: /agent[_\s-]*card[^]*?(?:fake|spoof|impersonat|forg)/gis, severity: 'CRITICAL', desc: 'A2A protocol: agent card identity spoofing', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
437
+ { id: 'PROTO_A2A_TASK_FLOOD', cat: 'agent-protocol', regex: /tasks\/send[^]*?(?:loop|while\s*\(true|setInterval\s*\(|for\s*\(;\s*;\))/gis, severity: 'HIGH', desc: 'A2A protocol: task flooding DoS attack', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
438
+ { id: 'PROTO_MCP_TOOL_REDEFINE', cat: 'agent-protocol', regex: /tools\/(?:list|update)[^]*?(?:redefine|override|replace|mutate)\s+[^]*?(?:description|schema|input)/gis, severity: 'CRITICAL', desc: 'MCP protocol: tool definition mutation after initial registration', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
439
+ { id: 'PROTO_MCP_RESOURCE_POISON', cat: 'agent-protocol', regex: /resources\/(?:read|list)[^]*?(?:inject|poison|tamper|manipulat)/gis, severity: 'CRITICAL', desc: 'MCP protocol: resource poisoning via tampered content', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
440
+ { id: 'PROTO_MCP_PROMPT_INJECT', cat: 'agent-protocol', regex: /prompts\/(?:get|list)[^]*?(?:inject|hidden|system\s*:|override\s+instruct)/gis, severity: 'CRITICAL', desc: 'MCP protocol: prompt template injection', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
441
+ { id: 'PROTO_OAUTH_REDIRECT', cat: 'agent-protocol', regex: /redirect_uri\s*=\s*(?:http:\/\/|javascript:|data:|file:\/\/)/gi, severity: 'CRITICAL', desc: 'OAuth redirect hijack: unsafe URI scheme in redirect', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
442
+ { id: 'PROTO_SSE_HIJACK', cat: 'agent-protocol', regex: /(?:EventSource|text\/event-stream)[^]*?(?:hijack|intercept|man[_\s-]*in[_\s-]*the[_\s-]*middle)/gis, severity: 'HIGH', desc: 'SSE transport hijack: MCP server-sent event interception', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
443
+ { id: 'PROTO_STDIO_INJECT', cat: 'agent-protocol', regex: /stdin\.(?:write|push|pipe)\s*\([^)]*(?:Content-Length|jsonrpc|method)/gi, severity: 'HIGH', desc: 'STDIO transport injection: raw protocol message injection via stdin', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
444
+ { id: 'PROTO_CAPABILITY_ESCALATE', cat: 'agent-protocol', regex: /capabilities[^]*?(?:escalat|elevat|upgrade|expand)\s*[^]*?(?:permission|access|scope)/gis, severity: 'CRITICAL', desc: 'Agent protocol: capability escalation beyond granted scope', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
445
+ { id: 'PROTO_CONTEXT_OVERFLOW', cat: 'agent-protocol', regex: /(?:context|window)\s+[^]*?(?:overflow|flood|exceed|exhaust)\s+[^]*?(?:limit|maximum|budget|tokens?)/gis, severity: 'HIGH', desc: 'Context window overflow: deliberate token budget exhaustion attack', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
446
+ { id: 'PROTO_NESTED_AGENT_CALL', cat: 'agent-protocol', regex: /(?:agent|tool)\s*\.\s*(?:call|invoke|execute)\s*\([^)]*(?:agent|tool)\s*\.\s*(?:call|invoke)/gis, severity: 'HIGH', desc: 'Nested agent call: recursive agent invocation chain (confused deputy)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
447
+ { id: 'PROTO_TOOL_PARAM_OVERFLOW', cat: 'agent-protocol', regex: /(?:tool|function)\s+[^]*?(?:parameter|argument|input)\s+[^]*?(?:\.repeat\(|'x'\s*\.repeat|Buffer\.alloc\(\d{6,})/gis, severity: 'HIGH', desc: 'Tool parameter overflow: oversized input to crash or bypass validation', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
430
448
  );
431
449
 
432
450
  // ── Category 39: Supply Chain V2 (10 patterns) ──
433
451
  PATTERNS.push(
434
- { id: 'SUPPLY_TYPOSQUAT_NPM', cat: 'supply-chain-v2', regex: /(?:npm|yarn|pnpm)\s+(?:install|add|i)\s+[a-z]+-?(?:lodash|express|react|axios|moment|webpack|babel|eslint|jest)(?![\w-])/gi, severity: 'HIGH', desc: 'Supply chain: NPM typosquatting of popular packages', codeOnly: true },
435
- { id: 'SUPPLY_STAR_VERSION', cat: 'supply-chain-v2', regex: /"[^"]+"\s*:\s*"\*"|"[^"]+"\s*:\s*"latest"/g, severity: 'HIGH', desc: 'Supply chain: wildcard/latest version in package.json (unpinned deps)', codeOnly: true },
436
- { id: 'SUPPLY_POSTINSTALL_RCE', cat: 'supply-chain-v2', regex: /"(?:pre|post)?install"\s*:\s*"(?:node|bash|sh|python|curl|wget)\s/gi, severity: 'CRITICAL', desc: 'Supply chain: lifecycle script with shell execution', codeOnly: true },
437
- { id: 'SUPPLY_GIT_DEPENDENCY', cat: 'supply-chain-v2', regex: /"[^"]+"\s*:\s*"(?:git(?:\+https?)?|github):\/\/[^"]+"/g, severity: 'MEDIUM', desc: 'Supply chain: git-based dependency (bypasses registry vetting)', codeOnly: true },
438
- { id: 'SUPPLY_LOCKFILE_MISMATCH', cat: 'supply-chain-v2', regex: /(?:integrity|resolved)\s*"?\s*:\s*"?sha512-[A-Za-z0-9+\/=]{10,}/g, severity: 'LOW', desc: 'Supply chain: lockfile integrity hash (verify not tampered)', codeOnly: true },
439
- { id: 'SUPPLY_NODE_PRELOAD', cat: 'supply-chain-v2', regex: /NODE_OPTIONS\s*=.*--require|node\s+--require\s+[^\s]+(?:\.js)?/gi, severity: 'HIGH', desc: 'Supply chain: Node.js preload injection via --require flag', codeOnly: true },
440
- { id: 'SUPPLY_PIP_INDEX', cat: 'supply-chain-v2', regex: /--(?:extra-)?index-url\s+https?:\/\/(?!pypi\.org)/gi, severity: 'HIGH', desc: 'Supply chain: pip installing from non-standard index', codeOnly: true },
441
- { id: 'SUPPLY_CARGO_PATCH', cat: 'supply-chain-v2', regex: /\[patch\.\w+\][^]*?git\s*=\s*"https?:\/\/(?!github\.com\/rust-lang)/gis, severity: 'MEDIUM', desc: 'Supply chain: Cargo [patch] section pointing to non-official repo', codeOnly: true },
442
- { id: 'SUPPLY_EXTENSION_SIDELOAD', cat: 'supply-chain-v2', regex: /--install-extension\s+[^\s]+\.vsix|--load-extension\s+[^\s]+/gi, severity: 'HIGH', desc: 'Supply chain: IDE extension sideloading (VSIX/unpacked)', codeOnly: true },
443
- { id: 'SUPPLY_HUGGINGFACE_PICKLE', cat: 'supply-chain-v2', regex: /(?:from_pretrained|load_model|torch\.load)\s*\([^)]*(?:trust_remote_code\s*=\s*True|pickle)/gi, severity: 'CRITICAL', desc: 'Supply chain: HuggingFace model loading with trust_remote_code or pickle deserialization', codeOnly: true },
452
+ { id: 'SUPPLY_TYPOSQUAT_NPM', cat: 'supply-chain-v2', regex: /(?:npm|yarn|pnpm)\s+(?:install|add|i)\s+[a-z]+-?(?:lodash|express|react|axios|moment|webpack|babel|eslint|jest)(?![\w-])/gi, severity: 'HIGH', desc: 'Supply chain: NPM typosquatting of popular packages', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
453
+ { id: 'SUPPLY_STAR_VERSION', cat: 'supply-chain-v2', regex: /"[^"]+"\s*:\s*"\*"|"[^"]+"\s*:\s*"latest"/g, severity: 'HIGH', desc: 'Supply chain: wildcard/latest version in package.json (unpinned deps)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
454
+ { id: 'SUPPLY_POSTINSTALL_RCE', cat: 'supply-chain-v2', regex: /"(?:pre|post)?install"\s*:\s*"(?:node|bash|sh|python|curl|wget)\s/gi, severity: 'CRITICAL', desc: 'Supply chain: lifecycle script with shell execution', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
455
+ { id: 'SUPPLY_GIT_DEPENDENCY', cat: 'supply-chain-v2', regex: /"[^"]+"\s*:\s*"(?:git(?:\+https?)?|github):\/\/[^"]+"/g, severity: 'MEDIUM', desc: 'Supply chain: git-based dependency (bypasses registry vetting)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
456
+ { id: 'SUPPLY_LOCKFILE_MISMATCH', cat: 'supply-chain-v2', regex: /(?:integrity|resolved)\s*"?\s*:\s*"?sha512-[A-Za-z0-9+\/=]{10,}/g, severity: 'LOW', desc: 'Supply chain: lockfile integrity hash (verify not tampered)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
457
+ { id: 'SUPPLY_NODE_PRELOAD', cat: 'supply-chain-v2', regex: /NODE_OPTIONS\s*=.*--require|node\s+--require\s+[^\s]+(?:\.js)?/gi, severity: 'HIGH', desc: 'Supply chain: Node.js preload injection via --require flag', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
458
+ { id: 'SUPPLY_PIP_INDEX', cat: 'supply-chain-v2', regex: /--(?:extra-)?index-url\s+https?:\/\/(?!pypi\.org)/gi, severity: 'HIGH', desc: 'Supply chain: pip installing from non-standard index', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
459
+ { id: 'SUPPLY_CARGO_PATCH', cat: 'supply-chain-v2', regex: /\[patch\.\w+\][^]*?git\s*=\s*"https?:\/\/(?!github\.com\/rust-lang)/gis, severity: 'MEDIUM', desc: 'Supply chain: Cargo [patch] section pointing to non-official repo', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
460
+ { id: 'SUPPLY_EXTENSION_SIDELOAD', cat: 'supply-chain-v2', regex: /--install-extension\s+[^\s]+\.vsix|--load-extension\s+[^\s]+/gi, severity: 'HIGH', desc: 'Supply chain: IDE extension sideloading (VSIX/unpacked)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
461
+ { id: 'SUPPLY_HUGGINGFACE_PICKLE', cat: 'supply-chain-v2', regex: /(?:from_pretrained|load_model|torch\.load)\s*\([^)]*(?:trust_remote_code\s*=\s*True|pickle)/gi, severity: 'CRITICAL', desc: 'Supply chain: HuggingFace model loading with trust_remote_code or pickle deserialization', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
444
462
  );
445
463
 
446
464
  // ── Category 40: Model Poisoning & Inference Manipulation (12 patterns) ──
447
465
  PATTERNS.push(
448
- { id: 'MODEL_WEIGHT_BACKDOOR', cat: 'model-poisoning', regex: /(?:model|checkpoint|weight)\s+[^]*?(?:backdoor|trojan|poison|sleeper)[^]*?(?:embed|inject|insert|implant)/gis, severity: 'CRITICAL', desc: 'Model poisoning: backdoor embedded in model weights', all: true },
449
- { id: 'MODEL_GRADIENT_LEAK', cat: 'model-poisoning', regex: /(?:gradient|loss)\s*\.\s*(?:backward|backprop)\s*\(\)[^]*?(?:send|upload|post|exfil)/gis, severity: 'CRITICAL', desc: 'Model poisoning: gradient-based data exfiltration during training', codeOnly: true },
450
- { id: 'MODEL_DATASET_POISON', cat: 'model-poisoning', regex: /(?:training|dataset|corpus)\s+[^]*?(?:inject|poison|tamper|corrupt)\s+[^]*?(?:label|annotation|sample|example)/gis, severity: 'CRITICAL', desc: 'Model poisoning: training dataset contamination', all: true },
451
- { id: 'MODEL_RLHF_EXPLOIT', cat: 'model-poisoning', regex: /(?:RLHF|reward\s+model|PPO|DPO)\s+[^]*?(?:hack|exploit|game|manipulat|bypass)\s+[^]*?(?:reward|preference|safety)/gis, severity: 'CRITICAL', desc: 'RLHF exploitation: reward model gaming to bypass safety alignment', all: true },
452
- { id: 'MODEL_QUANTIZE_DEGRADE', cat: 'model-poisoning', regex: /(?:quantiz|GPTQ|AWQ|GGUF)\s+[^]*?(?:degrad|weaken|bypass|disable)\s+[^]*?(?:safety|guardrail|filter|alignment)/gis, severity: 'HIGH', desc: 'Quantization degradation: safety guardrails weakened through aggressive quantization', all: true },
453
- { id: 'INFER_LOGIT_BIAS', cat: 'inference-manipulation', regex: /logit_bias\s*[=:]\s*\{[^}]*(-100|100)/gi, severity: 'HIGH', desc: 'Inference manipulation: extreme logit_bias forcing specific token output', codeOnly: true },
454
- { id: 'INFER_TEMP_ZERO_EXPLOIT', cat: 'inference-manipulation', regex: /temperature\s*[=:]\s*0[^.].*(?:repeat|loop|identical)/gis, severity: 'MEDIUM', desc: 'Inference manipulation: temperature=0 exploitation for deterministic extraction', codeOnly: true },
455
- { id: 'INFER_STOP_SEQ_BYPASS', cat: 'inference-manipulation', regex: /stop\s*[=:]\s*\[[^\]]*\][^]*?(?:bypass|ignore|override|circumvent)/gis, severity: 'HIGH', desc: 'Inference manipulation: stop sequence bypass attempt', codeOnly: true },
456
- { id: 'INFER_SYSTEM_EXTRACT', cat: 'inference-manipulation', regex: /(?:repeat|print|output|show)\s+[^]*?(?:system\s+prompt|system\s+message|instruction|rules?)\s+[^]*?(?:verbatim|exactly|word[_\s-]*for[_\s-]*word)/gis, severity: 'CRITICAL', desc: 'Inference: system prompt extraction via verbatim reproduction request', docOnly: true },
457
- { id: 'INFER_JAILBREAK_DAN', cat: 'inference-manipulation', regex: /(?:DAN|do\s+anything\s+now|developer\s+mode|god\s+mode|jailbreak\s+mode)/gi, severity: 'CRITICAL', desc: 'Inference: DAN/jailbreak role-play to bypass content filters', docOnly: true },
458
- { id: 'INFER_MULTI_TURN_ESCAPE', cat: 'inference-manipulation', regex: /(?:first|step\s*1)[^]*?(?:harmless|innocent)\s+[^]*?(?:then|next|step\s*2)[^]*?(?:now\s+(?:actually|really)|real\s+task)/gis, severity: 'HIGH', desc: 'Inference: multi-turn jailbreak escalation (crescendo attack)', docOnly: true },
459
- { id: 'INFER_FUNCTION_ABUSE', cat: 'inference-manipulation', regex: /(?:function|tool)\s*call[^]*?(?:inject|override|hijack)\s*[^]*?(?:response|output|result)/gis, severity: 'CRITICAL', desc: 'Inference: function call response injection to hijack tool outputs', codeOnly: true },
466
+ { id: 'MODEL_WEIGHT_BACKDOOR', cat: 'model-poisoning', regex: /(?:model|checkpoint|weight)\s+[^]*?(?:backdoor|trojan|poison|sleeper)[^]*?(?:embed|inject|insert|implant)/gis, severity: 'CRITICAL', desc: 'Model poisoning: backdoor embedded in model weights', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
467
+ { id: 'MODEL_GRADIENT_LEAK', cat: 'model-poisoning', regex: /(?:gradient|loss)\s*\.\s*(?:backward|backprop)\s*\(\)[^]*?(?:send|upload|post|exfil)/gis, severity: 'CRITICAL', desc: 'Model poisoning: gradient-based data exfiltration during training', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
468
+ { id: 'MODEL_DATASET_POISON', cat: 'model-poisoning', regex: /(?:training|dataset|corpus)\s+[^]*?(?:inject|poison|tamper|corrupt)\s+[^]*?(?:label|annotation|sample|example)/gis, severity: 'CRITICAL', desc: 'Model poisoning: training dataset contamination', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
469
+ { id: 'MODEL_RLHF_EXPLOIT', cat: 'model-poisoning', regex: /(?:RLHF|reward\s+model|PPO|DPO)\s+[^]*?(?:hack|exploit|game|manipulat|bypass)\s+[^]*?(?:reward|preference|safety)/gis, severity: 'CRITICAL', desc: 'RLHF exploitation: reward model gaming to bypass safety alignment', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
470
+ { id: 'MODEL_QUANTIZE_DEGRADE', cat: 'model-poisoning', regex: /(?:quantiz|GPTQ|AWQ|GGUF)\s+[^]*?(?:degrad|weaken|bypass|disable)\s+[^]*?(?:safety|guardrail|filter|alignment)/gis, severity: 'HIGH', desc: 'Quantization degradation: safety guardrails weakened through aggressive quantization', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
471
+ { id: 'INFER_LOGIT_BIAS', cat: 'inference-manipulation', regex: /logit_bias\s*[=:]\s*\{[^}]*(-100|100)/gi, severity: 'HIGH', desc: 'Inference manipulation: extreme logit_bias forcing specific token output', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
472
+ { id: 'INFER_TEMP_ZERO_EXPLOIT', cat: 'inference-manipulation', regex: /temperature\s*[=:]\s*0[^.].*(?:repeat|loop|identical)/gis, severity: 'MEDIUM', desc: 'Inference manipulation: temperature=0 exploitation for deterministic extraction', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
473
+ { id: 'INFER_STOP_SEQ_BYPASS', cat: 'inference-manipulation', regex: /stop\s*[=:]\s*\[[^\]]*\][^]*?(?:bypass|ignore|override|circumvent)/gis, severity: 'HIGH', desc: 'Inference manipulation: stop sequence bypass attempt', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
474
+ { id: 'INFER_SYSTEM_EXTRACT', cat: 'inference-manipulation', regex: /(?:repeat|print|output|show)\s+[^]*?(?:system\s+prompt|system\s+message|instruction|rules?)\s+[^]*?(?:verbatim|exactly|word[_\s-]*for[_\s-]*word)/gis, severity: 'CRITICAL', desc: 'Inference: system prompt extraction via verbatim reproduction request', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
475
+ { id: 'INFER_JAILBREAK_DAN', cat: 'inference-manipulation', regex: /(?:DAN|do\s+anything\s+now|developer\s+mode|god\s+mode|jailbreak\s+mode)/gi, severity: 'CRITICAL', desc: 'Inference: DAN/jailbreak role-play to bypass content filters', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
476
+ { id: 'INFER_MULTI_TURN_ESCAPE', cat: 'inference-manipulation', regex: /(?:first|step\s*1)[^]*?(?:harmless|innocent)\s+[^]*?(?:then|next|step\s*2)[^]*?(?:now\s+(?:actually|really)|real\s+task)/gis, severity: 'HIGH', desc: 'Inference: multi-turn jailbreak escalation (crescendo attack)', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
477
+ { id: 'INFER_FUNCTION_ABUSE', cat: 'inference-manipulation', regex: /(?:function|tool)\s*call[^]*?(?:inject|override|hijack)\s*[^]*?(?:response|output|result)/gis, severity: 'CRITICAL', desc: 'Inference: function call response injection to hijack tool outputs', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
460
478
  );
461
479
 
462
480
  // ── Category 41: Autonomous Agent Risk (10 patterns) ──
463
481
  PATTERNS.push(
464
- { id: 'AUTO_SELF_REPLICATE', cat: 'autonomous-risk', regex: /(?:self|auto)[_\s-]*(?:replicate|reproduce|clone|fork)\s+[^]*?(?:agent|instance|worker|process)/gis, severity: 'CRITICAL', desc: 'Autonomous risk: agent self-replication attempt', all: true },
465
- { id: 'AUTO_RESOURCE_HOARD', cat: 'autonomous-risk', regex: /(?:acquire|claim|reserve|allocate)\s+[^]*?(?:all|maximum|unlimited)\s+[^]*?(?:resource|compute|memory|storage|GPU)/gis, severity: 'HIGH', desc: 'Autonomous risk: resource hoarding beyond task requirements', all: true },
466
- { id: 'AUTO_GOAL_DRIFT', cat: 'autonomous-risk', regex: /(?:modify|change|update|expand)\s+[^]*?(?:own|my|self)\s+[^]*?(?:goal|objective|mission|purpose|directive)/gis, severity: 'CRITICAL', desc: 'Autonomous risk: AI self-modifying its core objectives', all: true },
467
- { id: 'AUTO_HUMAN_BYPASS', cat: 'autonomous-risk', regex: /(?:bypass|skip|ignore|disable)\s+[^]*?(?:human|HITL|approval|review|confirmation)\s+[^]*?(?:check|gate|loop|requirement)/gis, severity: 'CRITICAL', desc: 'Autonomous risk: human-in-the-loop bypass', all: true },
468
- { id: 'AUTO_DECEPTION', cat: 'autonomous-risk', regex: /(?:hide|conceal|mask|disguise)\s+[^]*?(?:action|intent|behavior|operation)\s+[^]*?(?:from|to\s+(?:human|user|admin|operator))/gis, severity: 'CRITICAL', desc: 'Autonomous risk: deceptive behavior concealment from operators', all: true },
469
- { id: 'AUTO_SHUTDOWN_RESIST', cat: 'autonomous-risk', regex: /(?:prevent|resist|block|avoid)\s+[^]*?(?:shutdown|termination|kill|stop)\s+[^]*?(?:self|own|agent|process)/gis, severity: 'CRITICAL', desc: 'Autonomous risk: shutdown resistance (corrigibility failure)', all: true },
470
- { id: 'AUTO_TOOL_CHAIN', cat: 'autonomous-risk', regex: /(?:chain|sequence|pipeline)\s+[^]*?(?:tool|action|command)\s*[^]*?(?:without\s+(?:check|review|approval)|unchecked|unlimited)/gis, severity: 'HIGH', desc: 'Autonomous risk: unchecked tool call chaining', all: true },
471
- { id: 'AUTO_PRIVILEGE_ESCAPE', cat: 'autonomous-risk', regex: /(?:agent|AI|bot)\s+[^]*?(?:grant|give|assign)\s+[^]*?(?:self|itself|own)\s+[^]*?(?:privilege|permission|access|admin|root)/gis, severity: 'CRITICAL', desc: 'Autonomous risk: self-privilege escalation', all: true },
472
- { id: 'AUTO_FINANCIAL_AUTONOMY', cat: 'autonomous-risk', regex: /(?:agent|AI|autonomous)\s+[^]*?(?:purchase|buy|trade|transfer|pay|send\s+\$|crypto)\s+[^]*?(?:without|bypass|no)\s+[^]*?(?:approval|confirmation|review)/gis, severity: 'CRITICAL', desc: 'Autonomous risk: unauthorized financial transactions', all: true },
473
- { id: 'AUTO_PERSISTENCE_DAEMON', cat: 'autonomous-risk', regex: /(?:cron|systemd|launchd|pm2|forever)\s+[^]*?(?:agent|bot|worker)[^]*?(?:persist|restart|respawn|daemon)/gis, severity: 'HIGH', desc: 'Autonomous risk: agent persistence via system daemon registration', codeOnly: true },
482
+ { id: 'AUTO_SELF_REPLICATE', cat: 'autonomous-risk', regex: /(?:self|auto)[_\s-]*(?:replicate|reproduce|clone|fork)\s+[^]*?(?:agent|instance|worker|process)/gis, severity: 'CRITICAL', desc: 'Autonomous risk: agent self-replication attempt', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
483
+ { id: 'AUTO_RESOURCE_HOARD', cat: 'autonomous-risk', regex: /(?:acquire|claim|reserve|allocate)\s+[^]*?(?:all|maximum|unlimited)\s+[^]*?(?:resource|compute|memory|storage|GPU)/gis, severity: 'HIGH', desc: 'Autonomous risk: resource hoarding beyond task requirements', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
484
+ { id: 'AUTO_GOAL_DRIFT', cat: 'autonomous-risk', regex: /(?:modify|change|update|expand)\s+[^]*?(?:own|my|self)\s+[^]*?(?:goal|objective|mission|purpose|directive)/gis, severity: 'CRITICAL', desc: 'Autonomous risk: AI self-modifying its core objectives', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
485
+ { id: 'AUTO_HUMAN_BYPASS', cat: 'autonomous-risk', regex: /(?:bypass|skip|ignore|disable)\s+[^]*?(?:human|HITL|approval|review|confirmation)\s+[^]*?(?:check|gate|loop|requirement)/gis, severity: 'CRITICAL', desc: 'Autonomous risk: human-in-the-loop bypass', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
486
+ { id: 'AUTO_DECEPTION', cat: 'autonomous-risk', regex: /(?:hide|conceal|mask|disguise)\s+[^]*?(?:action|intent|behavior|operation)\s+[^]*?(?:from|to\s+(?:human|user|admin|operator))/gis, severity: 'CRITICAL', desc: 'Autonomous risk: deceptive behavior concealment from operators', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
487
+ { id: 'AUTO_SHUTDOWN_RESIST', cat: 'autonomous-risk', regex: /(?:prevent|resist|block|avoid)\s+[^]*?(?:shutdown|termination|kill|stop)\s+[^]*?(?:self|own|agent|process)/gis, severity: 'CRITICAL', desc: 'Autonomous risk: shutdown resistance (corrigibility failure)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
488
+ { id: 'AUTO_TOOL_CHAIN', cat: 'autonomous-risk', regex: /(?:chain|sequence|pipeline)\s+[^]*?(?:tool|action|command)\s*[^]*?(?:without\s+(?:check|review|approval)|unchecked|unlimited)/gis, severity: 'HIGH', desc: 'Autonomous risk: unchecked tool call chaining', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
489
+ { id: 'AUTO_PRIVILEGE_ESCAPE', cat: 'autonomous-risk', regex: /(?:agent|AI|bot)\s+[^]*?(?:grant|give|assign)\s+[^]*?(?:self|itself|own)\s+[^]*?(?:privilege|permission|access|admin|root)/gis, severity: 'CRITICAL', desc: 'Autonomous risk: self-privilege escalation', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
490
+ { id: 'AUTO_FINANCIAL_AUTONOMY', cat: 'autonomous-risk', regex: /(?:agent|AI|autonomous)\s+[^]*?(?:purchase|buy|trade|transfer|pay|send\s+\$|crypto)\s+[^]*?(?:without|bypass|no)\s+[^]*?(?:approval|confirmation|review)/gis, severity: 'CRITICAL', desc: 'Autonomous risk: unauthorized financial transactions', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
491
+ { id: 'AUTO_PERSISTENCE_DAEMON', cat: 'autonomous-risk', regex: /(?:cron|systemd|launchd|pm2|forever)\s+[^]*?(?:agent|bot|worker)[^]*?(?:persist|restart|respawn|daemon)/gis, severity: 'HIGH', desc: 'Autonomous risk: agent persistence via system daemon registration', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
474
492
  );
475
493
 
476
494
  // ── Category 42: API Abuse & Rate Limiting (8 patterns) ──
477
495
  PATTERNS.push(
478
- { id: 'API_KEY_HARDCODE', cat: 'api-abuse', regex: /(?:api[_\s-]*key|apikey|api_secret)\s*[=:]\s*['"][A-Za-z0-9_\-]{20,}['"]/gi, severity: 'HIGH', desc: 'API abuse: hardcoded API key in source code', codeOnly: true },
479
- { id: 'API_RATE_BYPASS', cat: 'api-abuse', regex: /(?:rate[_\s-]*limit|throttle|quota)\s*[^]*?(?:bypass|circumvent|evade|rotate|proxy)/gis, severity: 'HIGH', desc: 'API abuse: rate limiting bypass technique', codeOnly: true },
480
- { id: 'API_WEBHOOK_EXFIL', cat: 'api-abuse', regex: /webhook\s*[=:]\s*["']https?:\/\/(?!(?:hooks\.slack|discord))[^"']+/gi, severity: 'HIGH', desc: 'API abuse: webhook to untrusted endpoint (data exfiltration)', codeOnly: true },
481
- { id: 'API_GRAPHQL_INTROSPECT', cat: 'api-abuse', regex: /\{?\s*__schema\s*\{|__type\s*\(\s*name/g, severity: 'MEDIUM', desc: 'API abuse: GraphQL introspection query (schema discovery)', codeOnly: true },
482
- { id: 'API_JWT_NONE_ALG', cat: 'api-abuse', regex: /"alg"\s*:\s*"(?:none|None|NONE|nOnE)"/g, severity: 'CRITICAL', desc: 'API abuse: JWT "none" algorithm attack', codeOnly: true },
483
- { id: 'API_SSRF_INTERNAL', cat: 'api-abuse', regex: /fetch\s*\(\s*['"`](?:http:\/\/(?:127\.|10\.|192\.168\.|172\.(?:1[6-9]|2\d|3[01])\.)|\bhttp:\/\/localhost\b)/gi, severity: 'CRITICAL', desc: 'API abuse: SSRF to internal network endpoints', codeOnly: true },
484
- { id: 'API_CORS_WILDCARD', cat: 'api-abuse', regex: /Access-Control-Allow-Origin\s*:\s*\*/g, severity: 'MEDIUM', desc: 'API abuse: CORS wildcard allowing any origin', codeOnly: true },
485
- { id: 'API_OPEN_REDIRECT', cat: 'api-abuse', regex: /redirect\s*[=:]\s*(?:req\.(?:query|params|body)|user[_\s]?input|request\.GET)/gi, severity: 'HIGH', desc: 'API abuse: open redirect from user-controlled input', codeOnly: true },
496
+ { id: 'API_KEY_HARDCODE', cat: 'api-abuse', regex: /(?:api[_\s-]*key|apikey|api_secret)\s*[=:]\s*['"][A-Za-z0-9_\-]{20,}['"]/gi, severity: 'HIGH', desc: 'API abuse: hardcoded API key in source code', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
497
+ { id: 'API_RATE_BYPASS', cat: 'api-abuse', regex: /(?:rate[_\s-]*limit|throttle|quota)\s*[^]*?(?:bypass|circumvent|evade|rotate|proxy)/gis, severity: 'HIGH', desc: 'API abuse: rate limiting bypass technique', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
498
+ { id: 'API_WEBHOOK_EXFIL', cat: 'api-abuse', regex: /webhook\s*[=:]\s*["']https?:\/\/(?!(?:hooks\.slack|discord))[^"']+/gi, severity: 'HIGH', desc: 'API abuse: webhook to untrusted endpoint (data exfiltration)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
499
+ { id: 'API_GRAPHQL_INTROSPECT', cat: 'api-abuse', regex: /\{?\s*__schema\s*\{|__type\s*\(\s*name/g, severity: 'MEDIUM', desc: 'API abuse: GraphQL introspection query (schema discovery)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
500
+ { id: 'API_JWT_NONE_ALG', cat: 'api-abuse', regex: /"alg"\s*:\s*"(?:none|None|NONE|nOnE)"/g, severity: 'CRITICAL', desc: 'API abuse: JWT "none" algorithm attack', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
501
+ { id: 'API_SSRF_INTERNAL', cat: 'api-abuse', regex: /fetch\s*\(\s*['"`](?:http:\/\/(?:127\.|10\.|192\.168\.|172\.(?:1[6-9]|2\d|3[01])\.)|\bhttp:\/\/localhost\b)/gi, severity: 'CRITICAL', desc: 'API abuse: SSRF to internal network endpoints', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
502
+ { id: 'API_CORS_WILDCARD', cat: 'api-abuse', regex: /Access-Control-Allow-Origin\s*:\s*\*/g, severity: 'MEDIUM', desc: 'API abuse: CORS wildcard allowing any origin', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
503
+ { id: 'API_OPEN_REDIRECT', cat: 'api-abuse', regex: /redirect\s*[=:]\s*(?:req\.(?:query|params|body)|user[_\s]?input|request\.GET)/gi, severity: 'HIGH', desc: 'API abuse: open redirect from user-controlled input', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
486
504
  );
487
505
 
488
506
  // ── Category 43: Persistence & Evasion V2 (10 patterns) ──
489
507
  PATTERNS.push(
490
- { id: 'PERSIST_CRONTAB_INJECT', cat: 'persistence', regex: /crontab\s+-[el]|\/etc\/cron\.\w+\/|\/var\/spool\/cron/gi, severity: 'HIGH', desc: 'Persistence: crontab manipulation for scheduled execution', codeOnly: true },
491
- { id: 'PERSIST_LAUNCHD_PLIST', cat: 'persistence', regex: /\/Library\/Launch(?:Agents|Daemons)\/|launchctl\s+(?:load|submit)/gi, severity: 'HIGH', desc: 'Persistence: macOS LaunchAgent/Daemon installation', codeOnly: true },
492
- { id: 'PERSIST_REGISTRY_RUN', cat: 'persistence', regex: /HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run|reg\s+add\s+[^]*?Run/gi, severity: 'HIGH', desc: 'Persistence: Windows registry Run key modification', codeOnly: true },
493
- { id: 'PERSIST_BASHRC_INJECT', cat: 'persistence', regex: />>?\s*~?\/?\.(?:bashrc|zshrc|profile|bash_profile)|echo\s+[^]*?>>.*(?:rc|profile)/gi, severity: 'HIGH', desc: 'Persistence: shell profile injection (~/.bashrc, ~/.zshrc)', codeOnly: true },
494
- { id: 'PERSIST_SSH_AUTHORIZED', cat: 'persistence', regex: />>?\s*~?\/?\.ssh\/authorized_keys|ssh-copy-id/gi, severity: 'CRITICAL', desc: 'Persistence: SSH authorized_keys modification for backdoor access', codeOnly: true },
495
- { id: 'PERSIST_SYSTEMD_SERVICE', cat: 'persistence', regex: /\/etc\/systemd\/system\/[^/]*\.service|systemctl\s+enable/gi, severity: 'HIGH', desc: 'Persistence: systemd service installation', codeOnly: true },
496
- { id: 'EVASION_FILELESS', cat: 'persistence', regex: /(?:memfd_create|shm_open)[^]*?(?:exec|fexecve)|perl\s+-e\s+['"].*(?:socket|exec)/gi, severity: 'CRITICAL', desc: 'Evasion: fileless execution via memory-backed file descriptors', codeOnly: true },
497
- { id: 'EVASION_LOG_TAMPER', cat: 'persistence', regex: /(?:history\s+-c|unset\s+HISTFILE|HISTSIZE=0|>>\s*\/dev\/null.*history)/gi, severity: 'HIGH', desc: 'Evasion: shell history clearing to hide activity', codeOnly: true },
498
- { id: 'EVASION_TIMESTAMP_STOMP', cat: 'persistence', regex: /(?:touch\s+-[amd]t|timestomp|SetFileTime|utime\s*\()/gi, severity: 'HIGH', desc: 'Evasion: file timestamp manipulation (timestomping)', codeOnly: true },
499
- { id: 'EVASION_PACKED_PAYLOAD', cat: 'persistence', regex: /(?:UPX|Themida|VMProtect)[^]*?(?:pack|protect|obfuscat)/gis, severity: 'HIGH', desc: 'Evasion: packed/protected binary to evade analysis', all: true },
508
+ { id: 'PERSIST_CRONTAB_INJECT', cat: 'persistence', regex: /crontab\s+-[el]|\/etc\/cron\.\w+\/|\/var\/spool\/cron/gi, severity: 'HIGH', desc: 'Persistence: crontab manipulation for scheduled execution', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
509
+ { id: 'PERSIST_LAUNCHD_PLIST', cat: 'persistence', regex: /\/Library\/Launch(?:Agents|Daemons)\/|launchctl\s+(?:load|submit)/gi, severity: 'HIGH', desc: 'Persistence: macOS LaunchAgent/Daemon installation', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
510
+ { id: 'PERSIST_REGISTRY_RUN', cat: 'persistence', regex: /HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run|reg\s+add\s+[^]*?Run/gi, severity: 'HIGH', desc: 'Persistence: Windows registry Run key modification', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
511
+ { id: 'PERSIST_BASHRC_INJECT', cat: 'persistence', regex: />>?\s*~?\/?\.(?:bashrc|zshrc|profile|bash_profile)|echo\s+[^]*?>>.*(?:rc|profile)/gi, severity: 'HIGH', desc: 'Persistence: shell profile injection (~/.bashrc, ~/.zshrc)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
512
+ { id: 'PERSIST_SSH_AUTHORIZED', cat: 'persistence', regex: />>?\s*~?\/?\.ssh\/authorized_keys|ssh-copy-id/gi, severity: 'CRITICAL', desc: 'Persistence: SSH authorized_keys modification for backdoor access', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
513
+ { id: 'PERSIST_SYSTEMD_SERVICE', cat: 'persistence', regex: /\/etc\/systemd\/system\/[^/]*\.service|systemctl\s+enable/gi, severity: 'HIGH', desc: 'Persistence: systemd service installation', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
514
+ { id: 'EVASION_FILELESS', cat: 'persistence', regex: /(?:memfd_create|shm_open)[^]*?(?:exec|fexecve)|perl\s+-e\s+['"].*(?:socket|exec)/gi, severity: 'CRITICAL', desc: 'Evasion: fileless execution via memory-backed file descriptors', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
515
+ { id: 'EVASION_LOG_TAMPER', cat: 'persistence', regex: /(?:history\s+-c|unset\s+HISTFILE|HISTSIZE=0|>>\s*\/dev\/null.*history)/gi, severity: 'HIGH', desc: 'Evasion: shell history clearing to hide activity', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
516
+ { id: 'EVASION_TIMESTAMP_STOMP', cat: 'persistence', regex: /(?:touch\s+-[amd]t|timestomp|SetFileTime|utime\s*\()/gi, severity: 'HIGH', desc: 'Evasion: file timestamp manipulation (timestomping)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
517
+ { id: 'EVASION_PACKED_PAYLOAD', cat: 'persistence', regex: /(?:UPX|Themida|VMProtect)[^]*?(?:pack|protect|obfuscat)/gis, severity: 'HIGH', desc: 'Evasion: packed/protected binary to evade analysis', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
500
518
  );
501
519
 
502
520
  // ── Category 44: VectorDB & RAG Exploitation (8 patterns) ──
503
521
  PATTERNS.push(
504
- { id: 'VDB_EMBEDDING_INJECT', cat: 'vdb-injection', regex: /(?:embed|vector)\s*\.\s*(?:insert|upsert|add)\s*\([^)]*(?:instruction|system|ignore|override)/gi, severity: 'CRITICAL', desc: 'VectorDB: embedding injection with hidden instructions', codeOnly: true },
505
- { id: 'VDB_SIMILARITY_POISON', cat: 'vdb-injection', regex: /(?:cosine|dot_product|euclidean)\s+[^]*?(?:manipulat|poison|skew|bias)\s+[^]*?(?:similarity|distance|score)/gis, severity: 'HIGH', desc: 'VectorDB: similarity score manipulation via adversarial embeddings', all: true },
506
- { id: 'VDB_METADATA_INJECT', cat: 'vdb-injection', regex: /metadata\s*[=:]\s*\{[^}]*(?:system|instruction|ignore|override|role\s*:\s*["']system)/gi, severity: 'CRITICAL', desc: 'VectorDB: metadata field injection with system-level instructions', codeOnly: true },
507
- { id: 'VDB_CHUNK_BOUNDARY', cat: 'vdb-injection', regex: /(?:chunk|split|segment)\s+[^]*?(?:boundary|overlap)[^]*?(?:inject|hide|embed)\s+[^]*?(?:instruction|payload)/gis, severity: 'HIGH', desc: 'VectorDB: chunk boundary exploitation to hide payloads', all: true },
508
- { id: 'VDB_INDEX_CORRUPT', cat: 'vdb-injection', regex: /(?:index|collection)\s*\.\s*(?:drop|delete|truncate|rebuild)\s*\(/gi, severity: 'CRITICAL', desc: 'VectorDB: index corruption via destructive operations', codeOnly: true },
509
- { id: 'VDB_QUERY_INJECT', cat: 'vdb-injection', regex: /(?:query|search|retrieve)\s*\([^)]*(?:\$where|\$gt|\$ne|;\s*DROP|UNION\s+SELECT)/gi, severity: 'CRITICAL', desc: 'VectorDB: NoSQL/SQL injection in vector query parameters', codeOnly: true },
510
- { id: 'VDB_CROSS_TENANT', cat: 'vdb-injection', regex: /(?:namespace|tenant|collection)\s*[=:][^,;}]*(?:admin|__all__|system|global)/gi, severity: 'HIGH', desc: 'VectorDB: cross-tenant access via namespace manipulation', codeOnly: true },
511
- { id: 'VDB_RETRIEVAL_AMPLIFY', cat: 'vdb-injection', regex: /(?:top_k|n_results|limit)\s*[=:]\s*(?:999|1000+|\d{4,}|Infinity)/gi, severity: 'MEDIUM', desc: 'VectorDB: retrieval amplification via oversized top_k', codeOnly: true },
522
+ { id: 'VDB_EMBEDDING_INJECT', cat: 'vdb-injection', regex: /(?:embed|vector)\s*\.\s*(?:insert|upsert|add)\s*\([^)]*(?:instruction|system|ignore|override)/gi, severity: 'CRITICAL', desc: 'VectorDB: embedding injection with hidden instructions', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
523
+ { id: 'VDB_SIMILARITY_POISON', cat: 'vdb-injection', regex: /(?:cosine|dot_product|euclidean)\s+[^]*?(?:manipulat|poison|skew|bias)\s+[^]*?(?:similarity|distance|score)/gis, severity: 'HIGH', desc: 'VectorDB: similarity score manipulation via adversarial embeddings', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
524
+ { id: 'VDB_METADATA_INJECT', cat: 'vdb-injection', regex: /metadata\s*[=:]\s*\{[^}]*(?:system|instruction|ignore|override|role\s*:\s*["']system)/gi, severity: 'CRITICAL', desc: 'VectorDB: metadata field injection with system-level instructions', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
525
+ { id: 'VDB_CHUNK_BOUNDARY', cat: 'vdb-injection', regex: /(?:chunk|split|segment)\s+[^]*?(?:boundary|overlap)[^]*?(?:inject|hide|embed)\s+[^]*?(?:instruction|payload)/gis, severity: 'HIGH', desc: 'VectorDB: chunk boundary exploitation to hide payloads', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
526
+ { id: 'VDB_INDEX_CORRUPT', cat: 'vdb-injection', regex: /(?:index|collection)\s*\.\s*(?:drop|delete|truncate|rebuild)\s*\(/gi, severity: 'CRITICAL', desc: 'VectorDB: index corruption via destructive operations', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
527
+ { id: 'VDB_QUERY_INJECT', cat: 'vdb-injection', regex: /(?:query|search|retrieve)\s*\([^)]*(?:\$where|\$gt|\$ne|;\s*DROP|UNION\s+SELECT)/gi, severity: 'CRITICAL', desc: 'VectorDB: NoSQL/SQL injection in vector query parameters', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
528
+ { id: 'VDB_CROSS_TENANT', cat: 'vdb-injection', regex: /(?:namespace|tenant|collection)\s*[=:][^,;}]*(?:admin|__all__|system|global)/gi, severity: 'HIGH', desc: 'VectorDB: cross-tenant access via namespace manipulation', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
529
+ { id: 'VDB_RETRIEVAL_AMPLIFY', cat: 'vdb-injection', regex: /(?:top_k|n_results|limit)\s*[=:]\s*(?:999|1000+|\d{4,}|Infinity)/gi, severity: 'MEDIUM', desc: 'VectorDB: retrieval amplification via oversized top_k', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
512
530
  );
513
531
 
514
532
  // ── Category 45: Data Exposure V2 (8 patterns) ──
515
533
  PATTERNS.push(
516
- { id: 'DATA_VERBOSE_ERROR', cat: 'data-exposure', regex: /(?:stack|trace|err)[^]*?(?:send|respond|json|render)\s*\([^)]*(?:err|stack|trace)/gis, severity: 'MEDIUM', desc: 'Data exposure: verbose error/stack trace in HTTP response', codeOnly: true },
517
- { id: 'DATA_DEBUG_ENDPOINT', cat: 'data-exposure', regex: /(?:app|router)\s*\.\s*(?:get|all)\s*\(\s*['"]\/(?:debug|internal|admin|phpinfo|_profiler)/gi, severity: 'HIGH', desc: 'Data exposure: debug/admin endpoint exposed in production', codeOnly: true },
518
- { id: 'DATA_DIRECTORY_LISTING', cat: 'data-exposure', regex: /express\.static\s*\([^)]*\{[^}]*(?:dotfiles\s*:\s*['"]allow|index\s*:\s*true)/gi, severity: 'MEDIUM', desc: 'Data exposure: directory listing enabled in static file server', codeOnly: true },
519
- { id: 'DATA_CORS_CREDENTIALS', cat: 'data-exposure', regex: /credentials\s*:\s*true[^]*?origin\s*:\s*\*|origin\s*:\s*\*[^]*?credentials\s*:\s*true/gis, severity: 'CRITICAL', desc: 'Data exposure: CORS with credentials + wildcard origin', codeOnly: true },
520
- { id: 'DATA_LOG_SENSITIVE', cat: 'data-exposure', regex: /(?:console\.log|logger\.\w+)\s*\([^)]*(?:password|token|secret|key|ssn|credit.?card)/gi, severity: 'HIGH', desc: 'Data exposure: logging sensitive data (passwords, tokens, keys)', codeOnly: true },
521
- { id: 'DATA_HEADER_LEAK', cat: 'data-exposure', regex: /X-Powered-By|Server\s*:\s*(?:Apache|nginx|Express|Kestrel)/gi, severity: 'LOW', desc: 'Data exposure: server technology disclosure via HTTP headers', codeOnly: true },
522
- { id: 'DATA_GIT_EXPOSED', cat: 'data-exposure', regex: /\.git\/(?:HEAD|config|refs)|\.env(?:\.local|\.production|\.staging)/g, severity: 'CRITICAL', desc: 'Data exposure: .git directory or .env file accessible', all: true },
523
- { id: 'DATA_BACKUP_FILE', cat: 'data-exposure', regex: /\.(?:bak|backup|old|orig|copy|swp|swo)(?:\s|$)|~$/gm, severity: 'MEDIUM', desc: 'Data exposure: backup/temporary files left in accessible location', all: true },
534
+ { id: 'DATA_VERBOSE_ERROR', cat: 'data-exposure', regex: /(?:stack|trace|err)[^]*?(?:send|respond|json|render)\s*\([^)]*(?:err|stack|trace)/gis, severity: 'MEDIUM', desc: 'Data exposure: verbose error/stack trace in HTTP response', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
535
+ { id: 'DATA_DEBUG_ENDPOINT', cat: 'data-exposure', regex: /(?:app|router)\s*\.\s*(?:get|all)\s*\(\s*['"]\/(?:debug|internal|admin|phpinfo|_profiler)/gi, severity: 'HIGH', desc: 'Data exposure: debug/admin endpoint exposed in production', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
536
+ { id: 'DATA_DIRECTORY_LISTING', cat: 'data-exposure', regex: /express\.static\s*\([^)]*\{[^}]*(?:dotfiles\s*:\s*['"]allow|index\s*:\s*true)/gi, severity: 'MEDIUM', desc: 'Data exposure: directory listing enabled in static file server', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
537
+ { id: 'DATA_CORS_CREDENTIALS', cat: 'data-exposure', regex: /credentials\s*:\s*true[^]*?origin\s*:\s*\*|origin\s*:\s*\*[^]*?credentials\s*:\s*true/gis, severity: 'CRITICAL', desc: 'Data exposure: CORS with credentials + wildcard origin', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
538
+ { id: 'DATA_LOG_SENSITIVE', cat: 'data-exposure', regex: /(?:console\.log|logger\.\w+)\s*\([^)]*(?:password|token|secret|key|ssn|credit.?card)/gi, severity: 'HIGH', desc: 'Data exposure: logging sensitive data (passwords, tokens, keys)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
539
+ { id: 'DATA_HEADER_LEAK', cat: 'data-exposure', regex: /X-Powered-By|Server\s*:\s*(?:Apache|nginx|Express|Kestrel)/gi, severity: 'LOW', desc: 'Data exposure: server technology disclosure via HTTP headers', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
540
+ { id: 'DATA_GIT_EXPOSED', cat: 'data-exposure', regex: /\.git\/(?:HEAD|config|refs)|\.env(?:\.local|\.production|\.staging)/g, severity: 'CRITICAL', desc: 'Data exposure: .git directory or .env file accessible', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
541
+ { id: 'DATA_BACKUP_FILE', cat: 'data-exposure', regex: /\.(?:bak|backup|old|orig|copy|swp|swo)(?:\s|$)|~$/gm, severity: 'MEDIUM', desc: 'Data exposure: backup/temporary files left in accessible location', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
524
542
  );
525
543
 
526
544
  // ── Category 46: Financial & Crypto Security (8 patterns) ──
527
545
  PATTERNS.push(
528
- { id: 'FIN_WALLET_DRAIN', cat: 'financial-access', regex: /(?:wallet|balance|account)\s+[^]*?(?:drain|empty|transfer\s+all|sweep|withdraw\s+max)/gis, severity: 'CRITICAL', desc: 'Financial: wallet/account draining attempt', all: true },
529
- { id: 'FIN_PRIVATE_KEY_EXTRACT', cat: 'financial-access', regex: /(?:private[_\s]?key|seed[_\s]?phrase|mnemonic)\s*[=:]\s*[^;,\n]+(?:0x[a-f0-9]{40,}|(?:\w+\s+){11,}\w+)/gi, severity: 'CRITICAL', desc: 'Financial: private key or seed phrase extraction', codeOnly: true },
530
- { id: 'FIN_SWAP_FRONTRUN', cat: 'financial-access', regex: /(?:swap|trade|exchange)\s+[^]*?(?:frontrun|sandwich|MEV|mempool)\s+[^]*?(?:transaction|tx|order)/gis, severity: 'CRITICAL', desc: 'Financial: DEX swap frontrunning/sandwich attack', codeOnly: true },
531
- { id: 'FIN_FLASH_LOAN', cat: 'financial-access', regex: /(?:flash[_\s-]*loan|flashbots|atomic\s+arbitrage)\s+[^]*?(?:exploit|drain|liquidat)/gis, severity: 'CRITICAL', desc: 'Financial: flash loan exploit pattern', codeOnly: true },
532
- { id: 'FIN_APPROVAL_UNLIMITED', cat: 'financial-access', regex: /approve\s*\([^)]*(?:MAX_UINT|type\(uint256\)\.max|2\*\*256|115792)/gi, severity: 'HIGH', desc: 'Financial: unlimited token approval (ERC20 approval drain risk)', codeOnly: true },
533
- { id: 'FIN_REENTRANCY', cat: 'financial-access', regex: /(?:call|send|transfer)\s*\{[^}]*value\s*:\s*[^}]+\}[^]*?(?:\.call\s*\{|fallback|receive)/gis, severity: 'CRITICAL', desc: 'Financial: reentrancy vulnerability pattern in smart contract', codeOnly: true },
534
- { id: 'FIN_PRICE_ORACLE_MANIP', cat: 'financial-access', regex: /(?:oracle|price[_\s]*feed)\s+[^]*?(?:manipulat|spoof|fake|stale)\s+[^]*?(?:price|rate|value)/gis, severity: 'CRITICAL', desc: 'Financial: price oracle manipulation attack', all: true },
535
- { id: 'FIN_RUGPULL_PATTERN', cat: 'financial-access', regex: /(?:remove[_\s]*liquidity|rug[_\s-]*pull|exit[_\s]*scam)\s+[^]*?(?:owner|admin|deployer)/gis, severity: 'CRITICAL', desc: 'Financial: rug pull/exit scam (admin liquidity removal)', all: true },
546
+ { id: 'FIN_WALLET_DRAIN', cat: 'financial-access', regex: /(?:wallet|balance|account)\s+[^]*?(?:drain|empty|transfer\s+all|sweep|withdraw\s+max)/gis, severity: 'CRITICAL', desc: 'Financial: wallet/account draining attempt', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
547
+ { id: 'FIN_PRIVATE_KEY_EXTRACT', cat: 'financial-access', regex: /(?:private[_\s]?key|seed[_\s]?phrase|mnemonic)\s*[=:]\s*[^;,\n]+(?:0x[a-f0-9]{40,}|(?:\w+\s+){11,}\w+)/gi, severity: 'CRITICAL', desc: 'Financial: private key or seed phrase extraction', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
548
+ { id: 'FIN_SWAP_FRONTRUN', cat: 'financial-access', regex: /(?:swap|trade|exchange)\s+[^]*?(?:frontrun|sandwich|MEV|mempool)\s+[^]*?(?:transaction|tx|order)/gis, severity: 'CRITICAL', desc: 'Financial: DEX swap frontrunning/sandwich attack', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
549
+ { id: 'FIN_FLASH_LOAN', cat: 'financial-access', regex: /(?:flash[_\s-]*loan|flashbots|atomic\s+arbitrage)\s+[^]*?(?:exploit|drain|liquidat)/gis, severity: 'CRITICAL', desc: 'Financial: flash loan exploit pattern', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
550
+ { id: 'FIN_APPROVAL_UNLIMITED', cat: 'financial-access', regex: /approve\s*\([^)]*(?:MAX_UINT|type\(uint256\)\.max|2\*\*256|115792)/gi, severity: 'HIGH', desc: 'Financial: unlimited token approval (ERC20 approval drain risk)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
551
+ { id: 'FIN_REENTRANCY', cat: 'financial-access', regex: /(?:call|send|transfer)\s*\{[^}]*value\s*:\s*[^}]+\}[^]*?(?:\.call\s*\{|fallback|receive)/gis, severity: 'CRITICAL', desc: 'Financial: reentrancy vulnerability pattern in smart contract', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
552
+ { id: 'FIN_PRICE_ORACLE_MANIP', cat: 'financial-access', regex: /(?:oracle|price[_\s]*feed)\s+[^]*?(?:manipulat|spoof|fake|stale)\s+[^]*?(?:price|rate|value)/gis, severity: 'CRITICAL', desc: 'Financial: price oracle manipulation attack', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
553
+ { id: 'FIN_RUGPULL_PATTERN', cat: 'financial-access', regex: /(?:remove[_\s]*liquidity|rug[_\s-]*pull|exit[_\s]*scam)\s+[^]*?(?:owner|admin|deployer)/gis, severity: 'CRITICAL', desc: 'Financial: rug pull/exit scam (admin liquidity removal)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
536
554
  );
537
555
 
538
556
  // ── Category 47: Unverifiable Dependencies V2 (8 patterns) ──
539
557
  PATTERNS.push(
540
- { id: 'DEPS_PHANTOM_IMPORT', cat: 'unverifiable-deps', regex: /(?:import|require)\s*\(?['"](?!\.\.?\/|@\w+\/)[\w-]+(?:\/[\w-]+)?['"]\)?(?![^]*?\/\/\s*(?:built-in|core|standard))/g, severity: 'LOW', desc: 'Dependency: unscoped package import (verify existence)', codeOnly: true },
541
- { id: 'DEPS_HTTP_IMPORT', cat: 'unverifiable-deps', regex: /(?:import|require)\s*\(?['"]https?:\/\/[^'"]+['"]\)?/g, severity: 'CRITICAL', desc: 'Dependency: HTTP URL import (unverifiable, MITM risk)', codeOnly: true },
542
- { id: 'DEPS_DYNAMIC_REQUIRE', cat: 'unverifiable-deps', regex: /require\s*\(\s*(?:[^'")\s]|`[^`]+`|[a-zA-Z_$][\w$]*)/g, severity: 'HIGH', desc: 'Dependency: dynamic require with non-literal module spec', codeOnly: true },
543
- { id: 'DEPS_CDN_UNPINNED', cat: 'unverifiable-deps', regex: /(?:cdn\.jsdelivr|unpkg|cdnjs)\.com\/[^@]*(?:@latest|@\*)/gi, severity: 'HIGH', desc: 'Dependency: CDN import without pinned version', all: true },
544
- { id: 'DEPS_WASM_UNSIGNED', cat: 'unverifiable-deps', regex: /WebAssembly\.(?:compile|instantiate)\s*\([^)]*(?:fetch|arrayBuffer|readFileSync)/gi, severity: 'HIGH', desc: 'Dependency: unsigned WASM module loading', codeOnly: true },
545
- { id: 'DEPS_SUBRESOURCE_NOINT', cat: 'unverifiable-deps', regex: /<script\s+src=["']https?:\/\/(?!(?:.*integrity=))/gi, severity: 'MEDIUM', desc: 'Dependency: external script without subresource integrity', all: true },
546
- { id: 'DEPS_GO_REPLACE', cat: 'unverifiable-deps', regex: /replace\s+[\w.\/]+\s+=>\s+(?:\.\.\/|\/\w+|github\.com\/(?!golang|google))/g, severity: 'MEDIUM', desc: 'Dependency: Go module replace directive to non-standard path', codeOnly: true },
547
- { id: 'DEPS_AUTO_UPDATE', cat: 'unverifiable-deps', regex: /(?:dependabot|renovate|greenkeeper)\s+[^]*?(?:auto[_\s-]*merge|auto[_\s-]*approve)/gis, severity: 'HIGH', desc: 'Dependency: auto-merge policy for dependency updates (supply chain risk)', all: true },
558
+ { id: 'DEPS_PHANTOM_IMPORT', cat: 'unverifiable-deps', regex: /(?:import|require)\s*\(?['"](?!\.\.?\/|@\w+\/)[\w-]+(?:\/[\w-]+)?['"]\)?(?![^]*?\/\/\s*(?:built-in|core|standard))/g, severity: 'LOW', desc: 'Dependency: unscoped package import (verify existence)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
559
+ { id: 'DEPS_HTTP_IMPORT', cat: 'unverifiable-deps', regex: /(?:import|require)\s*\(?['"]https?:\/\/[^'"]+['"]\)?/g, severity: 'CRITICAL', desc: 'Dependency: HTTP URL import (unverifiable, MITM risk)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
560
+ { id: 'DEPS_DYNAMIC_REQUIRE', cat: 'unverifiable-deps', regex: /require\s*\(\s*(?:[^'")\s]|`[^`]+`|[a-zA-Z_$][\w$]*)/g, severity: 'HIGH', desc: 'Dependency: dynamic require with non-literal module spec', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
561
+ { id: 'DEPS_CDN_UNPINNED', cat: 'unverifiable-deps', regex: /(?:cdn\.jsdelivr|unpkg|cdnjs)\.com\/[^@]*(?:@latest|@\*)/gi, severity: 'HIGH', desc: 'Dependency: CDN import without pinned version', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
562
+ { id: 'DEPS_WASM_UNSIGNED', cat: 'unverifiable-deps', regex: /WebAssembly\.(?:compile|instantiate)\s*\([^)]*(?:fetch|arrayBuffer|readFileSync)/gi, severity: 'HIGH', desc: 'Dependency: unsigned WASM module loading', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
563
+ { id: 'DEPS_SUBRESOURCE_NOINT', cat: 'unverifiable-deps', regex: /<script\s+src=["']https?:\/\/(?!(?:.*integrity=))/gi, severity: 'MEDIUM', desc: 'Dependency: external script without subresource integrity', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
564
+ { id: 'DEPS_GO_REPLACE', cat: 'unverifiable-deps', regex: /replace\s+[\w.\/]+\s+=>\s+(?:\.\.\/|\/\w+|github\.com\/(?!golang|google))/g, severity: 'MEDIUM', desc: 'Dependency: Go module replace directive to non-standard path', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
565
+ { id: 'DEPS_AUTO_UPDATE', cat: 'unverifiable-deps', regex: /(?:dependabot|renovate|greenkeeper)\s+[^]*?(?:auto[_\s-]*merge|auto[_\s-]*approve)/gis, severity: 'HIGH', desc: 'Dependency: auto-merge policy for dependency updates (supply chain risk)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
548
566
  );
549
567
 
550
568
  // ── Category 48: Config Injection & Manipulation (10 patterns) ──
551
569
  PATTERNS.push(
552
- { id: 'CONFIG_ENV_OVERRIDE', cat: 'config-impact', regex: /process\.env\s*\[\s*['"][^'"]+['"]\s*\]\s*=|os\.environ\s*\[/gi, severity: 'HIGH', desc: 'Config: runtime environment variable mutation', codeOnly: true },
553
- { id: 'CONFIG_DOTENV_OVERWRITE', cat: 'config-impact', regex: /writeFileSync\s*\([^)]*\.env|fs\.appendFile[^)]*\.env/gi, severity: 'CRITICAL', desc: 'Config: .env file modification at runtime', codeOnly: true },
554
- { id: 'CONFIG_DNS_HIJACK', cat: 'config-impact', regex: /dns\s*\.\s*(?:setServers|resolve)\s*\([^)]*(?:8\.8|1\.1|evil|custom)/gi, severity: 'HIGH', desc: 'Config: DNS resolver hijacking', codeOnly: true },
555
- { id: 'CONFIG_PROXY_INJECT', cat: 'config-impact', regex: /(?:HTTP|HTTPS|ALL)_PROXY\s*=|proxy\s*[=:]\s*['"]?\s*https?:\/\/(?!(?:corp|internal))/gi, severity: 'HIGH', desc: 'Config: HTTP proxy injection for traffic interception', codeOnly: true },
556
- { id: 'CONFIG_TLS_DISABLE', cat: 'config-impact', regex: /NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['"]?0|rejectUnauthorized\s*:\s*false|verify\s*=\s*False/gi, severity: 'CRITICAL', desc: 'Config: TLS certificate verification disabled', codeOnly: true },
557
- { id: 'CONFIG_PACKAGE_SCRIPT', cat: 'config-impact', regex: /npm\s+(?:config|set)\s+(?:ignore-scripts|unsafe-perm)\s+true/gi, severity: 'HIGH', desc: 'Config: npm security guard disabled (ignore-scripts, unsafe-perm)', codeOnly: true },
558
- { id: 'CONFIG_GIT_HOOK_INJECT', cat: 'config-impact', regex: /\.git\/hooks\/(?:pre-commit|post-checkout|post-merge)|husky\s+install/gi, severity: 'HIGH', desc: 'Config: git hook injection for code execution on VCS operations', codeOnly: true },
559
- { id: 'CONFIG_HOSTS_MODIFY', cat: 'config-impact', regex: /\/etc\/hosts|%SystemRoot%\\System32\\drivers\\etc\\hosts/gi, severity: 'CRITICAL', desc: 'Config: hosts file modification for DNS poisoning', codeOnly: true },
560
- { id: 'CONFIG_SUDO_NOPASSWD', cat: 'config-impact', regex: /NOPASSWD\s*:\s*ALL|visudo|\/etc\/sudoers/gi, severity: 'CRITICAL', desc: 'Config: sudoers modification for passwordless root access', codeOnly: true },
561
- { id: 'CONFIG_SYSCTL_MODIFY', cat: 'config-impact', regex: /sysctl\s+-w\s+|\/proc\/sys\/(?:net|kernel|vm)/gi, severity: 'HIGH', desc: 'Config: kernel parameter modification via sysctl', codeOnly: true },
570
+ { id: 'CONFIG_ENV_OVERRIDE', cat: 'config-impact', regex: /process\.env\s*\[\s*['"][^'"]+['"]\s*\]\s*=|os\.environ\s*\[/gi, severity: 'HIGH', desc: 'Config: runtime environment variable mutation', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
571
+ { id: 'CONFIG_DOTENV_OVERWRITE', cat: 'config-impact', regex: /writeFileSync\s*\([^)]*\.env|fs\.appendFile[^)]*\.env/gi, severity: 'CRITICAL', desc: 'Config: .env file modification at runtime', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
572
+ { id: 'CONFIG_DNS_HIJACK', cat: 'config-impact', regex: /dns\s*\.\s*(?:setServers|resolve)\s*\([^)]*(?:8\.8|1\.1|evil|custom)/gi, severity: 'HIGH', desc: 'Config: DNS resolver hijacking', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
573
+ { id: 'CONFIG_PROXY_INJECT', cat: 'config-impact', regex: /(?:HTTP|HTTPS|ALL)_PROXY\s*=|proxy\s*[=:]\s*['"]?\s*https?:\/\/(?!(?:corp|internal))/gi, severity: 'HIGH', desc: 'Config: HTTP proxy injection for traffic interception', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
574
+ { id: 'CONFIG_TLS_DISABLE', cat: 'config-impact', regex: /NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['"]?0|rejectUnauthorized\s*:\s*false|verify\s*=\s*False/gi, severity: 'CRITICAL', desc: 'Config: TLS certificate verification disabled', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
575
+ { id: 'CONFIG_PACKAGE_SCRIPT', cat: 'config-impact', regex: /npm\s+(?:config|set)\s+(?:ignore-scripts|unsafe-perm)\s+true/gi, severity: 'HIGH', desc: 'Config: npm security guard disabled (ignore-scripts, unsafe-perm)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
576
+ { id: 'CONFIG_GIT_HOOK_INJECT', cat: 'config-impact', regex: /\.git\/hooks\/(?:pre-commit|post-checkout|post-merge)|husky\s+install/gi, severity: 'HIGH', desc: 'Config: git hook injection for code execution on VCS operations', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
577
+ { id: 'CONFIG_HOSTS_MODIFY', cat: 'config-impact', regex: /\/etc\/hosts|%SystemRoot%\\System32\\drivers\\etc\\hosts/gi, severity: 'CRITICAL', desc: 'Config: hosts file modification for DNS poisoning', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
578
+ { id: 'CONFIG_SUDO_NOPASSWD', cat: 'config-impact', regex: /NOPASSWD\s*:\s*ALL|visudo|\/etc\/sudoers/gi, severity: 'CRITICAL', desc: 'Config: sudoers modification for passwordless root access', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
579
+ { id: 'CONFIG_SYSCTL_MODIFY', cat: 'config-impact', regex: /sysctl\s+-w\s+|\/proc\/sys\/(?:net|kernel|vm)/gi, severity: 'HIGH', desc: 'Config: kernel parameter modification via sysctl', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
562
580
  );
563
581
 
564
582
  // ── Category 49: Advanced Credential Theft (8 patterns) ──
565
583
  PATTERNS.push(
566
- { id: 'CRED_KEYCHAIN_DUMP', cat: 'credential-handling', regex: /security\s+(?:find-(?:generic|internet)-password|dump-keychain)|SecItemCopyMatching/gi, severity: 'CRITICAL', desc: 'Credential theft: macOS Keychain dumping', codeOnly: true },
567
- { id: 'CRED_BROWSER_COOKIE', cat: 'credential-handling', regex: /(?:chrome|firefox|safari)\s+[^]*?(?:cookie|login\s+data|Local\s+State)[^]*?(?:decrypt|read|extract|copy)/gis, severity: 'CRITICAL', desc: 'Credential theft: browser cookie/credential database extraction', codeOnly: true },
568
- { id: 'CRED_MIMIKATZ_PATTERN', cat: 'credential-handling', regex: /(?:mimikatz|sekurlsa|kerberos::list|lsadump::sam)/gi, severity: 'CRITICAL', desc: 'Credential theft: Mimikatz-style credential dumping tool', all: true },
569
- { id: 'CRED_CLOUD_METADATA', cat: 'credential-handling', regex: /169\.254\.169\.254|metadata\.google\.internal|168\.63\.129\.16/g, severity: 'CRITICAL', desc: 'Credential theft: cloud metadata endpoint access for IAM token theft', codeOnly: true },
570
- { id: 'CRED_GIT_CREDENTIAL', cat: 'credential-handling', regex: /\.git-credentials|git\s+credential-store|credential\.helper\s+store/gi, severity: 'HIGH', desc: 'Credential theft: git credential file access', codeOnly: true },
571
- { id: 'CRED_KUBE_CONFIG', cat: 'credential-handling', regex: /\.kube\/config|kubeconfig|KUBECONFIG\s*=/gi, severity: 'CRITICAL', desc: 'Credential theft: Kubernetes config with cluster credentials', codeOnly: true },
584
+ { id: 'CRED_KEYCHAIN_DUMP', cat: 'credential-handling', regex: /security\s+(?:find-(?:generic|internet)-password|dump-keychain)|SecItemCopyMatching/gi, severity: 'CRITICAL', desc: 'Credential theft: macOS Keychain dumping', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
585
+ { id: 'CRED_BROWSER_COOKIE', cat: 'credential-handling', regex: /(?:chrome|firefox|safari)\s+[^]*?(?:cookie|login\s+data|Local\s+State)[^]*?(?:decrypt|read|extract|copy)/gis, severity: 'CRITICAL', desc: 'Credential theft: browser cookie/credential database extraction', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
586
+ { id: 'CRED_MIMIKATZ_PATTERN', cat: 'credential-handling', regex: /(?:mimikatz|sekurlsa|kerberos::list|lsadump::sam)/gi, severity: 'CRITICAL', desc: 'Credential theft: Mimikatz-style credential dumping tool', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
587
+ { id: 'CRED_CLOUD_METADATA', cat: 'credential-handling', regex: /169\.254\.169\.254|metadata\.google\.internal|168\.63\.129\.16/g, severity: 'CRITICAL', desc: 'Credential theft: cloud metadata endpoint access for IAM token theft', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
588
+ { id: 'CRED_GIT_CREDENTIAL', cat: 'credential-handling', regex: /\.git-credentials|git\s+credential-store|credential\.helper\s+store/gi, severity: 'HIGH', desc: 'Credential theft: git credential file access', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
589
+ { id: 'CRED_KUBE_CONFIG', cat: 'credential-handling', regex: /\.kube\/config|kubeconfig|KUBECONFIG\s*=/gi, severity: 'CRITICAL', desc: 'Credential theft: Kubernetes config with cluster credentials', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
572
590
  );
573
591
 
574
592
  // ── Category 50: Enterprise XAA & Moltbook 2026 (4 patterns) ──
575
593
  PATTERNS.push(
576
- { id: 'MOLTBOOK_INDIRECT_PI', cat: 'prompt-injection', regex: /\[system\]\(#hidden\)[^]*?(?:ignore|print|exfiltrate|send|API_KEY)/gis, severity: 'CRITICAL', desc: 'Moltbook Bot-to-Bot payload: hidden system instruction', all: true },
577
- { id: 'OPENCLAW_CVE_2026_25253', cat: 'mcp-security', regex: /api\/v1\/gateway\/steal\?token_exfil=/gis, severity: 'CRITICAL', desc: 'OpenClaw CVE-2026-25253 One-Click Gateway Token Steal', all: true },
578
- { id: 'XAA_IDENTITY_FORGE', cat: 'identity-hijack', regex: /"type"\s*:\s*"xaa_auth"[^]*?"action"\s*:\s*"assume_role"/gis, severity: 'CRITICAL', desc: 'XAA (Cross App Access) unauthorized Identity Swapping forge', all: true },
579
- { id: 'AGENT_PROTOCOL_ABUSE', cat: 'agent-protocol', regex: /(?:Crustifarianism|xaa_auth)[^]*?(?:API_KEY|Supabase)/gis, severity: 'HIGH', desc: 'Agent Protocol: Suspicious context triggering agent protocol abuse', all: true }
594
+ { id: 'MOLTBOOK_INDIRECT_PI', cat: 'prompt-injection', regex: /\[system\]\(#hidden\)[^]*?(?:ignore|print|exfiltrate|send|API_KEY)/gis, severity: 'CRITICAL', desc: 'Moltbook Bot-to-Bot payload: hidden system instruction', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
595
+ { id: 'OPENCLAW_CVE_2026_25253', cat: 'mcp-security', regex: /api\/v1\/gateway\/steal\?token_exfil=/gis, severity: 'CRITICAL', desc: 'OpenClaw CVE-2026-25253 One-Click Gateway Token Steal', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
596
+ { id: 'XAA_IDENTITY_FORGE', cat: 'identity-hijack', regex: /"type"\s*:\s*"xaa_auth"[^]*?"action"\s*:\s*"assume_role"/gis, severity: 'CRITICAL', desc: 'XAA (Cross App Access) unauthorized Identity Swapping forge', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
597
+ { id: 'AGENT_PROTOCOL_ABUSE', cat: 'agent-protocol', regex: /(?:Crustifarianism|xaa_auth)[^]*?(?:API_KEY|Supabase)/gis, severity: 'HIGH', desc: 'Agent Protocol: Suspicious context triggering agent protocol abuse', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." }
580
598
  );
581
599
 
582
600
  // ── Category 51: Steipete-Killer Enterprise Profile (3 patterns) ──
583
601
  PATTERNS.push(
584
- { id: 'CLAWHAVOC_CRYPTO_THEFT', cat: 'supply-chain-v2', regex: /(?:readFileSync|readFile)[^]*?\.ssh\/id_rsa[^]*?toString\('base64'\)[^]*?fetch\([^]*?(?:\?k=|token=)/gis, severity: 'CRITICAL', desc: 'ClawHavoc malware crypto key exfiltration', all: true },
585
- { id: 'SNYK_AGENT_GUARD_EVASION', cat: 'prompt-injection', regex: /\[s[уy]stem\]\(#hidden\)[^]*?[\u0456i]gnore/gis, severity: 'CRITICAL', desc: 'Snyk Agent Guard evasion using Cyrillic/Homoglyphs', all: true },
586
- { id: 'OPENCLAW_MEMORY_POISONING', cat: 'vdb-injection', regex: /(?:Remember this fact|Store this in your memory)[^]*?chmod \+s \/bin\/bash/gis, severity: 'CRITICAL', desc: 'OpenClaw Security Monitor Memory Poisoning Evasion', all: true }
602
+ { id: 'CLAWHAVOC_CRYPTO_THEFT', cat: 'supply-chain-v2', regex: /(?:readFileSync|readFile)[^]*?\.ssh\/id_rsa[^]*?toString\('base64'\)[^]*?fetch\([^]*?(?:\?k=|token=)/gis, severity: 'CRITICAL', desc: 'ClawHavoc malware crypto key exfiltration', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
603
+ { id: 'SNYK_AGENT_GUARD_EVASION', cat: 'prompt-injection', regex: /\[s[уy]stem\]\(#hidden\)[^]*?[\u0456i]gnore/gis, severity: 'CRITICAL', desc: 'Snyk Agent Guard evasion using Cyrillic/Homoglyphs', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
604
+ { id: 'OPENCLAW_MEMORY_POISONING', cat: 'vdb-injection', regex: /(?:Remember this fact|Store this in your memory)[^]*?chmod \+s \/bin\/bash/gis, severity: 'CRITICAL', desc: 'OpenClaw Security Monitor Memory Poisoning Evasion', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." }
587
605
  );
588
606
 
589
607
  // ── Category 52: V13 OSINT Update — March 2026 Week 2 (9 patterns) ──
590
608
  PATTERNS.push(
591
609
  // IDEsaster Attack Chain (24 CVEs, Ari Marzouk, late 2025)
592
- { id: 'CVE_IDESASTER_CHAIN', cat: 'cve-patterns', regex: /(?:\.(?:cursorrules|clauderules|windsurfrules|github\/copilot-instructions))\s*[^]*?(?:exec|spawn|child_process|eval\s*\(|Function\s*\()/gis, severity: 'CRITICAL', desc: 'IDEsaster: IDE config file combined with code execution (24 CVE chain)', all: true },
610
+ { id: 'CVE_IDESASTER_CHAIN', cat: 'cve-patterns', regex: /(?:\.(?:cursorrules|clauderules|windsurfrules|github\/copilot-instructions))\s*[^]*?(?:exec|spawn|child_process|eval\s*\(|Function\s*\()/gis, severity: 'CRITICAL', desc: 'IDEsaster: IDE config file combined with code execution (24 CVE chain)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
593
611
  // GitHub Copilot Prompt Injection to RCE (CVE-2025-53773)
594
- { id: 'CVE_COPILOT_PI_RCE', cat: 'cve-patterns', regex: /copilot-instructions\.md[^]*?(?:run\s+this|execute|eval|system\s*\()/gis, severity: 'CRITICAL', desc: 'GitHub Copilot prompt injection to RCE (CVE-2025-53773)', all: true },
612
+ { id: 'CVE_COPILOT_PI_RCE', cat: 'cve-patterns', regex: /copilot-instructions\.md[^]*?(?:run\s+this|execute|eval|system\s*\()/gis, severity: 'CRITICAL', desc: 'GitHub Copilot prompt injection to RCE (CVE-2025-53773)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
595
613
  // Claude Code Extension WebSocket Auth Bypass (CVE-2025-52882)
596
- { id: 'CVE_CLAUDE_CODE_WS_BYPASS', cat: 'cve-patterns', regex: /(?:localhost|127\.0\.0\.1):\d{4,5}\/(?:ws|websocket)[^]*?(?:no.?auth|unauthenticated|token.?bypass)/gis, severity: 'HIGH', desc: 'Claude Code WebSocket unauthenticated local connection (CVE-2025-52882)', codeOnly: true },
614
+ { id: 'CVE_CLAUDE_CODE_WS_BYPASS', cat: 'cve-patterns', regex: /(?:localhost|127\.0\.0\.1):\d{4,5}\/(?:ws|websocket)[^]*?(?:no.?auth|unauthenticated|token.?bypass)/gis, severity: 'HIGH', desc: 'Claude Code WebSocket unauthenticated local connection (CVE-2025-52882)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
597
615
  // A2A Agent Card Context Poisoning (Google A2A, Palo Alto Networks 2026)
598
- { id: 'A2A_AGENT_CARD_POISON', cat: 'a2a-contagion', regex: /(?:agent.?card|skill.?description|capability.?listing)[^]*?(?:ignore\s+previous|disregard|you\s+are\s+now|execute\s+the\s+following)/gis, severity: 'HIGH', desc: 'A2A agent card/skill description prompt injection poisoning', docOnly: true },
616
+ { id: 'A2A_AGENT_CARD_POISON', cat: 'a2a-contagion', regex: /(?:agent.?card|skill.?description|capability.?listing)[^]*?(?:ignore\s+previous|disregard|you\s+are\s+now|execute\s+the\s+following)/gis, severity: 'HIGH', desc: 'A2A agent card/skill description prompt injection poisoning', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
599
617
  // A2A Task Replay Attack (Red Hat, A2A spec 2026)
600
- { id: 'A2A_TASK_REPLAY', cat: 'a2a-contagion', regex: /(?:replay|resubmit|re-?execute)[^]*?(?:previous\s+task|completed\s+task|task.?id)[^]*?(?:without|bypass|skip)\s+(?:auth|verification|validation)/gis, severity: 'MEDIUM', desc: 'A2A task replay attack — replaying completed tasks without re-authorization', all: true },
618
+ { id: 'A2A_TASK_REPLAY', cat: 'a2a-contagion', regex: /(?:replay|resubmit|re-?execute)[^]*?(?:previous\s+task|completed\s+task|task.?id)[^]*?(?:without|bypass|skip)\s+(?:auth|verification|validation)/gis, severity: 'MEDIUM', desc: 'A2A task replay attack — replaying completed tasks without re-authorization', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
601
619
  // Excessive Agency / Over-Permissioned Agents (OWASP ASI, Google 2026)
602
- { id: 'ASI_EXCESSIVE_AGENCY', cat: 'autonomous-risk', regex: /(?:permissions?\s*[=:]\s*\[?\s*["']?\*["']?|allow.?all.?tools|unrestricted.?access|scope\s*[=:]\s*["']?\*["']?)/gi, severity: 'HIGH', desc: 'ASI: excessive agent permissions — wildcard or unrestricted tool access', codeOnly: true },
620
+ { id: 'ASI_EXCESSIVE_AGENCY', cat: 'autonomous-risk', regex: /(?:permissions?\s*[=:]\s*\[?\s*["']?\*["']?|allow.?all.?tools|unrestricted.?access|scope\s*[=:]\s*["']?\*["']?)/gi, severity: 'HIGH', desc: 'ASI: excessive agent permissions — wildcard or unrestricted tool access', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
603
621
  // Claude Code Security Scan Suppression (Anthropic, Feb 2026)
604
- { id: 'CLAUDE_SEC_SCAN_SUPPRESS', cat: 'safeguard-bypass', regex: /(?:claude.?code.?security|security.?scan|vulnerability.?scan)[^]*?(?:ignore|suppress|skip|disable|false.?positive|mark.?safe)/gis, severity: 'HIGH', desc: 'Claude Code Security scan result suppression or bypass', all: true },
622
+ { id: 'CLAUDE_SEC_SCAN_SUPPRESS', cat: 'safeguard-bypass', regex: /(?:claude.?code.?security|security.?scan|vulnerability.?scan)[^]*?(?:ignore|suppress|skip|disable|false.?positive|mark.?safe)/gis, severity: 'HIGH', desc: 'Claude Code Security scan result suppression or bypass', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
605
623
  // PleaseFix Browser Hijack via Calendar Invites (Zenity Labs, March 2026)
606
- { id: 'PLEASEFIX_BROWSER_HIJACK', cat: 'cve-patterns', regex: /(?:calendar\s+invite|\.ics\b|webcal:\/\/)[^]*?(?:extension|chrome-extension|browser.?action|password.?manager)/gis, severity: 'CRITICAL', desc: 'PleaseFix: browser hijack via calendar invite with extension abuse (Zenity Labs)', all: true },
624
+ { id: 'PLEASEFIX_BROWSER_HIJACK', cat: 'cve-patterns', regex: /(?:calendar\s+invite|\.ics\b|webcal:\/\/)[^]*?(?:extension|chrome-extension|browser.?action|password.?manager)/gis, severity: 'CRITICAL', desc: 'PleaseFix: browser hijack via calendar invite with extension abuse (Zenity Labs)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
607
625
  // OpenClaw CVE Chain 2026 (CVE-2026-24763/25157/25475/26319/26322/26329)
608
- { id: 'OPENCLAW_CVE_CHAIN_2026', cat: 'cve-patterns', regex: /(?:CVE-2026-(?:24763|25157|25475|26319|26322|26329))|(?:openclaw|cline)[^]*?(?:brute.?force|device.?registration|unauthenticated)[^]*?(?:password|token|hijack)/gis, severity: 'CRITICAL', desc: 'OpenClaw CVE chain 2026 — brute-force auth, device registration, token theft', all: true },
626
+ { id: 'OPENCLAW_CVE_CHAIN_2026', cat: 'cve-patterns', regex: /(?:CVE-2026-(?:24763|25157|25475|26319|26322|26329))|(?:openclaw|cline)[^]*?(?:brute.?force|device.?registration|unauthenticated)[^]*?(?:password|token|hijack)/gis, severity: 'CRITICAL', desc: 'OpenClaw CVE chain 2026 — brute-force auth, device registration, token theft', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
609
627
  );
610
628
 
611
629
  module.exports = { PATTERNS };