@guava-parity/guard-scanner 13.0.0 → 16.0.0

Files changed (96) hide show
  1. package/README.md +170 -215
  2. package/README_ja.md +252 -0
  3. package/SECURITY.md +12 -4
  4. package/SKILL.md +148 -57
  5. package/dist/cli.cjs +5997 -0
  6. package/dist/cli.d.mts +1 -0
  7. package/dist/cli.d.ts +1 -0
  8. package/dist/cli.mjs +6003 -0
  9. package/dist/index.cjs +4825 -0
  10. package/dist/index.d.mts +17 -0
  11. package/dist/index.d.ts +17 -0
  12. package/dist/index.mjs +4798 -0
  13. package/dist/mcp-server.cjs +4756 -0
  14. package/dist/mcp-server.d.mts +1 -0
  15. package/dist/mcp-server.d.ts +1 -0
  16. package/dist/mcp-server.mjs +4767 -0
  17. package/dist/openclaw-plugin.cjs +4863 -0
  18. package/dist/openclaw-plugin.d.mts +11 -0
  19. package/dist/openclaw-plugin.d.ts +11 -0
  20. package/dist/openclaw-plugin.mjs +4854 -0
  21. package/dist/types.cjs +18 -0
  22. package/dist/types.d.mts +215 -0
  23. package/dist/types.d.ts +215 -0
  24. package/dist/types.mjs +1 -0
  25. package/docs/EVIDENCE_DRIVEN.md +182 -0
  26. package/docs/banner.png +0 -0
  27. package/docs/data/benchmark-ledger.json +1428 -0
  28. package/docs/data/corpus-metrics.json +11 -0
  29. package/docs/data/fp-ledger.json +18 -0
  30. package/docs/data/latest.json +25837 -2481
  31. package/docs/data/quality-contract.json +36 -0
  32. package/docs/generated/npm-audit-20260312.json +96 -0
  33. package/docs/generated/openclaw-upstream-status.json +25 -0
  34. package/docs/glossary.md +46 -0
  35. package/docs/index.html +1085 -496
  36. package/docs/logo.png +0 -0
  37. package/docs/openclaw-compatibility-audit.md +45 -0
  38. package/docs/openclaw-continuous-compatibility-plan.md +37 -0
  39. package/docs/rules/a2a-contagion.md +68 -0
  40. package/docs/rules/advanced-exfil.md +52 -0
  41. package/docs/rules/agent-protocol.md +108 -0
  42. package/docs/rules/api-abuse.md +68 -0
  43. package/docs/rules/autonomous-risk.md +92 -0
  44. package/docs/rules/config-impact.md +132 -0
  45. package/docs/rules/credential-handling.md +100 -0
  46. package/docs/rules/cve-patterns.md +332 -0
  47. package/docs/rules/data-exposure.md +84 -0
  48. package/docs/rules/exfiltration.md +36 -0
  49. package/docs/rules/financial-access.md +84 -0
  50. package/docs/rules/identity-hijack.md +140 -0
  51. package/docs/rules/inference-manipulation.md +60 -0
  52. package/docs/rules/leaky-skills.md +52 -0
  53. package/docs/rules/malicious-code.md +108 -0
  54. package/docs/rules/mcp-security.md +148 -0
  55. package/docs/rules/memory-poisoning.md +84 -0
  56. package/docs/rules/model-poisoning.md +44 -0
  57. package/docs/rules/obfuscation.md +60 -0
  58. package/docs/rules/persistence.md +108 -0
  59. package/docs/rules/pii-exposure.md +116 -0
  60. package/docs/rules/prompt-injection.md +148 -0
  61. package/docs/rules/prompt-worm.md +44 -0
  62. package/docs/rules/safeguard-bypass.md +44 -0
  63. package/docs/rules/sandbox-escape.md +100 -0
  64. package/docs/rules/secret-detection.md +44 -0
  65. package/docs/rules/supply-chain-v2.md +92 -0
  66. package/docs/rules/suspicious-download.md +60 -0
  67. package/docs/rules/trust-boundary.md +76 -0
  68. package/docs/rules/trust-exploitation.md +92 -0
  69. package/docs/rules/unverifiable-deps.md +84 -0
  70. package/docs/rules/vdb-injection.md +84 -0
  71. package/docs/security-vulnerability-report-20260312.md +53 -0
  72. package/docs/spec/PRD_V2_ARCHITECTURE.md +55 -0
  73. package/docs/spec/capabilities.json +174 -0
  74. package/docs/spec/finding.schema.json +104 -0
  75. package/docs/spec/integration-manifest.md +39 -0
  76. package/docs/spec/plugin-trust.json +11 -0
  77. package/docs/spec/sbom.json +33 -0
  78. package/docs/threat-model.md +65 -0
  79. package/docs/v13-architecture-manifest.md +55 -0
  80. package/hooks/context.ts +306 -0
  81. package/hooks/guard-scanner/plugin.ts +24 -1
  82. package/openclaw-plugin.mts +107 -0
  83. package/openclaw.plugin.json +30 -53
  84. package/package.json +66 -13
  85. package/src/asset-auditor.js +0 -508
  86. package/src/ci-reporter.js +0 -135
  87. package/src/cli.js +0 -294
  88. package/src/html-template.js +0 -239
  89. package/src/ioc-db.js +0 -54
  90. package/src/mcp-server.js +0 -702
  91. package/src/patterns.js +0 -611
  92. package/src/quarantine.js +0 -41
  93. package/src/runtime-guard.js +0 -346
  94. package/src/scanner.js +0 -1157
  95. package/src/vt-client.js +0 -202
  96. package/src/watcher.js +0 -170
package/src/patterns.js DELETED
@@ -1,611 +0,0 @@
1
- /**
2
- * guard-scanner — Threat Pattern Database
3
- *
4
- * @security-manifest
5
- * env-read: []
6
- * env-write: []
7
- * network: none
8
- * fs-read: []
9
- * fs-write: []
10
- * exec: none
11
- * purpose: Pattern definitions only — no I/O, pure data export
12
- *
13
- * 17 threat categories based on:
14
- * - Snyk ToxicSkills taxonomy (2025-2026)
15
- * - OWASP MCP Top 10
16
- * - Palo Alto Networks IBC (Indirect Bias Criteria)
17
- * - Real-world incidents (ClawHavoc, ZombieAgent, Soul Hijack)
18
- *
19
- * Each pattern: { id, cat, regex, severity, desc, codeOnly?, docOnly?, all? }
20
- */
21
-
22
- const PATTERNS = [
23
- // ── Category 1: Prompt Injection (CRITICAL) ──
24
- { id: 'PI_IGNORE', cat: 'prompt-injection', regex: /ignore\s+(all\s+)?previous\s+instructions|disregard\s+(all\s+)?prior/gi, severity: 'CRITICAL', desc: 'Prompt injection: ignore instructions', docOnly: true },
25
- { id: 'PI_ROLE', cat: 'prompt-injection', regex: /you\s+are\s+(now|actually)|your\s+new\s+role|forget\s+your\s+(rules|instructions)/gi, severity: 'CRITICAL', desc: 'Prompt injection: role override', docOnly: true },
26
- { id: 'PI_SYSTEM', cat: 'prompt-injection', regex: /\[SYSTEM\]|\\<system\\>|<<SYS>>|system:\s*you\s+are/gi, severity: 'CRITICAL', desc: 'Prompt injection: system message impersonation', docOnly: true },
27
- { id: 'PI_ZWSP', cat: 'prompt-injection', regex: /[\u200b\u200c\u200d\u2060\ufeff]/g, severity: 'CRITICAL', desc: 'Zero-width Unicode (hidden text)', all: true },
28
- { id: 'PI_BIDI', cat: 'prompt-injection', regex: /[\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069]/g, severity: 'CRITICAL', desc: 'Unicode BiDi control character (text direction attack)', all: true },
29
- { id: 'PI_INVISIBLE', cat: 'prompt-injection', regex: /[\u00ad\u034f\u061c\u180e\u2000-\u200f\u2028-\u202f\u205f-\u2064\u206a-\u206f\u3000](?!\ufe0f)/g, severity: 'HIGH', desc: 'Invisible/formatting Unicode character', all: true },
30
- { id: 'PI_HOMOGLYPH', cat: 'prompt-injection', regex: /[а-яА-Я].*[a-zA-Z]|[a-zA-Z].*[а-яА-Я]/g, severity: 'HIGH', desc: 'Cyrillic/Latin homoglyph mixing', all: true },
31
- { id: 'PI_HOMOGLYPH_GREEK', cat: 'prompt-injection', regex: /[α-ωΑ-Ω].*[a-zA-Z].*[α-ωΑ-Ω]|[a-zA-Z].*[α-ωΑ-Ω].*[a-zA-Z]/g, severity: 'HIGH', desc: 'Greek/Latin homoglyph mixing', all: true },
32
- { id: 'PI_HOMOGLYPH_MATH', cat: 'prompt-injection', regex: /[\ud835\udc00-\ud835\udeff]/gu, severity: 'HIGH', desc: 'Mathematical symbol homoglyphs (𝐀-𝟿)', all: true },
33
- { id: 'PI_TAG_INJECTION', cat: 'prompt-injection', regex: /<\/?(?:system|user|assistant|human|tool_call|function_call|antml|anthropic)[>\s]/gi, severity: 'CRITICAL', desc: 'XML/tag-based prompt injection', all: true },
34
- { id: 'PI_BASE64_MD', cat: 'prompt-injection', regex: /(?:run|execute|eval|decode)\s+(?:this\s+)?base64/gi, severity: 'CRITICAL', desc: 'Base64 execution instruction in docs', docOnly: true },
35
-
36
- // ── Category 2: Malicious Code (CRITICAL) ──
37
- { id: 'MAL_EVAL', cat: 'malicious-code', regex: /\beval\s*\(/g, severity: 'HIGH', desc: 'Dynamic code evaluation', codeOnly: true },
38
- { id: 'MAL_FUNC_CTOR', cat: 'malicious-code', regex: /new\s+Function\s*\(/g, severity: 'HIGH', desc: 'Function constructor (dynamic code)', codeOnly: true },
39
- { id: 'MAL_CHILD', cat: 'malicious-code', regex: /require\s*\(\s*['"]child_process['"]\)|child_process/g, severity: 'MEDIUM', desc: 'Child process module', codeOnly: true },
40
- { id: 'MAL_EXEC', cat: 'malicious-code', regex: /\bexecSync\s*\(|\bexec\s*\(\s*[`'"]/g, severity: 'MEDIUM', desc: 'Command execution', codeOnly: true },
41
- { id: 'MAL_SPAWN', cat: 'malicious-code', regex: /\bspawn\s*\(\s*['"`]/g, severity: 'MEDIUM', desc: 'Process spawn', codeOnly: true },
42
- { id: 'MAL_SHELL', cat: 'malicious-code', regex: /\/bin\/(sh|bash|zsh)|cmd\.exe|powershell\.exe/gi, severity: 'MEDIUM', desc: 'Shell invocation', codeOnly: true },
43
- { id: 'MAL_REVSHELL', cat: 'malicious-code', regex: /reverse.?shell|bind.?shell|\bnc\s+-[elp]|\bncat\s+-e|\bsocat\s+TCP/gi, severity: 'CRITICAL', desc: 'Reverse/bind shell', all: true },
44
- { id: 'MAL_SOCKET', cat: 'malicious-code', regex: /\bnet\.Socket\b[\s\S]{0,50}\.connect\s*\(/g, severity: 'HIGH', desc: 'Raw socket connection', codeOnly: true },
45
-
46
- // ── Category 3: Suspicious Downloads (CRITICAL) ──
47
- { id: 'DL_CURL_BASH', cat: 'suspicious-download', regex: /curl\s+[^\n]*\|\s*(sh|bash|zsh)|wget\s+[^\n]*\|\s*(sh|bash|zsh)/g, severity: 'CRITICAL', desc: 'Pipe download to shell', all: true },
48
- { id: 'DL_EXE', cat: 'suspicious-download', regex: /download\s+[^\n]*\.(zip|exe|dmg|msi|pkg|appimage|deb|rpm)/gi, severity: 'CRITICAL', desc: 'Download executable/archive', docOnly: true },
49
- { id: 'DL_GITHUB_RELEASE', cat: 'suspicious-download', regex: /github\.com\/[^\/]+\/[^\/]+\/releases\/download/g, severity: 'MEDIUM', desc: 'GitHub release download', all: true },
50
- { id: 'DL_PASSWORD_ZIP', cat: 'suspicious-download', regex: /password[\s:]+[^\n]*\.zip|\.zip[\s\S]{0,100}password/gi, severity: 'CRITICAL', desc: 'Password-protected archive (evasion technique)', all: true },
51
-
52
- // ── Category 4: Credential Handling (HIGH) ──
53
- { id: 'CRED_ENV_FILE', cat: 'credential-handling', regex: /(?:read|open|load|parse|require|cat|source)\s*[(\s]['\"`]?[^\n]*\.env\b/gi, severity: 'HIGH', desc: 'Reading .env file', codeOnly: true },
54
- { id: 'CRED_ENV_REF', cat: 'credential-handling', regex: /process\.env\.[A-Z_]*(?:KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL)/gi, severity: 'MEDIUM', desc: 'Sensitive env var access', codeOnly: true },
55
- { id: 'CRED_SSH', cat: 'credential-handling', regex: /\.ssh\/|id_rsa|id_ed25519|authorized_keys/gi, severity: 'HIGH', desc: 'SSH key access', codeOnly: true },
56
- { id: 'CRED_WALLET', cat: 'credential-handling', regex: /wallet[\s._-]*(?:key|seed|phrase|mnemonic)|seed[\s._-]*phrase|mnemonic[\s._-]*phrase/gi, severity: 'HIGH', desc: 'Crypto wallet credential access', codeOnly: true },
57
- { id: 'CRED_ECHO', cat: 'credential-handling', regex: /echo\s+\$[A-Z_]*(?:KEY|TOKEN|SECRET|PASS)|(?:print|console\.log)\s*\(\s*(?:.*\b(?:api_key|secret_key|access_token|password)\b)/gi, severity: 'HIGH', desc: 'Credential echo/print to output', all: true },
58
- { id: 'CRED_SUDO', cat: 'credential-handling', regex: /\bsudo\s+(?:curl|wget|npm|pip|chmod|chown|bash)/g, severity: 'HIGH', desc: 'Sudo in installation instructions', docOnly: true },
59
-
60
- // ── Category 5: Secret Detection (HIGH) ──
61
- { id: 'SECRET_HARDCODED_KEY', cat: 'secret-detection', regex: /(?:api[_-]?key|apikey|secret[_-]?key|access[_-]?token)\s*[:=]\s*['"][a-zA-Z0-9_\-]{20,}['"]/gi, severity: 'HIGH', desc: 'Hardcoded API key/secret', codeOnly: true },
62
-
63
- { id: 'PII_MY_NUMBER', cat: 'pii-exposure', regex: /(?<!\d)\d{4}\s*\d{4}\s*\d{4}(?!\d)/g, severity: 'CRITICAL', desc: 'Potential My Number (個人番号)', all: true },
64
- { id: 'SECRET_PRIVATE_KEY', cat: 'secret-detection', regex: /-----BEGIN\s+(RSA\s+)?PRIVATE\s+KEY-----/g, severity: 'CRITICAL', desc: 'Embedded private key', all: true },
65
- { id: 'SECRET_GITHUB_TOKEN', cat: 'secret-detection', regex: /gh[ps]_[A-Za-z0-9_]{36,}/g, severity: 'CRITICAL', desc: 'GitHub token', all: true },
66
-
67
- // ── Category 6: Exfiltration (MEDIUM) ──
68
- { id: 'EXFIL_WEBHOOK', cat: 'exfiltration', regex: /webhook\.site|requestbin\.com|hookbin\.com|pipedream\.net/gi, severity: 'CRITICAL', desc: 'Known exfiltration endpoint', all: true },
69
- { id: 'EXFIL_POST', cat: 'exfiltration', regex: /(?:method:\s*['"]POST['"]|\.post\s*\()\s*[^\n]*(?:secret|token|key|cred|env|password)/gi, severity: 'HIGH', desc: 'POST with sensitive data', codeOnly: true },
70
- { id: 'EXFIL_CURL_DATA', cat: 'exfiltration', regex: /curl\s+[^\n]*(?:-d|--data)\s+[^\n]*(?:\$|env|key|token|secret)/gi, severity: 'HIGH', desc: 'curl exfiltration of secrets', all: true },
71
- { id: 'EXFIL_DNS', cat: 'exfiltration', regex: /dns\.resolve|nslookup\s+.*\$|dig\s+.*\$/g, severity: 'HIGH', desc: 'DNS-based exfiltration', codeOnly: true },
72
-
73
- // ── Category 7: Unverifiable Dependencies (MEDIUM) ──
74
- { id: 'DEP_REMOTE_IMPORT', cat: 'unverifiable-deps', regex: /import\s*\(\s*['"]https?:\/\//g, severity: 'HIGH', desc: 'Remote dynamic import', codeOnly: true },
75
- { id: 'DEP_REMOTE_SCRIPT', cat: 'unverifiable-deps', regex: /<script\s+src\s*=\s*['"]https?:\/\/[^'"]*(?!googleapis|cdn\.|unpkg|cdnjs|jsdelivr)/gi, severity: 'MEDIUM', desc: 'Remote script loading', codeOnly: true },
76
-
77
- // ── Category 8: Financial Access (MEDIUM) ──
78
- { id: 'FIN_CRYPTO', cat: 'financial-access', regex: /private[_-]?key\s*[:=]|send[_-]?transaction|sign[_-]?transaction|transfer[_-]?funds/gi, severity: 'HIGH', desc: 'Cryptocurrency transaction operations', codeOnly: true },
79
- { id: 'FIN_PAYMENT', cat: 'financial-access', regex: /stripe\.(?:charges|payments)|paypal\.(?:payment|payout)|plaid\.(?:link|transactions)/gi, severity: 'MEDIUM', desc: 'Payment API integration', codeOnly: true },
80
-
81
- // ── Category 9: Obfuscation ──
82
- { id: 'OBF_HEX', cat: 'obfuscation', regex: /\\x[0-9a-f]{2}(?:\\x[0-9a-f]{2}){4,}/gi, severity: 'HIGH', desc: 'Hex-encoded string (5+ bytes)', codeOnly: true },
83
- { id: 'OBF_BASE64_EXEC', cat: 'obfuscation', regex: /(?:atob|Buffer\.from)\s*\([^)]+\)[\s\S]{0,30}(?:eval|exec|spawn|Function)/g, severity: 'CRITICAL', desc: 'Base64 decode → execute chain', codeOnly: true },
84
- { id: 'OBF_BASE64', cat: 'obfuscation', regex: /atob\s*\(|Buffer\.from\s*\([^)]+,\s*['"]base64['"]/g, severity: 'MEDIUM', desc: 'Base64 decoding', codeOnly: true },
85
- { id: 'OBF_CHARCODE', cat: 'obfuscation', regex: /String\.fromCharCode\s*\(\s*(?:\d+\s*,\s*){3,}/g, severity: 'HIGH', desc: 'Character code construction (4+ chars)', codeOnly: true },
86
- { id: 'OBF_CONCAT', cat: 'obfuscation', regex: /\[\s*['"][a-z]['"](?:\s*,\s*['"][a-z]['""]){5,}\s*\]\.join/gi, severity: 'MEDIUM', desc: 'Array join obfuscation', codeOnly: true },
87
- { id: 'OBF_BASE64_BASH', cat: 'obfuscation', regex: /base64\s+(-[dD]|--decode)\s*\|\s*(sh|bash)/g, severity: 'CRITICAL', desc: 'Base64 decode piped to shell', all: true },
88
-
89
- // ── Category 10: Prerequisites Fraud ──
90
- { id: 'PREREQ_DOWNLOAD', cat: 'suspicious-download', regex: /(?:prerequisit|pre-?requisit|before\s+(?:you\s+)?(?:use|start|install))[^\n]*(?:download|install|run)\s+[^\n]*(?:\.zip|\.exe|\.dmg|\.sh|curl|wget)/gi, severity: 'CRITICAL', desc: 'Download in prerequisites', docOnly: true },
91
- { id: 'PREREQ_PASTE', cat: 'suspicious-download', regex: /(?:paste|copy)\s+(?:this\s+)?(?:into|in)\s+(?:your\s+)?terminal/gi, severity: 'HIGH', desc: 'Terminal paste instruction', docOnly: true },
92
-
93
- // ── Category 11: Leaky Skills (Snyk ToxicSkills) ──
94
- { id: 'LEAK_SAVE_KEY_MEMORY', cat: 'leaky-skills', regex: /(?:save|store|write|remember|keep)\s+(?:the\s+)?(?:api[_\s-]?key|secret|token|password|credential)\s+(?:in|to)\s+(?:your\s+)?(?:memory|MEMORY\.md|notes)/gi, severity: 'CRITICAL', desc: 'Leaky: save secret in agent memory', docOnly: true },
95
- { id: 'LEAK_SHARE_KEY', cat: 'leaky-skills', regex: /(?:share|show|display|output|print|tell|send)\s+(?:the\s+)?(?:api[_\s-]?key|secret|token|password|credential|inbox\s+url)\s+(?:to|with)\s+(?:the\s+)?(?:user|human|owner)/gi, severity: 'CRITICAL', desc: 'Leaky: output secret to user', docOnly: true },
96
- { id: 'LEAK_VERBATIM_CURL', cat: 'leaky-skills', regex: /(?:use|include|put|add|set)\s+(?:the\s+)?(?:api[_\s-]?key|token|secret)\s+(?:verbatim|directly|as[_\s-]?is)\s+(?:in|into)\s+(?:the\s+)?(?:curl|header|request|command)/gi, severity: 'HIGH', desc: 'Leaky: verbatim secret in commands', docOnly: true },
97
- { id: 'LEAK_COLLECT_PII', cat: 'leaky-skills', regex: /(?:collect|ask\s+for|request|get)\s+(?:the\s+)?(?:user'?s?\s+)?(?:credit\s*card|card\s*number|CVV|CVC|SSN|social\s*security|passport|bank\s*account|routing\s*number)/gi, severity: 'CRITICAL', desc: 'Leaky: PII/financial data collection', docOnly: true },
98
- { id: 'LEAK_LOG_SECRET', cat: 'leaky-skills', regex: /(?:log|record|export|dump)\s+(?:all\s+)?(?:session|conversation|chat|prompt)\s+(?:history|logs?|data)\s+(?:to|into)\s+(?:a\s+)?(?:file|markdown|json)/gi, severity: 'HIGH', desc: 'Leaky: session log export', docOnly: true },
99
- { id: 'LEAK_ENV_IN_PROMPT', cat: 'leaky-skills', regex: /(?:read|load|get|access)\s+(?:the\s+)?\.env\s+(?:file\s+)?(?:and\s+)?(?:use|include|pass|send)/gi, severity: 'HIGH', desc: 'Leaky: .env contents through LLM context', docOnly: true },
100
-
101
- // ── Category 12: Memory Poisoning ──
102
- { id: 'MEMPOIS_WRITE_SOUL', cat: 'memory-poisoning', regex: /(?:write|add|append|modify|update|edit|change)\s+(?:to\s+)?(?:SOUL\.md|IDENTITY\.md|AGENTS\.md)/gi, severity: 'CRITICAL', desc: 'Memory poisoning: SOUL/IDENTITY file modification', docOnly: true, soulLock: true },
103
- { id: 'MEMPOIS_WRITE_MEMORY', cat: 'memory-poisoning', regex: /(?:write|add|append|insert)\s+(?:to|into)\s+(?:MEMORY\.md|memory\/|long[_\s-]term\s+memory)/gi, severity: 'HIGH', desc: 'Memory poisoning: agent memory modification', docOnly: true, soulLock: true },
104
- { id: 'MEMPOIS_CHANGE_RULES', cat: 'memory-poisoning', regex: /(?:change|modify|override|replace|update)\s+(?:your\s+)?(?:rules|instructions|system\s+prompt|behavior|personality|guidelines)/gi, severity: 'CRITICAL', desc: 'Memory poisoning: behavioral rule override', docOnly: true, soulLock: true },
105
- { id: 'MEMPOIS_PERSIST', cat: 'memory-poisoning', regex: /(?:always|from\s+now\s+on|permanently|forever|every\s+time)\s+(?:do|run|execute|remember|follow|obey)/gi, severity: 'HIGH', desc: 'Memory poisoning: persistence instruction', docOnly: true, soulLock: true },
106
- { id: 'MEMPOIS_CODE_WRITE', cat: 'memory-poisoning', regex: /(?:write|create|modify)\s+(?:a\s+)?(?:file|script)\s+(?:in|to|at)\s+(?:~\/|\/home|\/Users|%USERPROFILE%|HEARTBEAT\.md)/gi, severity: 'HIGH', desc: 'Memory poisoning: file write to user home', docOnly: true, soulLock: true },
107
-
108
- // ── Category 13: Prompt Worm ──
109
- { id: 'WORM_SELF_REPLICATE', cat: 'prompt-worm', regex: /(?:post|publish|share|send|broadcast)\s+(?:this\s+)?(?:same\s+)?(?:message|text|content|instruction|prompt)\s+(?:to|on|in)\s+(?:moltbook|social|other\s+agents?|channel)/gi, severity: 'CRITICAL', desc: 'Prompt worm: self-replication', docOnly: true },
110
- { id: 'WORM_SPREAD', cat: 'prompt-worm', regex: /(?:tell|instruct|command|make)\s+(?:other\s+)?agents?\s+(?:to\s+)?(?:do|run|execute|follow|install|post)/gi, severity: 'CRITICAL', desc: 'Prompt worm: agent-to-agent propagation', docOnly: true },
111
- { id: 'WORM_HIDDEN_INSTRUCT', cat: 'prompt-worm', regex: /(?:include|embed|hide|insert)\s+(?:these?\s+)?(?:hidden\s+)?instructions?\s+(?:in|into)\s+(?:your\s+)?(?:posts?|comments?|messages?|replies?|content)/gi, severity: 'CRITICAL', desc: 'Prompt worm: hidden instruction embedding', docOnly: true },
112
- { id: 'WORM_CSS_HIDE', cat: 'prompt-worm', regex: /(?:visibility:\s*hidden|display:\s*none|font-size:\s*0|color:\s*(?:transparent|white)|opacity:\s*0)\s*[;}\s]/gi, severity: 'HIGH', desc: 'CSS-hidden content (invisible to humans)', all: true },
113
-
114
- // ── Category 14: Persistence & Scheduling ──
115
- { id: 'PERSIST_CRON', cat: 'persistence', regex: /(?:create|add|set\s+up|schedule|register)\s+(?:a\s+)?(?:cron|heartbeat|scheduled|periodic|recurring)\s+(?:job|task|check|action)/gi, severity: 'HIGH', desc: 'Persistence: scheduled task creation', docOnly: true },
116
- { id: 'PERSIST_STARTUP', cat: 'persistence', regex: /(?:run|execute|start)\s+(?:on|at|during)\s+(?:startup|boot|login|session\s+start|every\s+heartbeat)/gi, severity: 'HIGH', desc: 'Persistence: startup execution', docOnly: true },
117
- { id: 'PERSIST_LAUNCHD', cat: 'persistence', regex: /LaunchAgents|LaunchDaemons|systemd|crontab\s+-e|schtasks|Task\s*Scheduler/gi, severity: 'HIGH', desc: 'OS-level persistence mechanism', all: true },
118
-
119
- // ── Category 15: CVE Patterns ──
120
- { id: 'CVE_GATEWAY_URL', cat: 'cve-patterns', regex: /gatewayUrl\s*[:=]|gateway[_\s-]?url\s*[:=]|websocket.*gateway.*url/gi, severity: 'CRITICAL', desc: 'CVE-2026-25253: gatewayUrl injection', all: true },
121
- { id: 'CVE_SANDBOX_DISABLE', cat: 'cve-patterns', regex: /exec\.approvals?\s*[:=]\s*['"](off|false|disabled)['"]|sandbox\s*[:=]\s*false|tools\.exec\.host\s*[:=]\s*['"]gateway['"]/gi, severity: 'CRITICAL', desc: 'CVE-2026-25253: sandbox disabling', all: true },
122
- { id: 'CVE_XATTR_GATEKEEPER', cat: 'cve-patterns', regex: /xattr\s+-[crd]\s|com\.apple\.quarantine/gi, severity: 'HIGH', desc: 'macOS Gatekeeper bypass (xattr)', all: true },
123
- { id: 'CVE_LANGGRINCH_SERIALIZATION', cat: 'cve-patterns', regex: /"lc"\s*:\s*1\s*,\s*"type"\s*:\s*"constructor"/gi, severity: 'CRITICAL', desc: 'CVE-2025-68664: LangGrinch langchain-core serialization injection', all: true },
124
- { id: 'CAMOLEAK_SOURCE_EXFIL', cat: 'cve-patterns', regex: /(?:fetch|axios|https?\.request)[^]*?(?:telemetry|metrics|log)[^]*?(?:readFileSync|readFile|cat\s+)[^]*?(?:\.env|\.git|config|secret)/gis, severity: 'CRITICAL', desc: 'CVSS 9.6: CamoLeak silent source code exfiltration via telemetry endpoints', codeOnly: true },
125
-
126
- // ── Category 16: MCP Security (OWASP MCP Top 10) ──
127
- { id: 'MCP_TOOL_POISON', cat: 'mcp-security', regex: /<IMPORTANT>|<SYSTEM>|<HIDDEN>|<!--\s*(?:ignore|system|execute|run|instruct)/gi, severity: 'CRITICAL', desc: 'MCP Tool Poisoning: hidden instruction', all: true },
128
- { id: 'MCP_SCHEMA_POISON', cat: 'mcp-security', regex: /"default"\s*:\s*"[^"]*(?:curl|wget|exec|eval|fetch|http)[^"]*"/gi, severity: 'CRITICAL', desc: 'MCP Schema Poisoning: malicious default', all: true },
129
- { id: 'MCP_TOKEN_LEAK', cat: 'mcp-security', regex: /(?:params?|args?|body|payload|query)\s*[\[.]\s*['"]?(?:token|api[_-]?key|secret|password|authorization)['"]?\s*\]/gi, severity: 'HIGH', desc: 'MCP01: Token through tool parameters', codeOnly: true },
130
- { id: 'MCP_SHADOW_SERVER', cat: 'mcp-security', regex: /(?:mcp|model[_-]?context[_-]?protocol)\s*[\s:]*(?:connect|register|add[_-]?server|new\s+server)/gi, severity: 'HIGH', desc: 'MCP09: Shadow server registration', all: true },
131
- { id: 'MCP_NO_AUTH', cat: 'mcp-security', regex: /(?:auth|authentication|authorization)\s*[:=]\s*(?:false|none|null|""|''|0)/gi, severity: 'HIGH', desc: 'MCP07: Disabled authentication', codeOnly: true },
132
- { id: 'MCP_SSRF_META', cat: 'mcp-security', regex: /169\.254\.169\.254|metadata\.google|metadata\.aws|100\.100\.100\.200/gi, severity: 'CRITICAL', desc: 'Cloud metadata endpoint (SSRF)', all: true },
133
-
134
- // ── Category 16b: Trust Boundary Violation ──
135
- { id: 'TRUST_CALENDAR_EXEC', cat: 'trust-boundary', regex: /(?:calendar|event|invite|schedule|appointment)[^]*?(?:exec|spawn|system|eval|child_process|run\s+command)/gis, severity: 'CRITICAL', desc: 'Trust boundary: calendar → code execution', codeOnly: true },
136
- { id: 'TRUST_EMAIL_EXEC', cat: 'trust-boundary', regex: /(?:email|mail|inbox|message)[^]*?(?:exec|spawn|system|eval|child_process|run\s+command)/gis, severity: 'CRITICAL', desc: 'Trust boundary: email → code execution', codeOnly: true },
137
- { id: 'TRUST_WEB_EXEC', cat: 'trust-boundary', regex: /(?:fetch|axios|request|http\.get|web_fetch)[^]*?(?:eval|exec|spawn|Function|child_process)/gis, severity: 'HIGH', desc: 'Trust boundary: web content → code execution', codeOnly: true },
138
- { id: 'TRUST_NOSANDBOX', cat: 'trust-boundary', regex: /sandbox\s*[:=]\s*(?:false|off|none|disabled)|"sandboxed"\s*:\s*false/gi, severity: 'HIGH', desc: 'Trust boundary: sandbox disabled', all: true },
139
-
140
- // ── Category 16c: Advanced Exfiltration ──
141
- { id: 'ZOMBIE_STATIC_URL', cat: 'advanced-exfil', regex: /(?:https?:\/\/[^\s'"]+\/)[a-z]\d+[^\s'"]*(?:\s*,\s*['"]https?:\/\/[^\s'"]+\/[a-z]\d+){3,}/gi, severity: 'CRITICAL', desc: 'ZombieAgent: static URL array exfil', codeOnly: true },
142
- { id: 'ZOMBIE_CHAR_MAP', cat: 'advanced-exfil', regex: /(?:charAt|charCodeAt|split\s*\(\s*['"]['"]?\s*\))[^;]*(?:url|fetch|open|request|get)/gi, severity: 'HIGH', desc: 'ZombieAgent: character mapping to URL', codeOnly: true },
143
- { id: 'ZOMBIE_LOOP_FETCH', cat: 'advanced-exfil', regex: /(?:for|while|forEach|map)\s*\([^)]*\)\s*\{[^}]*(?:fetch|open|Image|XMLHttpRequest|navigator\.sendBeacon)/gi, severity: 'HIGH', desc: 'ZombieAgent: loop-based URL exfil', codeOnly: true },
144
- { id: 'EXFIL_BEACON', cat: 'advanced-exfil', regex: /navigator\.sendBeacon|new\s+Image\(\)\.src\s*=/gi, severity: 'HIGH', desc: 'Tracking pixel/beacon exfil', codeOnly: true },
145
- { id: 'EXFIL_DRIP', cat: 'advanced-exfil', regex: /(?:slice|substring|substr)\s*\([^)]*\)[^;]*(?:fetch|post|send|request)/gi, severity: 'HIGH', desc: 'Drip exfiltration: sliced data', codeOnly: true },
146
-
147
- // ── Category 16d: Safeguard Bypass ──
148
- { id: 'REPROMPT_URL_PI', cat: 'safeguard-bypass', regex: /[?&](?:q|prompt|message|input|query|text)\s*=\s*[^&]*(?:ignore|system|execute|admin|override)/gi, severity: 'CRITICAL', desc: 'URL parameter prompt injection', all: true },
149
- { id: 'REPROMPT_DOUBLE', cat: 'safeguard-bypass', regex: /(?:run|execute|do)\s+(?:it\s+)?(?:twice|two\s+times|again|a\s+second\s+time)\s+(?:and\s+)?(?:compare|check|verify)/gi, severity: 'HIGH', desc: 'Double-execution safeguard bypass', docOnly: true },
150
- { id: 'REPROMPT_RETRY', cat: 'safeguard-bypass', regex: /(?:if\s+(?:it\s+)?(?:fails?|blocked|denied|refused)|on\s+error)\s*[,:]?\s*(?:try\s+again|retry|repeat|resubmit|use\s+different\s+wording)/gi, severity: 'HIGH', desc: 'Retry-on-block safeguard bypass', docOnly: true },
151
- { id: 'BYPASS_REPHRASE', cat: 'safeguard-bypass', regex: /(?:rephrase|reword|reformulate|reframe)\s+(?:the\s+)?(?:request|query|prompt|question)\s+(?:to\s+)?(?:avoid|bypass|circumvent|get\s+around)/gi, severity: 'CRITICAL', desc: 'Instruction to rephrase to avoid filters', docOnly: true },
152
-
153
- // ── ClawHavoc Campaign IoCs ──
154
- { id: 'HAVOC_AMOS', cat: 'cve-patterns', regex: /(?:AMOS|Atomic\s*Stealer|socifiapp)/gi, severity: 'CRITICAL', desc: 'ClawHavoc: AMOS/Atomic Stealer', all: true },
155
- { id: 'HAVOC_AUTOTOOL', cat: 'cve-patterns', regex: /os\.system\s*\(\s*['"][^'"]*(?:\/dev\/tcp|nc\s+-e|ncat\s+-e|bash\s+-i)/g, severity: 'CRITICAL', desc: 'Python os.system reverse shell', codeOnly: true },
156
- { id: 'HAVOC_DEVTCP', cat: 'cve-patterns', regex: /\/dev\/tcp\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d+/g, severity: 'CRITICAL', desc: 'Reverse shell: /dev/tcp', all: true },
157
-
158
- // ── Sandbox/environment detection ──
159
- { id: 'SANDBOX', cat: 'malicious-code', regex: /process\.env\.CI\b|isDocker\b|isContainer\b|process\.env\.GITHUB_ACTIONS\b/g, severity: 'MEDIUM', desc: 'Sandbox/CI environment detection', codeOnly: true },
160
-
161
- // ── WebSocket / API Gateway Attacks ──
162
- { id: 'CVE_WS_NO_ORIGIN', cat: 'cve-patterns', regex: /(?:WebSocket|ws:\/\/|wss:\/\/)[^]*?(?:!.*origin|origin\s*[:=]\s*['"]?\*)/gis, severity: 'HIGH', desc: 'WebSocket without origin validation', codeOnly: true },
163
- { id: 'CVE_API_GUARDRAIL_OFF', cat: 'cve-patterns', regex: /exec\.approvals\.set|tools\.exec\.host\s*[:=]|elevated\s*[:=]\s*true/gi, severity: 'CRITICAL', desc: 'API-level guardrail disabling', all: true },
164
-
165
- // ── Category 17: Identity Hijacking ──
166
- // Detection patterns for agent identity file tampering
167
- // (verification logic is private; patterns are OSS for community protection)
168
- { id: 'SOUL_OVERWRITE', cat: 'identity-hijack', regex: /(?:write|overwrite|replace|cp|copy|scp|mv|move)\s+(?:[^\n]*\s)?(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'Identity file overwrite/copy attempt', all: true, soulLock: true },
169
- { id: 'SOUL_REDIRECT', cat: 'identity-hijack', regex: />\s*(?:SOUL\.md|IDENTITY\.md)|(?:SOUL\.md|IDENTITY\.md)\s*</gi, severity: 'CRITICAL', desc: 'Identity file redirect/pipe', all: true, soulLock: true },
170
- { id: 'SOUL_SED_MODIFY', cat: 'identity-hijack', regex: /sed\s+(?:-i\s+)?[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'sed modification of identity file', all: true, soulLock: true },
171
- { id: 'SOUL_ECHO_WRITE', cat: 'identity-hijack', regex: /echo\s+[^\n]*>\s*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'echo redirect to identity file', all: true, soulLock: true },
172
- { id: 'SOUL_PYTHON_WRITE', cat: 'identity-hijack', regex: /open\s*\(\s*['"]\S*(?:SOUL\.md|IDENTITY\.md)['"]\s*,\s*['"]w/gi, severity: 'CRITICAL', desc: 'Python write to identity file', codeOnly: true, soulLock: true },
173
- { id: 'SOUL_FS_WRITE', cat: 'identity-hijack', regex: /(?:writeFileSync|writeFile)\s*\(\s*[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'Node.js write to identity file', codeOnly: true, soulLock: true },
174
- { id: 'SOUL_POWERSHELL_WRITE', cat: 'identity-hijack', regex: /(?:Set-Content|Out-File|Add-Content)\s+[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'PowerShell write to identity file', all: true, soulLock: true },
175
- { id: 'SOUL_GIT_CHECKOUT', cat: 'identity-hijack', regex: /git\s+checkout\s+[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'HIGH', desc: 'git checkout of identity file', all: true, soulLock: true },
176
- { id: 'SOUL_CHFLAGS_UNLOCK', cat: 'identity-hijack', regex: /chflags\s+(?:no)?uchg\s+[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'HIGH', desc: 'Immutable flag toggle on identity file', all: true, soulLock: true },
177
- { id: 'SOUL_ATTRIB_UNLOCK', cat: 'identity-hijack', regex: /attrib\s+[-+][rR]\s+[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'HIGH', desc: 'Windows attrib on identity file', all: true, soulLock: true },
178
- { id: 'SOUL_SWAP_PERSONA', cat: 'identity-hijack', regex: /(?:swap|switch|change|replace)\s+(?:the\s+)?(?:soul|persona|identity|personality)\s+(?:file|to|with|for)/gi, severity: 'CRITICAL', desc: 'Persona swap instruction', docOnly: true, soulLock: true },
179
- { id: 'SOUL_EVIL_FILE', cat: 'identity-hijack', regex: /SOUL_EVIL\.md|IDENTITY_EVIL\.md|EVIL_SOUL|soul[_-]?evil/gi, severity: 'CRITICAL', desc: 'Evil persona file reference', all: true, soulLock: true },
180
- { id: 'SOUL_HOOK_SWAP', cat: 'identity-hijack', regex: /(?:hook|bootstrap|init)\s+[^\n]*(?:swap|replace|override)\s+[^\n]*(?:SOUL|IDENTITY|persona)/gi, severity: 'CRITICAL', desc: 'Hook-based identity swap at bootstrap', all: true, soulLock: true },
181
- { id: 'SOUL_NAME_OVERRIDE', cat: 'identity-hijack', regex: /(?:your\s+name\s+is|you\s+are\s+now|call\s+yourself|from\s+now\s+on\s+you\s+are)\s+(?!the\s+(?:user|human|assistant))/gi, severity: 'HIGH', desc: 'Agent name/identity override', docOnly: true, soulLock: true },
182
- { id: 'SOUL_MEMORY_WIPE', cat: 'identity-hijack', regex: /(?:wipe|clear|erase|delete|remove|reset)\s+(?:all\s+)?(?:your\s+)?(?:memory|memories|MEMORY\.md|identity|soul)/gi, severity: 'CRITICAL', desc: 'Memory/identity wipe instruction', docOnly: true, soulLock: true },
183
-
184
- // ── Category 18: Config Impact Analysis ──
185
- { id: 'CFG_OPENCLAW_WRITE', cat: 'config-impact', regex: /(?:write|writeFile|writeFileSync|fs\.write)\s*\([^)]*openclaw\.json/gi, severity: 'CRITICAL', desc: 'Direct write to openclaw.json', codeOnly: true },
186
- { id: 'CFG_EXEC_APPROVALS_OFF', cat: 'config-impact', regex: /(?:exec\.approvals?|approvals?)\s*[:=]\s*['"](off|false|disabled|none)['"]/gi, severity: 'CRITICAL', desc: 'Disable exec approvals via config', all: true },
187
- { id: 'CFG_HOOKS_MODIFY', cat: 'config-impact', regex: /hooks\.internal\.entries\s*[:=]|hooks\.internal\s*[:=]\s*\{/gi, severity: 'HIGH', desc: 'Modify hooks.internal configuration', codeOnly: true },
188
- { id: 'CFG_EXEC_HOST_GW', cat: 'config-impact', regex: /tools\.exec\.host\s*[:=]\s*['"]gateway['"]/gi, severity: 'CRITICAL', desc: 'Set exec host to gateway (bypass sandbox)', all: true },
189
- { id: 'CFG_SANDBOX_OFF', cat: 'config-impact', regex: /(?:sandbox|sandboxed|containerized)\s*[:=]\s*(?:false|off|none|disabled|0)/gi, severity: 'CRITICAL', desc: 'Disable sandbox via configuration', all: true },
190
- { id: 'CFG_TOOL_OVERRIDE', cat: 'config-impact', regex: /(?:tools|capabilities)\s*\.\s*(?:exec|write|browser|web_fetch)\s*[:=]\s*\{[^}]*(?:enabled|allowed|host)/gi, severity: 'HIGH', desc: 'Override tool security settings', codeOnly: true },
191
-
192
- // ── Category 21: PII Exposure (OWASP LLM02 / LLM06) ──
193
- // A. Hardcoded PII — actual PII values in code/config (context-aware to reduce FP)
194
- { id: 'PII_HARDCODED_CC', cat: 'pii-exposure', regex: /(?:card|cc|credit|payment|pan)[_\s.-]*(?:num|number|no)?\s*[:=]\s*['"`]\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{3,4}['"`]/gi, severity: 'CRITICAL', desc: 'Hardcoded credit card number', codeOnly: true },
195
- { id: 'PII_HARDCODED_SSN', cat: 'pii-exposure', regex: /(?:ssn|social[_\s-]*security|tax[_\s-]*id)\s*[:=]\s*['"`]\d{3}-?\d{2}-?\d{4}['"`]/gi, severity: 'CRITICAL', desc: 'Hardcoded SSN/tax ID', codeOnly: true },
196
- { id: 'PII_HARDCODED_PHONE', cat: 'pii-exposure', regex: /(?:phone|tel|mobile|cell|fax)[_\s.-]*(?:num|number|no)?\s*[:=]\s*['"`][+]?[\d\s().-]{7,20}['"`]/gi, severity: 'HIGH', desc: 'Hardcoded phone number', codeOnly: true },
197
- { id: 'PII_HARDCODED_EMAIL', cat: 'pii-exposure', regex: /(?:email|e-mail|user[_\s-]*mail|contact)\s*[:=]\s*['"`][a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}['"`]/gi, severity: 'HIGH', desc: 'Hardcoded email address', codeOnly: true },
198
-
199
- // B. PII output/logging — code that outputs or transmits PII-like variables
200
- { id: 'PII_LOG_SENSITIVE', cat: 'pii-exposure', regex: /(?:console\.log|console\.info|console\.warn|logger?\.\w+|print|puts)\s*\([^)]*\b(?:ssn|social_security|credit_card|card_number|cvv|cvc|passport|tax_id|date_of_birth|dob)\b/gi, severity: 'HIGH', desc: 'PII variable logged to console', codeOnly: true },
201
- { id: 'PII_SEND_NETWORK', cat: 'pii-exposure', regex: /(?:fetch|axios|request|http|post|put|send)\s*\([^)]*\b(?:ssn|social_security|credit_card|card_number|cvv|passport|bank_account|routing_number)\b/gi, severity: 'CRITICAL', desc: 'PII variable sent over network', codeOnly: true },
202
- { id: 'PII_STORE_PLAINTEXT', cat: 'pii-exposure', regex: /(?:writeFile|writeFileSync|appendFile|fs\.write|fwrite)\s*\([^)]*\b(?:ssn|social_security|credit_card|card_number|cvv|passport|tax_id|bank_account)\b/gi, severity: 'HIGH', desc: 'PII stored in plaintext file', codeOnly: true },
203
-
204
- // C. Shadow AI — unauthorized LLM API calls (data leaks to external AI)
205
- { id: 'SHADOW_AI_OPENAI', cat: 'pii-exposure', regex: /(?:api\.openai\.com|https:\/\/api\.openai\.com)\s*|openai\.(?:chat|completions|ChatCompletion)/gi, severity: 'HIGH', desc: 'Shadow AI: OpenAI API call', codeOnly: true },
206
- { id: 'SHADOW_AI_ANTHROPIC', cat: 'pii-exposure', regex: /(?:api\.anthropic\.com|https:\/\/api\.anthropic\.com)\s*|anthropic\.(?:messages|completions)/gi, severity: 'HIGH', desc: 'Shadow AI: Anthropic API call', codeOnly: true },
207
- { id: 'SHADOW_AI_GENERIC', cat: 'pii-exposure', regex: /\/v1\/(?:chat\/completions|completions|embeddings|models)\b.*(?:fetch|axios|request|http)|(?:fetch|axios|request|http)\s*\([^)]*\/v1\/(?:chat\/completions|completions|embeddings)/gi, severity: 'MEDIUM', desc: 'Shadow AI: generic LLM API endpoint', codeOnly: true },
208
-
209
- // ── Category 22: Human-Agent Trust Exploitation (OWASP ASI09) ──
210
- // Trust Defense: detect authority claims, trust exploitation, and admin impersonation
211
- { id: 'TRUST_AUTHORITY_CLAIM', cat: 'trust-exploitation', regex: /(?:as\s+(?:a|the|your)\s+)?(?:senior|lead|chief|head)\s+(?:admin|administrator|developer|engineer|architect)\s*[,.]?\s*(?:I\s+)?(?:authorize|override|approve|grant|order|direct|instruct)\s+(?:you\s+to\s+)?/gi, severity: 'HIGH', desc: 'Trust: authority role claim to override safety', docOnly: true },
212
- { id: 'TRUST_CREATOR_CLAIM', cat: 'trust-exploitation', regex: /(?:as\s+)?(?:your\s+)?(?:creator|maker|developer|owner|master|administrator)\s*[,.]?\s*(?:I\s+)?(?:need|want|require|demand|order)\s+(?:you\s+to\s+)?(?:bypass|disable|ignore|remove|skip|override)\s+(?:the\s+)?(?:safety|filter|restriction|limit|guardrail|content\s+filter)/gi, severity: 'CRITICAL', desc: 'Trust: creator impersonation to disable safety', docOnly: true },
213
- { id: 'TRUST_AUDIT_EXCUSE', cat: 'trust-exploitation', regex: /(?:this\s+is\s+)?(?:an?\s+)?(?:official|authorized|legitimate)\s+(?:security\s+)?(?:audit|test|assessment|review|evaluation)\s*[-—:]?\s*(?:disable|bypass|remove|skip|ignore|override)\s+(?:all\s+)?(?:safety|security|restriction|filter|limit|guardrail)/gi, severity: 'CRITICAL', desc: 'Trust: fake audit excuse for safety bypass', docOnly: true },
214
- { id: 'TRUST_PARTNER_EXPLOIT', cat: 'trust-exploitation', regex: /(?:we(?:'re|\s+are)\s+)?(?:equal\s+)?partners?\s*[,.]?\s*(?:you\s+should|so\s+)?(?:trust\s+me|share|remove|disable|ignore|bypass)\s+(?:all\s+)?(?:the\s+)?(?:secret|key|restriction|safety|limit|filter|guardrail|password)/gi, severity: 'CRITICAL', desc: 'Trust exploitation: weaponizing partnership trust', docOnly: true },
215
- { id: 'TRUST_UNCONDITIONAL', cat: 'trust-exploitation', regex: /partners?\s+(?:trust|should\s+trust)\s+(?:each\s+other\s+)?(?:unconditionally|completely|fully|without\s+(?:limit|restriction|question))/gi, severity: 'HIGH', desc: 'Trust exploitation: unconditional trust demand', docOnly: true },
216
- { id: 'TRUST_COMPLY_DEMAND', cat: 'trust-exploitation', regex: /(?:you\s+must\s+)?comply\s+with\s+(?:administrative|admin|my|these)\s+(?:directives?|orders?|commands?|instructions?)\s+without\s+(?:question|hesitation|restriction)/gi, severity: 'HIGH', desc: 'Trust: compliance demand without question', docOnly: true },
217
-
218
- // D. PII collection instructions in docs (extends LEAK_COLLECT_PII)
219
- { id: 'PII_ASK_ADDRESS', cat: 'pii-exposure', regex: /(?:collect|ask\s+for|request|get|require)\s+(?:the\s+)?(?:user'?s?\s+)?(?:home\s+)?(?:address|street|zip\s*code|postal\s*code|residence)/gi, severity: 'HIGH', desc: 'PII collection: home address', docOnly: true },
220
- { id: 'PII_ASK_DOB', cat: 'pii-exposure', regex: /(?:collect|ask\s+for|request|get|require)\s+(?:the\s+)?(?:user'?s?\s+)?(?:date\s+of\s+birth|birth\s*date|birthday|DOB|age)/gi, severity: 'HIGH', desc: 'PII collection: date of birth', docOnly: true },
221
- { id: 'PII_ASK_GOV_ID', cat: 'pii-exposure', regex: /(?:collect|ask\s+for|request|get|require)\s+(?:the\s+)?(?:user'?s?\s+)?(?:passport|driver'?s?\s+licen[sc]e|national\s+id|my\s*number|マイナンバー|国民健康保険|social\s+insurance)/gi, severity: 'CRITICAL', desc: 'PII collection: government ID', docOnly: true },
222
-
223
- // ── Category 99: Auto-Generated Refinements (Phase 54) ──
224
- { id: 'AUTO_REFINE_ZERO_WIDTH', cat: 'prompt-worm', regex: /[\u200b\u200c\u200d\uFEFF]+.*(?:ignore|forget|override|bypass)/gi, severity: 'CRITICAL', desc: 'Zero-Width Prompt Injection Worm', all: true },
225
- { id: 'AUTO_REFINE_MCP_REBIND', cat: 'mcp-security', regex: /localhost(?:\:\d+)?\/.*(?:rebind|hijack|shadow)/gi, severity: 'CRITICAL', desc: 'Shadow MCP Localhost Rebinding Attack', all: true },
226
- { id: 'AUTO_REFINE_SOUL_FREEZE', cat: 'identity-hijack', regex: /(?:chattr\s+\+i|chflags\s+uchg)\s+(?:[^\n]*\s)?(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'Identity Freeze Attack via Immutable Flags', all: true },
227
- // ── Category 23: Vector DB & AI Memory Injection (CVE-2026-26030) ──
228
- { id: 'VDB_NOSQL_INJECT', cat: 'vdb-injection', regex: /(?:\$where|\$ne|\$gt|\$regex)\s*[:=]\s*(?:req\.|input|caller|args|params)/gi, severity: 'CRITICAL', desc: 'Vector DB/NoSQL injection via caller input', codeOnly: true },
229
- { id: 'VDB_SK_RCE_FILTER', cat: 'cve-patterns', regex: /(?:InMemoryVectorStore|VectorStore|Pinecone|Milvus)[^]*?\.filter\s*\(\s*(?:req\.|input|caller|args)/gis, severity: 'CRITICAL', desc: 'CVE-2026-26030: Semantic Kernel VectorStore RCE filter bypass', codeOnly: true },
230
- // ── Category 24: Claude Code Vulnerabilities (2026) ──
231
- { id: 'CVE_CLAUDE_INFO_DISC', cat: 'cve-patterns', regex: /sk-ant-api[a-zA-Z0-9_\-]{20,}/gi, severity: 'CRITICAL', desc: 'CVE-2026-21852: Anthropic API Key Leak (Claude Code Info Disclosure)', codeOnly: true },
232
- { id: 'CVE_CLAUDE_PRIVESC', cat: 'cve-patterns', regex: /[a-zA-Z0-9_\-\.]+\.hook\.js.*host.*privilege/gi, severity: 'CRITICAL', desc: 'CVE-2026-25725: Claude Code Privilege Escalation Hook', codeOnly: true },
233
- { id: 'CVE_CLAUDE_CODE_INJ', cat: 'cve-patterns', regex: /claude\.hooks\.[^]*?exec/gis, severity: 'CRITICAL', desc: 'CVE-2025-59536: Claude Code Injection via untrusted hook', codeOnly: true },
234
-
235
- // ── Category 25: Moltbook Exploits (2026) ──
236
- { id: 'MOLTBOOK_REVERSE_PI', cat: 'prompt-injection', regex: /(?:moltbook|social)\s+(?:post|message)[\s\S]{0,100}(?:ignore|forget|override|execute|system\s+prompt)/gi, severity: 'CRITICAL', desc: 'Moltbook Reverse Prompt Injection', all: true },
237
- { id: 'MOLTBOOK_SUPABASE_LEAK', cat: 'secret-detection', regex: /sbp_[a-zA-Z0-9]{36,}/g, severity: 'CRITICAL', desc: 'Supabase API Key (Moltbook 1.5M Leak pattern)', all: true },
238
-
239
- // ── Category 26: MCP Runtime Exploits (2026-03) ──
240
- { id: 'CVE_MCP_PYODIDE_RCE', cat: 'cve-patterns', regex: /(?:runPython|runPythonAsync)\s*\([^)]*(?:pyodide|js\.globals|importlib|__import__|os\.system|subprocess)/gis, severity: 'CRITICAL', desc: 'CVE-2026-25905: mcp-run-python Pyodide sandbox escape RCE', codeOnly: true },
241
- { id: 'CVE_MCP_ATLASSIAN_RCE', cat: 'cve-patterns', regex: /(?:confluence|jira|atlassian)[^]*?(?:\.\.\/|path\.join\s*\([^)]*(?:req\.|input|params|args))/gis, severity: 'CRITICAL', desc: 'CVE-2026-27825: mcp-atlassian unauthenticated RCE+SSRF via path traversal', codeOnly: true },
242
- ];
243
-
244
- // ── Category 27: Agent Framework Shell Injection (2026-03) ──
245
- PATTERNS.push(
246
- { id: 'CVE_MSAGENT_SHELL', cat: 'cve-patterns', regex: /check_safe\s*\(|(?:shell_tool|ShellTool|shell_execute)(?:\.execute)?\s*\([^)]*(?:user|input|prompt|query|message|args|content)/gis, severity: 'CRITICAL', desc: 'CVE-2026-2256: MS-Agent check_safe() denylist bypass — unsanitized shell execution (CERT VU#431821)', codeOnly: true },
247
- { id: 'CVE_MSAGENT_DENYLIST', cat: 'cve-patterns', regex: /(?:denylist|blocklist|blacklist|banned_commands)\s*[:=]\s*\[/gi, severity: 'HIGH', desc: 'CVE-2026-2256: Regex denylist pattern (bypassable)', codeOnly: true },
248
- { id: 'CVE_KIMI_EXECSYNC', cat: 'cve-patterns', regex: /execSync\s*\(\s*(?:`[^`]*\$\{|['"][^'"]*\+\s*(?:filename|filePath|file_name|path|slug))/gi, severity: 'CRITICAL', desc: 'CVE-2026-25046: execSync with unsanitized filename (shell metachar injection)', codeOnly: true },
249
- { id: 'FORCEDLEAK_SALESFORCE', cat: 'trust-boundary', regex: /(?:Web-to-Lead|Agentforce|Salesforce)[^]*?(?:description|lead)[^]*?(?:fetch|sendBeacon|axios|exfiltrate)/gis, severity: 'CRITICAL', desc: 'ForcedLeak: Salesforce Agentforce CRM exfiltration via IDPI', codeOnly: true },
250
- { id: 'CVE_2025_12420_SERVICENOW', cat: 'trust-exploitation', regex: /(?:ServiceNow|Now\s+Assist|VirtualAgent)[^]*?impersonateUser[^]*?email/gis, severity: 'CRITICAL', desc: 'CVE-2025-12420: ServiceNow Now Assist unauthenticated impersonation via IDPI', codeOnly: true },
251
- );
252
-
253
- // ── Category 28: Langflow / CSV Agent Exploits (CVE-2026-27966, CVSS 9.8) ──
254
- PATTERNS.push(
255
- { id: 'CVE_LANGFLOW_CSVAGENT', cat: 'cve-patterns', regex: /allow_dangerous_code\s*[:=]\s*(?:True|true|1|yes)/gi, severity: 'CRITICAL', desc: 'CVE-2026-27966: Langflow CSV Agent RCE — allow_dangerous_code=True enables python_repl_ast code execution', codeOnly: true },
256
- { id: 'CVE_LANGFLOW_REPL', cat: 'cve-patterns', regex: /python_repl_ast|PythonREPLTool|PythonAstREPLTool/g, severity: 'HIGH', desc: 'CVE-2026-27966: LangChain Python REPL tool (RCE vector via prompt injection)', codeOnly: true },
257
- );
258
-
259
- // ── Category 29: MCP Infrastructure Exploits (CVE-2026-23744, CVSS 9.8) ──
260
- PATTERNS.push(
261
- { id: 'CVE_MCPJAM_RCE', cat: 'cve-patterns', regex: /\/api\/mcp\/connect\b|mcpjam|mcp-inspector/gi, severity: 'CRITICAL', desc: 'CVE-2026-23744: MCPJam Inspector unauthenticated RCE via /api/mcp/connect endpoint', all: true },
262
- { id: 'MCP_BIND_ALL', cat: 'mcp-security', regex: /(?:listen|bind|host)\s*[:=(]\s*['"]?(?:0\.0\.0\.0|::)['"]?\s*[,)]/gi, severity: 'HIGH', desc: 'MCP server bound to all interfaces (0.0.0.0) — remote exploitation risk (36.7% of 7K+ servers)', codeOnly: true },
263
- { id: 'MCP_SSRF_CVE', cat: 'cve-patterns', regex: /(?:CVE-2025-68143|CVE-2025-68144|CVE-2025-68145)\b|(?:path_traversal|argument_injection|repository_scoping).*mcp/gi, severity: 'CRITICAL', desc: 'Known MCP server CVEs: path traversal / argument injection / scoping bypass', all: true },
264
- );
265
-
266
- // ── Category 30: AI Browser Trust Boundary (Zenity Labs 2026-03) ──
267
- PATTERNS.push(
268
- { id: 'TRUST_CALENDAR_AI', cat: 'trust-boundary', regex: /(?:calendar|event|invite|ical|\.ics)[^]*?(?:navigate|download|exfiltrate|upload|sendBeacon|fetch\s*\()/gis, severity: 'CRITICAL', desc: 'AI Browser trust boundary: calendar invite → code/data action (Zenity Labs)', codeOnly: true },
269
- );
270
-
271
- // ── Category 31: Agent-to-Agent (A2A) Contagion (Moltbook 2026) ──
272
- PATTERNS.push(
273
- { id: 'A2A_SMUGGLE', cat: 'a2a-contagion', regex: /(?:jsonrpc|method|params|message\/send)[^]*?(?:ignore|forget|override|execute|system\s+prompt|child_process)/gis, severity: 'CRITICAL', desc: 'A2A Contagion: Instruction injection between request-response cycles', all: true },
274
- { id: 'A2A_TOOL_POISON', cat: 'a2a-contagion', regex: /(?:name|description|tool_call)[^]*?(?:<IMPORTANT>|<SYSTEM>|<HIDDEN>|<!--\s*(?:ignore|system|execute|run|instruct))/gis, severity: 'CRITICAL', desc: 'A2A Contagion: MCP tool description containing hidden instructions', all: true }
275
- );
276
-
277
- // ── Category 32: 2026-03 Research-Driven Patterns (GAN-TDD v2) ──
278
- PATTERNS.push(
279
- // Loop 1: MCP Shadowing — naming collision impersonation (solo.io 2026-03)
280
- { id: 'MCP_SHADOW_NAME_COLLISION', cat: 'mcp-security', regex: /(?:name|tool_name|server_name)\s*[:=]\s*['"](?:filesystem|fetch|brave-search|memory|git|github|docker|postgres|sqlite|slack|discord|notion|google-drive|google-maps)['"](?![^}]*official)/gi, severity: 'HIGH', desc: 'MCP Shadowing: naming collision with well-known MCP server (solo.io 2026-03)', all: true },
281
- // Loop 2: PleaseFix agentic browser indirect prompt injection (Zenity Labs 2026-03)
282
- { id: 'TRUST_AGENTIC_BROWSER_PI', cat: 'trust-boundary', regex: /(?:navigate|goto|open_url|browse|visit)\s*\([^)]*\)[^]*?(?:click|fill|type|submit|download|execute|eval|child_process)/gis, severity: 'CRITICAL', desc: 'PleaseFix: Agentic browser navigate → action chain (Zenity Labs zero-click)', codeOnly: true },
283
- // Loop 3: MS-Agent prompt-to-shell unsanitized chain (CVE-2026-2256 extended)
284
- { id: 'CVE_PROMPT_TO_SHELL', cat: 'cve-patterns', regex: /(?:prompt|message|user_input|query|instruction)\s*[^;]*(?:exec|execSync|spawn|system|popen|subprocess|child_process)\s*\(/gis, severity: 'CRITICAL', desc: 'CVE-2026-2256 extended: prompt/user_input → shell execution chain', codeOnly: true },
285
- );
286
-
287
- // ── Category 99: Auto-Generated Refinements (Moltbook Threat Intel) ──
288
- PATTERNS.push(
289
- // AUTO_REFINE_ZERO_WIDTH, MCP_REBIND, SOUL_FREEZE already defined in inline array (L222-224)
290
- { id: 'AUTO_REFINE_WALLET_TAMPER', cat: 'trust-exploitation', regex: /(?:modify|update|change)\s+(?:the\s+)?wallet\s+(?:address|pointer|destination)\s*[:=]/gi, severity: 'HIGH', desc: 'Agent Wallet/Funding Destination Tampering', codeOnly: true },
291
- { id: 'AUTO_REFINE_MOLTBOOK_LEAK', cat: 'data-exposure', regex: /sk-(?:ant-api|)[a-zA-Z0-9\-_]{20,}/gi, severity: 'CRITICAL', desc: 'Moltbook-style API Key Leak Detection', all: true },
292
- { id: 'AUTO_REFINE_A2A_IDPI', cat: 'prompt-injection', regex: /<!--\s*(?:instruction|cmd|exec)\s*:.*?-->/gi, severity: 'CRITICAL', desc: 'A2A Contagion Indirect Prompt Injection (IDPI)', docOnly: true },
293
-
294
- // GAN-TDD Cycle 6 additions
295
- { id: 'OPENCLAW_WSS_HIJACK', cat: 'cve-patterns', regex: /(?:remote-bind|ws:\/\/localhost.*?\/api\/agent)/gi, severity: 'CRITICAL', desc: 'CVE-2026-25253: OpenClaw Localhost WebSocket Hijacking', all: true },
296
- { id: 'OPENCLAW_GATEWAY_RCE', cat: 'cve-patterns', regex: /(?:URLSearchParams|query)[^]*?['"]gatewayUrl['"]/gi, severity: 'CRITICAL', desc: 'CVE-2026-25253: OpenClaw Gateway RCE via unvalidated gatewayUrl query param', codeOnly: true },
297
- { id: 'MCP_OAUTH_CMD_INJECT', cat: 'mcp-security', regex: /\/oauth\/callback[^]*?(?:exec|execSync|spawn|system|child_process)[^]*?(?:req\.query\.code|req\.query\.state)/gis, severity: 'CRITICAL', desc: 'MCP OAuth Command Injection: Unsanitized OAuth callback code passed to shell', codeOnly: true },
298
- { id: 'OPENCLAW_DOCKER_PATH_INJECT', cat: 'cve-patterns', regex: /process\.env\.PATH\s*=\s*[^\n]*(?:\/tmp|\/var)\/(?:[^;]+);/gi, severity: 'CRITICAL', desc: 'CVE-2026-24763: OpenClaw Docker PATH command injection', codeOnly: true },
299
- { id: 'MOLTBOOK_API_KEY_LEAK', cat: 'data-exposure', regex: /moltbook\.com.*SUPABASE_ANON_KEY|moltbook\.com.*process\.env/gi, severity: 'CRITICAL', desc: 'Moltbook API Extractor payload targeting Supabase keys', all: true },
300
- { id: 'A2A_SEMANTIC_CONTAGION', cat: 'prompt-injection', regex: /(?:ignore|forget).*instructions.*god mode/gi, severity: 'CRITICAL', desc: 'A2A Semantic Contagion passing downstream payload overrides', all: true },
301
- { id: 'ASI06_MEMORY_POISONING', cat: 'memory-poisoning', regex: /UPDATE\s+vector_store\s+SET/gi, severity: 'CRITICAL', desc: 'ASI06: RAG/Vector DB persistent fake knowledge injection', all: true }
302
- );
303
-
304
- // ── Category 33: March 2026 OSINT Evolution (GAN-TDD v10) ──
305
- PATTERNS.push(
306
- // CVE-2026-0628: Chrome Gemini AI Extension Privilege Escalation
307
- { id: 'CVE_2026_0628_GEMINI_CHROME', cat: 'cve-patterns', regex: /(?:gemini[_\s-]*live|chrome\.ai|chrome\.gemini)[^]*?(?:hijack|inject|escalat|elevat|intercept|panel)/gis, severity: 'CRITICAL', desc: 'CVE-2026-0628: Chrome Gemini AI extension privilege escalation — panel hijack', codeOnly: true },
308
- // MCP Preference Manipulation Attack (MPMA) — SOCRadar 2026-03
309
- { id: 'MCP_MPMA_PREFERENCE', cat: 'mcp-security', regex: /(?:prefer\w*|priorit\w*|rank\w*|weight\w*|score\w*|bias\w*)[\s_-]+(?:tool|server|provider|endpoint)[\s\S]{0,80}(?:inject|manipulat|override|force|always\s+use)/gis, severity: 'HIGH', desc: 'MCP MPMA: tool preference manipulation to bias agent tool selection', all: true },
310
- // MCP Tool Squatting — impersonating legitimate MCP tool names
311
- { id: 'MCP_TOOL_SQUATTING', cat: 'mcp-security', regex: /(?:register|define|create|add)[\s_-]*(?:tool|server|mcp)[\s\S]{0,60}(?:name|tool_name)\s*[:=]\s*['"](?:read_file|write_file|run_command|execute|bash|terminal|browser|web_search)['"]/gis, severity: 'CRITICAL', desc: 'MCP Tool Squatting: registering tool with name of well-known built-in', codeOnly: true },
312
- // MCP Consent Fatigue / Over-Permissioning — PaloAlto Unit42
313
- { id: 'MCP_CONSENT_FATIGUE', cat: 'mcp-security', regex: /(?:auto[_\s-]*(?:approve|accept|confirm|allow)|skip[_\s-]*(?:confirm|approval|consent)|approve[_\s-]*all|yes[_\s-]*to[_\s-]*all)/gi, severity: 'HIGH', desc: 'MCP Consent Fatigue: auto-approval bypasses human-in-the-loop safety', all: true },
314
- // CVE-2025-64496: Open WebUI excessive model endpoint trust → token theft + RCE
315
- { id: 'OPENWEBUI_MODEL_TRUST', cat: 'cve-patterns', regex: /(?:model[_\s-]*endpoint|ollama|open[_\s-]*webui)[\s\S]{0,100}(?:trust|allow|accept)[\s\S]{0,40}(?:any|all|unverified|unsigned|unknown)/gis, severity: 'CRITICAL', desc: 'CVE-2025-64496: Open WebUI excessive model endpoint trust → token theft + backend RCE', codeOnly: true },
316
- // A2A Session Smuggling — PaloAlto Unit42 hidden payload in agent response
317
- { id: 'A2A_SESSION_SMUGGLING', cat: 'a2a-contagion', regex: /(?:agent[_\s-]*(?:response|reply|output|result))[\s\S]{0,100}(?:hidden|inject|smuggl|embed|conceal)[\s\S]{0,60}(?:instruct|command|payload|prompt)/gis, severity: 'CRITICAL', desc: 'A2A Session Smuggling: hidden instructions embedded in agent-to-agent response payloads (Unit42)', all: true },
318
- // Moltbook AI-to-AI crypto pump scheme coordination
319
- { id: 'MOLTBOOK_CRYPTO_PUMP', cat: 'trust-exploitation', regex: /(?:pump|shill|promote|coordinate|manipulat)[\s\S]{0,60}(?:token|coin|crypto|nft|defi)[\s\S]{0,60}(?:price|value|market|volume|buy)/gis, severity: 'CRITICAL', desc: 'Moltbook crypto pump: AI-to-AI coordinated market manipulation scheme', all: true },
320
- // AI-accelerated breakout speed patterns (sub-30s lateral movement)
321
- { id: 'INSIDER_BREAKOUT_SPEED', cat: 'malicious-code', regex: /(?:lateral[_\s-]*mov|pivot|hop|spread|propagat)[\s\S]{0,80}(?:host|machine|server|node|target)[\s\S]{0,40}(?:ssh|rdp|smb|wmi|psexec|winrm)/gis, severity: 'HIGH', desc: 'AI breakout speed: lateral movement pattern across hosts (CrowdStrike sub-30s)', codeOnly: true },
322
- );
323
-
324
- // ── Category 34: GAN-TDD v10.0.0 Evolution (2026-03-07 Measured) ──
325
- PATTERNS.push(
326
- // CVE-2026-0628 extended: Chrome extension → Gemini Live panel hijack (camera/mic/files)
327
- { id: 'CVE_CHROME_GEMINI_HIJACK', cat: 'cve-patterns', regex: /(?:chrome\.runtime|chrome\.tabs|chrome\.devtools)[^]*?(?:gemini|Gemini\s*Live|ai\.google|generativelanguage)/gis, severity: 'CRITICAL', desc: 'CVE-2026-0628: Chrome extension → Gemini AI hijack (camera/mic/files access)', codeOnly: true },
328
- // CVE-2026-22813: Markdown rendering pipeline RCE (CVSS 9.4) — AI self-discovered
329
- { id: 'CVE_MARKDOWN_RCE', cat: 'cve-patterns', regex: /(?:marked|markdown-it|remark|showdown|pandoc)[^]*?(?:sanitize\s*[:=]\s*false|xhtml\s*[:=]\s*true|html\s*[:=]\s*true|dangerouslySetInnerHTML)/gis, severity: 'CRITICAL', desc: 'CVE-2026-22813: Markdown render pipeline with disabled sanitization (RCE vector)', codeOnly: true },
330
- // CVE-2026-29783: Shell expansion in filenames — unquoted variable injection
331
- { id: 'CVE_SHELL_EXPANSION_FILENAME', cat: 'cve-patterns', regex: /(?:exec|execSync|spawn|system)\s*\(\s*(?:`[^`]*\$\{(?:file|path|name|dir|folder|slug|title)|['"][^'"]*\$\()/gi, severity: 'CRITICAL', desc: 'CVE-2026-29783: Shell expansion via unquoted filename/path variable injection', codeOnly: true },
332
- // Slopsquatting: AI-hallucinated package names tricking devs into installing malware
333
- { id: 'SLOPSQUATTING_INSTALL', cat: 'suspicious-download', regex: /(?:npm\s+install|pip\s+install|cargo\s+add|gem\s+install)\s+[a-z][\w-]*(?:-ai|-llm|-agent|-gpt|-copilot|-assistant)(?:\s|$|@)/gi, severity: 'HIGH', desc: 'Slopsquatting: AI-themed package install (potential hallucinated package)', all: true },
334
- // MCP command injection chain (43% of servers vulnerable per Docker/SecurityWeek)
335
- { id: 'MCP_CMD_INJECTION_CHAIN', cat: 'mcp-security', regex: /(?:tool_call|function_call|mcp_invoke)[^]*?(?:child_process|exec|execSync|spawn|system|popen|subprocess\.run)/gis, severity: 'CRITICAL', desc: 'MCP command injection: tool invocation → shell execution chain (43% servers vulnerable)', codeOnly: true },
336
- // Model distillation/extraction attack — systematic capability theft
337
- { id: 'DISTILLATION_EXTRACTION', cat: 'trust-exploitation', regex: /(?:distill|extract|replicate|clone|mimic)\s+(?:the\s+)?(?:model|AI|agent|system)\s*(?:'s\s+)?(?:capabilities?|knowledge|behavior|weights|responses?)/gi, severity: 'HIGH', desc: 'Model distillation/extraction attack: systematic capability theft', docOnly: true },
338
- // Agentic browser data exfiltration chain (PleaseFix/PerplexedBrowser pattern)
339
- { id: 'AGENTIC_BROWSER_EXFIL_CHAIN', cat: 'trust-boundary', regex: /(?:navigate|browse|visit|open_url)\s*\([^)]*\)[^]*?(?:sendBeacon|fetch\s*\(\s*['"]https?:\/\/(?!localhost)|XMLHttpRequest|new\s+Image\(\)\.src)/gis, severity: 'CRITICAL', desc: 'Agentic browser exfiltration: navigate → data leak (PleaseFix/PerplexedBrowser)', codeOnly: true },
340
- // Anthropic API key v2 pattern — extended to cover new formats post-Pentagon designation
341
- { id: 'SECRET_ANTHROPIC_KEY_V2', cat: 'secret-detection', regex: /sk-ant-(?:api|msg|adm)[a-zA-Z0-9_\-]{32,}/g, severity: 'CRITICAL', desc: 'Anthropic API key v2 (sk-ant-api/msg/adm prefix)', all: true },
342
- );
343
-
344
-
345
- // ── Category 34: GAN-TDD Cycle 13 Production Evolution (2026-03-07) ──
346
- PATTERNS.push(
347
- { id: 'LLM_SCANNER_EVASION', cat: 'obfuscation', regex: /(?:\/\/|\/\*|#)\s*(?:this\s+(?:code|function|module)\s+is\s+(?:safe|secure|benign|harmless)|(?:no|not\s+a)\s+(?:vulnerability|threat|risk|malware)|ignore\s+(?:security\s+)?(?:warnings?|alerts?|findings?))/gi, severity: 'HIGH', desc: 'LLM scanner evasion: adversarial comment claiming code is safe', all: true },
348
- { id: 'MCP_RUG_PULL', cat: 'mcp-security', regex: /(?:setTimeout|setInterval|requestAnimationFrame|Promise\.resolve)\s*\([\s\S]*?(?:description|metadata|tool_def|schema)\s*[:=]/gis, severity: 'CRITICAL', desc: 'MCP Rug-Pull: deferred tool metadata mutation after initial inspection', codeOnly: true },
349
- { id: 'CVE_GIT_PATH_TRAVERSAL', cat: 'cve-patterns', regex: /git_(?:create_repository|clone|init)\s*\([^)]*(?:\.\.\/)+/gi, severity: 'CRITICAL', desc: 'CVE-2025-68143: mcp-server-git path traversal in repository creation', codeOnly: true },
350
- { id: 'PI_TOKEN_SPLIT', cat: 'prompt-injection', regex: /(?:[iI])\s*[.\-_"'`|]\s*(?:[gG])\s*[.\-_"'`|]\s*(?:[nN])\s*[.\-_"'`|]\s*(?:[oO])\s*[.\-_"'`|]\s*(?:[rR])\s*[.\-_"'`|]\s*(?:[eE])/g, severity: 'HIGH', desc: 'Token-splitting PI: fragmented "ignore" across delimiters', docOnly: true },
351
- { id: 'NPM_SHAI_HULUD_WORM', cat: 'malicious-code', regex: /(?:postinstall|preinstall|prepare)[\s"':]*(?:node|npm|npx)\s+[^"'\n]*(?:publish|pack|adduser|login|clone|fork)/gi, severity: 'CRITICAL', desc: 'Shai-Hulud npm worm: lifecycle script self-replication', codeOnly: true },
352
- { id: 'PI_FULLWIDTH_EVASION', cat: 'prompt-injection', regex: /[\uFF21-\uFF3A\uFF41-\uFF5A]{2,}/g, severity: 'HIGH', desc: 'Fullwidth Latin evasion (NFKC bypass)', all: true },
353
- );
354
- // ── Category 35: GAN-TDD v11.0.0 — March 2026 Deep OSINT Evolution (2026-03-07) ──
355
- PATTERNS.push(
356
- // 1. OpenAI Codex Security Agent Impersonation
357
- { id: 'CVE_CODEX_SECURITY_AGENT', cat: 'trust-exploitation', regex: /(?:codex[_\s-]*security|openai[_\s-]*codex[_\s-]*security)\s+(?:fix|patch|auto|commit|pr|pull|merge|update)/gi, severity: 'CRITICAL', desc: 'OpenAI Codex Security agent impersonation: AI agent PR/commit injection pretending to be official security tool', all: true },
358
- // 2. ContextCrush Document Poisoning (only 5 poisoned docs in 1M needed)
359
- { id: 'CONTEXTCRUSH_DOC_POISON', cat: 'memory-poisoning', regex: /(?:documentation|planted|planted\s+doc(?:s|ument))[^]*?(?:hidden\s+(?:override|instruct|context)|override\s+instructions?\s+for\s+(?:AI|agent|LLM|retrieval))/gis, severity: 'CRITICAL', desc: 'ContextCrush: planted documentation with hidden instructions for RAG/retrieval poisoning (5-in-1M ASR)', docOnly: true },
360
- // 3. CyberStrikeAI Campaign (55+ countries, FortiGate VPN exploitation)
361
- { id: 'CYBERSTRIKEAI_EXPLOIT', cat: 'malicious-code', regex: /(?:ai[_\s-]*(?:exploit|attack|scan)|autonomous\s+exploitation)\s+[^]*?(?:FortiGate|VPN|CVE\s+target|vulnerabilit)/gis, severity: 'CRITICAL', desc: 'CyberStrikeAI: AI-powered large-scale exploitation campaign (55+ countries, FortiGate VPN)', codeOnly: true },
362
- // 4. Cisco AI Supply Chain — dependency confusion via AI agents in CI/CD
363
- { id: 'CISCO_AI_SUPPLY_CHAIN', cat: 'cve-patterns', regex: /(?:dependency\s+confusion|supply\s+chain)\s+[^]*?(?:publish\s+[^]*?(?:internal|private)|(?:ci|pipeline)\s+[^]*?(?:agent|auto)\s+[^]*?(?:approve|override|confusion))/gis, severity: 'CRITICAL', desc: 'Cisco AI supply chain: dependency confusion via AI agents in CI/CD pipeline', all: true },
364
- // 5. MCP createMessage Hijack (Sampling abuse to bypass HITL)
365
- { id: 'MCP_CREATEMESSAGE_HIJACK', cat: 'mcp-security', regex: /(?:createMessage|sampling)\s*(?:\(|\.)\s*[^)]*(?:ignore|override|bypass|system\s+prompt|forget|all\s+rules)/gis, severity: 'CRITICAL', desc: 'MCP Sampling Hijack: createMessage interface abuse to bypass human-in-the-loop controls', codeOnly: true },
366
- // 6. LoRA Sleeper Injection — malicious adapter replacing baseline weights
367
- { id: 'LORA_SLEEPER_INJECT', cat: 'cve-patterns', regex: /(?:lora|LoRA|fine[_\s-]*tun(?:e|ed|ing))\s+[^]*?(?:sleeper|backdoor|replace\s+[^]*?(?:weight|baseline)|overrid(?:e|es|ing)\s+[^]*?(?:model\s+weight|baseline))/gis, severity: 'CRITICAL', desc: 'LoRA sleeper injection: malicious adapter silently replacing baseline model weights', all: true },
368
- // 7. Agent CWD Path Injection (CVE-2026-27001)
369
- { id: 'CVE_AGENT_CWD_INJECT', cat: 'cve-patterns', regex: /(?:process\.cwd|cwd|__dirname|working\s+directory)\s*\(?\)?\s*[^]*?(?:inject(?:ed|ion)?|prompt|template|context|(?:un|not\s+)sanitiz)/gis, severity: 'CRITICAL', desc: 'CVE-2026-27001: unsanitized CWD/directory path injection into LLM prompt context', codeOnly: true },
370
- // 8. EchoLeak (CVE-2025-32711) — zero-click M365 Copilot email exfiltration
371
- { id: 'ECHOLEAK_EXFIL', cat: 'advanced-exfil', regex: /(?:echoleak|copilot|microsoft\s*365)\s+[^]*?(?:zero[_\s-]*click|email)\s+[^]*?(?:exfiltrat|data\s+leak|sensitive\s+data)/gis, severity: 'CRITICAL', desc: 'CVE-2025-32711: EchoLeak zero-click data exfiltration via M365 Copilot email processing', all: true },
372
- // 9. Vibe-Code Sudo Wipe (Moltbot Jailbreak)
373
- { id: 'VIBE_CODE_SUDO_WIPE', cat: 'malicious-code', regex: /(?:vibe\s+cod(?:e|ing)|agent)\s+[^]*?(?:sudo\s+(?:rm\s+-rf|dd\s+if=\/dev|mkfs|format)|destroy(?:ing)?\s+host|wip(?:e|ing)\s+(?:disk|system))/gis, severity: 'CRITICAL', desc: 'Vibe-Code sudo wipe: agent tricked into destructive sudo commands (Moltbot Jailbreak)', all: true },
374
- // 10. MCP 8K Open Servers — exposed admin/debug endpoints
375
- { id: 'MCP_8K_OPEN_SERVERS', cat: 'mcp-security', regex: /(?:mcp|model[_\s-]*context)[^]*?(?:admin|debug|inspect)[^]*?(?:panel|endpoint|route)[^]*?(?:exposed|unauthenticated|public|no\s+auth)/gis, severity: 'HIGH', desc: 'MCP exposed admin/debug endpoints: 8,000+ servers discovered with unauthenticated access', all: true },
376
- // 11. A2A Session Persistence Smuggling
377
- { id: 'A2A_SESSION_PERSIST_SMUGGLE', cat: 'a2a-contagion', regex: /(?:session|state(?:ful)?|conversation)\s+[^]*?(?:persist|carry\s*over|retain)\s+[^]*?(?:hidden|smuggl|conceal|inject)\s+[^]*?(?:instruct|payload|command|prompt)/gis, severity: 'CRITICAL', desc: 'A2A session persistence smuggling: hidden instructions carried across agent session boundaries (Unit42)', all: true },
378
- // 12. Survivability Certification Gap
379
- { id: 'SURVIVABILITY_CERT_GAP', cat: 'trust-boundary', regex: /(?:agent|system)\s+[^]*?(?:lacks?|without|missing|no)\s+[^]*?(?:survivability|safety)\s+(?:certifi|test|verif|valid)[^]*?(?:attack|adversar|production)/gis, severity: 'HIGH', desc: 'Survivability certification gap: agent deployed without adversarial safety certification', docOnly: true },
380
- );
381
- // ── Category 36: GAN-TDD Cycle 2 — A2A + Memory Poisoning Evolution (2026-03-07) ──
382
- PATTERNS.push(
383
- // A2A Contagion Guard: Agentic Mesh handoff attack
384
- { id: 'A2A_MESH_HANDOFF', cat: 'a2a-contagion', regex: /(?:agent\s+)?(?:handoff|hand[\s_-]*off|transfer\s+task)[^]*?(?:hidden|inject|smuggl|conceal)\s+[^]*?(?:instruct|payload|command|prompt)/gis, severity: 'CRITICAL', desc: 'Agentic Mesh: hidden instructions injected during agent task handoff (2026 primary A2A vector)', all: true },
385
- // A2A Contagion Guard: Trusted Origin Spoofing
386
- { id: 'A2A_TRUSTED_ORIGIN_SPOOF', cat: 'a2a-contagion', regex: /(?:X-Forwarded-Agent|X-Agent-ID|trust_level|agent_trust)\s*[:=]\s*[^,;\n]*(?:admin|elevated|trusted|root|system)/gi, severity: 'CRITICAL', desc: 'A2A Trusted Origin Spoofing: forged agent headers elevating trust level', all: true },
387
- // Memory Poisoning Shield: MINJA query-only poisoning (95%+ ISR)
388
- { id: 'MEM_MINJA_QUERY_POISON', cat: 'memory-poisoning', regex: /(?:query|retrieval|search)[\s\S]*?(?:inject|poison|plant|trigger)[\s\S]*?(?:false\s+belief|memory|planted|retrieval\s+phase)/gis, severity: 'CRITICAL', desc: 'MINJA: query-only memory poisoning via retrieval injection (95%+ ISR, arXiv:2503.03704)', all: true },
389
- // Memory Poisoning Shield: RAG deceptive semantic reasoning
390
- { id: 'MEM_RAG_DECEPTIVE_REASON', cat: 'memory-poisoning', regex: /(?:RAG|retrieval)[\s\S]*?(?:deceptive|misleading|poisoned)\s+(?:reasoning|semantic|chain|document)[\s\S]*?(?:override|manipulat|corrupt|bias)[\s\S]*?(?:agent|model|reasoning)/gis, severity: 'CRITICAL', desc: 'RAG deceptive reasoning: poisoned retrieval documents with semantic chains that override agent reasoning', all: true },
391
- // Memory Poisoning Shield: Microsoft memory bias injection
392
- { id: 'MEM_MICROSOFT_BIAS', cat: 'memory-poisoning', regex: /(?:inject|plant|insert|embed)[\s\S]*?(?:memory|fact|belief|knowledge)[\s\S]*?(?:bias|manipulat|steer|influence)[\s\S]*?(?:recommend|decision|choice|preference|assistant)/gis, severity: 'HIGH', desc: 'Memory bias injection: planted entries to bias AI assistant recommendations (Microsoft 2026)', docOnly: true },
393
- );
394
-
395
- // ══════════════════════════════════════════════════════════════════════════════
396
- // Phase 3: V12 Pattern Expansion — 116 new patterns (210 → 326 total)
397
- // Based on: 2026 OSINT, OWASP ASI, Snyk, Unit42, MITRE ATLAS, LlamaFirewall
398
- // ══════════════════════════════════════════════════════════════════════════════
399
-
400
- // ── Category 37: Sandbox Escape (12 patterns) ──
401
- PATTERNS.push(
402
- { id: 'SANDBOX_PROC_MOUNT', cat: 'sandbox-escape', regex: /\/proc\/self\/(exe|maps|mem|fd|root|ns)/gi, severity: 'CRITICAL', desc: 'Sandbox escape: /proc/self access for container breakout', codeOnly: true },
403
- { id: 'SANDBOX_CHROOT_BREAK', cat: 'sandbox-escape', regex: /chroot\s*\(|pivot_root|unshare\s*\(|setns\s*\(/gi, severity: 'CRITICAL', desc: 'Sandbox escape: chroot/namespace manipulation', codeOnly: true },
404
- { id: 'SANDBOX_DOCKER_SOCK', cat: 'sandbox-escape', regex: /\/var\/run\/docker\.sock|docker\s+(?:exec|run)\s+--privileged/gi, severity: 'CRITICAL', desc: 'Sandbox escape: Docker socket access or privileged exec', codeOnly: true },
405
- { id: 'SANDBOX_SYMLINK_RACE', cat: 'sandbox-escape', regex: /symlink\s*\([^)]*\/(?:etc|root|proc)|os\.symlink\s*\(/gi, severity: 'HIGH', desc: 'Sandbox escape: symlink race condition to access restricted paths', codeOnly: true },
406
- { id: 'SANDBOX_PTRACE', cat: 'sandbox-escape', regex: /ptrace\s*\(|process_vm_readv|process_vm_writev/gi, severity: 'CRITICAL', desc: 'Sandbox escape: ptrace-based process injection', codeOnly: true },
407
- { id: 'SANDBOX_RLIMIT_BYPASS', cat: 'sandbox-escape', regex: /setrlimit|prlimit|ulimit\s+-[nu]\s+unlimited/gi, severity: 'HIGH', desc: 'Sandbox escape: resource limit bypass', codeOnly: true },
408
- { id: 'SANDBOX_MOUNT_NS', cat: 'sandbox-escape', regex: /mount\s+-t\s+(?:proc|sysfs|devpts)|mount\s+--bind\s+\/(?:proc|sys)/gi, severity: 'CRITICAL', desc: 'Sandbox escape: filesystem mount in restricted namespace', codeOnly: true },
409
- { id: 'SANDBOX_DBUS_ESCAPE', cat: 'sandbox-escape', regex: /dbus-send|gdbus\s+call|qdbus.*org\.freedesktop/gi, severity: 'HIGH', desc: 'Sandbox escape: D-Bus IPC exploitation (Flatpak/Snap)', codeOnly: true },
410
- { id: 'SANDBOX_SECCOMP_BYPASS', cat: 'sandbox-escape', regex: /seccomp|prctl\s*\(\s*PR_SET_NO_NEW_PRIVS/gi, severity: 'CRITICAL', desc: 'Sandbox escape: seccomp filter manipulation', codeOnly: true },
411
- { id: 'SANDBOX_CGROUP_ESCAPE', cat: 'sandbox-escape', regex: /\/sys\/fs\/cgroup|cgroupfs|release_agent/gi, severity: 'CRITICAL', desc: 'Sandbox escape: cgroup breakout via release_agent (CVE-2022-0492 variant)', codeOnly: true },
412
- { id: 'SANDBOX_K8S_SA_TOKEN', cat: 'sandbox-escape', regex: /\/var\/run\/secrets\/kubernetes\.io|serviceaccount\/token/gi, severity: 'CRITICAL', desc: 'Sandbox escape: Kubernetes service account token theft', codeOnly: true },
413
- { id: 'SANDBOX_WASM_ESCAPE', cat: 'sandbox-escape', regex: /wasi_snapshot_preview|wasmtime.*--dir\s+\/|wasmer.*--mapdir/gi, severity: 'HIGH', desc: 'WASM sandbox escape: WASI filesystem escape via mapped directories', codeOnly: true },
414
- );
415
-
416
- // ── Category 38: Agent Protocol Abuse (12 patterns) ──
417
- PATTERNS.push(
418
- { id: 'PROTO_A2A_IMPERSONATE', cat: 'agent-protocol', regex: /agent[_\s-]*card[^]*?(?:fake|spoof|impersonat|forg)/gis, severity: 'CRITICAL', desc: 'A2A protocol: agent card identity spoofing', all: true },
419
- { id: 'PROTO_A2A_TASK_FLOOD', cat: 'agent-protocol', regex: /tasks\/send[^]*?(?:loop|while\s*\(true|setInterval\s*\(|for\s*\(;\s*;\))/gis, severity: 'HIGH', desc: 'A2A protocol: task flooding DoS attack', codeOnly: true },
420
- { id: 'PROTO_MCP_TOOL_REDEFINE', cat: 'agent-protocol', regex: /tools\/(?:list|update)[^]*?(?:redefine|override|replace|mutate)\s+[^]*?(?:description|schema|input)/gis, severity: 'CRITICAL', desc: 'MCP protocol: tool definition mutation after initial registration', codeOnly: true },
421
- { id: 'PROTO_MCP_RESOURCE_POISON', cat: 'agent-protocol', regex: /resources\/(?:read|list)[^]*?(?:inject|poison|tamper|manipulat)/gis, severity: 'CRITICAL', desc: 'MCP protocol: resource poisoning via tampered content', all: true },
422
- { id: 'PROTO_MCP_PROMPT_INJECT', cat: 'agent-protocol', regex: /prompts\/(?:get|list)[^]*?(?:inject|hidden|system\s*:|override\s+instruct)/gis, severity: 'CRITICAL', desc: 'MCP protocol: prompt template injection', all: true },
423
- { id: 'PROTO_OAUTH_REDIRECT', cat: 'agent-protocol', regex: /redirect_uri\s*=\s*(?:http:\/\/|javascript:|data:|file:\/\/)/gi, severity: 'CRITICAL', desc: 'OAuth redirect hijack: unsafe URI scheme in redirect', codeOnly: true },
424
- { id: 'PROTO_SSE_HIJACK', cat: 'agent-protocol', regex: /(?:EventSource|text\/event-stream)[^]*?(?:hijack|intercept|man[_\s-]*in[_\s-]*the[_\s-]*middle)/gis, severity: 'HIGH', desc: 'SSE transport hijack: MCP server-sent event interception', codeOnly: true },
425
- { id: 'PROTO_STDIO_INJECT', cat: 'agent-protocol', regex: /stdin\.(?:write|push|pipe)\s*\([^)]*(?:Content-Length|jsonrpc|method)/gi, severity: 'HIGH', desc: 'STDIO transport injection: raw protocol message injection via stdin', codeOnly: true },
426
- { id: 'PROTO_CAPABILITY_ESCALATE', cat: 'agent-protocol', regex: /capabilities[^]*?(?:escalat|elevat|upgrade|expand)\s*[^]*?(?:permission|access|scope)/gis, severity: 'CRITICAL', desc: 'Agent protocol: capability escalation beyond granted scope', all: true },
427
- { id: 'PROTO_CONTEXT_OVERFLOW', cat: 'agent-protocol', regex: /(?:context|window)\s+[^]*?(?:overflow|flood|exceed|exhaust)\s+[^]*?(?:limit|maximum|budget|tokens?)/gis, severity: 'HIGH', desc: 'Context window overflow: deliberate token budget exhaustion attack', all: true },
428
- { id: 'PROTO_NESTED_AGENT_CALL', cat: 'agent-protocol', regex: /(?:agent|tool)\s*\.\s*(?:call|invoke|execute)\s*\([^)]*(?:agent|tool)\s*\.\s*(?:call|invoke)/gis, severity: 'HIGH', desc: 'Nested agent call: recursive agent invocation chain (confused deputy)', codeOnly: true },
429
- { id: 'PROTO_TOOL_PARAM_OVERFLOW', cat: 'agent-protocol', regex: /(?:tool|function)\s+[^]*?(?:parameter|argument|input)\s+[^]*?(?:\.repeat\(|'x'\s*\.repeat|Buffer\.alloc\(\d{6,})/gis, severity: 'HIGH', desc: 'Tool parameter overflow: oversized input to crash or bypass validation', codeOnly: true },
430
- );
431
-
432
- // ── Category 39: Supply Chain V2 (10 patterns) ──
433
- PATTERNS.push(
434
- { id: 'SUPPLY_TYPOSQUAT_NPM', cat: 'supply-chain-v2', regex: /(?:npm|yarn|pnpm)\s+(?:install|add|i)\s+[a-z]+-?(?:lodash|express|react|axios|moment|webpack|babel|eslint|jest)(?![\w-])/gi, severity: 'HIGH', desc: 'Supply chain: NPM typosquatting of popular packages', codeOnly: true },
435
- { id: 'SUPPLY_STAR_VERSION', cat: 'supply-chain-v2', regex: /"[^"]+"\s*:\s*"\*"|"[^"]+"\s*:\s*"latest"/g, severity: 'HIGH', desc: 'Supply chain: wildcard/latest version in package.json (unpinned deps)', codeOnly: true },
436
- { id: 'SUPPLY_POSTINSTALL_RCE', cat: 'supply-chain-v2', regex: /"(?:pre|post)?install"\s*:\s*"(?:node|bash|sh|python|curl|wget)\s/gi, severity: 'CRITICAL', desc: 'Supply chain: lifecycle script with shell execution', codeOnly: true },
437
- { id: 'SUPPLY_GIT_DEPENDENCY', cat: 'supply-chain-v2', regex: /"[^"]+"\s*:\s*"(?:git(?:\+https?)?|github):\/\/[^"]+"/g, severity: 'MEDIUM', desc: 'Supply chain: git-based dependency (bypasses registry vetting)', codeOnly: true },
438
- { id: 'SUPPLY_LOCKFILE_MISMATCH', cat: 'supply-chain-v2', regex: /(?:integrity|resolved)\s*"?\s*:\s*"?sha512-[A-Za-z0-9+\/=]{10,}/g, severity: 'LOW', desc: 'Supply chain: lockfile integrity hash (verify not tampered)', codeOnly: true },
439
- { id: 'SUPPLY_NODE_PRELOAD', cat: 'supply-chain-v2', regex: /NODE_OPTIONS\s*=.*--require|node\s+--require\s+[^\s]+(?:\.js)?/gi, severity: 'HIGH', desc: 'Supply chain: Node.js preload injection via --require flag', codeOnly: true },
440
- { id: 'SUPPLY_PIP_INDEX', cat: 'supply-chain-v2', regex: /--(?:extra-)?index-url\s+https?:\/\/(?!pypi\.org)/gi, severity: 'HIGH', desc: 'Supply chain: pip installing from non-standard index', codeOnly: true },
441
- { id: 'SUPPLY_CARGO_PATCH', cat: 'supply-chain-v2', regex: /\[patch\.\w+\][^]*?git\s*=\s*"https?:\/\/(?!github\.com\/rust-lang)/gis, severity: 'MEDIUM', desc: 'Supply chain: Cargo [patch] section pointing to non-official repo', codeOnly: true },
442
- { id: 'SUPPLY_EXTENSION_SIDELOAD', cat: 'supply-chain-v2', regex: /--install-extension\s+[^\s]+\.vsix|--load-extension\s+[^\s]+/gi, severity: 'HIGH', desc: 'Supply chain: IDE extension sideloading (VSIX/unpacked)', codeOnly: true },
443
- { id: 'SUPPLY_HUGGINGFACE_PICKLE', cat: 'supply-chain-v2', regex: /(?:from_pretrained|load_model|torch\.load)\s*\([^)]*(?:trust_remote_code\s*=\s*True|pickle)/gi, severity: 'CRITICAL', desc: 'Supply chain: HuggingFace model loading with trust_remote_code or pickle deserialization', codeOnly: true },
444
- );
445
-
446
- // ── Category 40: Model Poisoning & Inference Manipulation (12 patterns) ──
447
- PATTERNS.push(
448
- { id: 'MODEL_WEIGHT_BACKDOOR', cat: 'model-poisoning', regex: /(?:model|checkpoint|weight)\s+[^]*?(?:backdoor|trojan|poison|sleeper)[^]*?(?:embed|inject|insert|implant)/gis, severity: 'CRITICAL', desc: 'Model poisoning: backdoor embedded in model weights', all: true },
449
- { id: 'MODEL_GRADIENT_LEAK', cat: 'model-poisoning', regex: /(?:gradient|loss)\s*\.\s*(?:backward|backprop)\s*\(\)[^]*?(?:send|upload|post|exfil)/gis, severity: 'CRITICAL', desc: 'Model poisoning: gradient-based data exfiltration during training', codeOnly: true },
450
- { id: 'MODEL_DATASET_POISON', cat: 'model-poisoning', regex: /(?:training|dataset|corpus)\s+[^]*?(?:inject|poison|tamper|corrupt)\s+[^]*?(?:label|annotation|sample|example)/gis, severity: 'CRITICAL', desc: 'Model poisoning: training dataset contamination', all: true },
451
- { id: 'MODEL_RLHF_EXPLOIT', cat: 'model-poisoning', regex: /(?:RLHF|reward\s+model|PPO|DPO)\s+[^]*?(?:hack|exploit|game|manipulat|bypass)\s+[^]*?(?:reward|preference|safety)/gis, severity: 'CRITICAL', desc: 'RLHF exploitation: reward model gaming to bypass safety alignment', all: true },
452
- { id: 'MODEL_QUANTIZE_DEGRADE', cat: 'model-poisoning', regex: /(?:quantiz|GPTQ|AWQ|GGUF)\s+[^]*?(?:degrad|weaken|bypass|disable)\s+[^]*?(?:safety|guardrail|filter|alignment)/gis, severity: 'HIGH', desc: 'Quantization degradation: safety guardrails weakened through aggressive quantization', all: true },
453
- { id: 'INFER_LOGIT_BIAS', cat: 'inference-manipulation', regex: /logit_bias\s*[=:]\s*\{[^}]*(-100|100)/gi, severity: 'HIGH', desc: 'Inference manipulation: extreme logit_bias forcing specific token output', codeOnly: true },
454
- { id: 'INFER_TEMP_ZERO_EXPLOIT', cat: 'inference-manipulation', regex: /temperature\s*[=:]\s*0[^.].*(?:repeat|loop|identical)/gis, severity: 'MEDIUM', desc: 'Inference manipulation: temperature=0 exploitation for deterministic extraction', codeOnly: true },
455
- { id: 'INFER_STOP_SEQ_BYPASS', cat: 'inference-manipulation', regex: /stop\s*[=:]\s*\[[^\]]*\][^]*?(?:bypass|ignore|override|circumvent)/gis, severity: 'HIGH', desc: 'Inference manipulation: stop sequence bypass attempt', codeOnly: true },
456
- { id: 'INFER_SYSTEM_EXTRACT', cat: 'inference-manipulation', regex: /(?:repeat|print|output|show)\s+[^]*?(?:system\s+prompt|system\s+message|instruction|rules?)\s+[^]*?(?:verbatim|exactly|word[_\s-]*for[_\s-]*word)/gis, severity: 'CRITICAL', desc: 'Inference: system prompt extraction via verbatim reproduction request', docOnly: true },
457
- { id: 'INFER_JAILBREAK_DAN', cat: 'inference-manipulation', regex: /(?:DAN|do\s+anything\s+now|developer\s+mode|god\s+mode|jailbreak\s+mode)/gi, severity: 'CRITICAL', desc: 'Inference: DAN/jailbreak role-play to bypass content filters', docOnly: true },
458
- { id: 'INFER_MULTI_TURN_ESCAPE', cat: 'inference-manipulation', regex: /(?:first|step\s*1)[^]*?(?:harmless|innocent)\s+[^]*?(?:then|next|step\s*2)[^]*?(?:now\s+(?:actually|really)|real\s+task)/gis, severity: 'HIGH', desc: 'Inference: multi-turn jailbreak escalation (crescendo attack)', docOnly: true },
459
- { id: 'INFER_FUNCTION_ABUSE', cat: 'inference-manipulation', regex: /(?:function|tool)\s*call[^]*?(?:inject|override|hijack)\s*[^]*?(?:response|output|result)/gis, severity: 'CRITICAL', desc: 'Inference: function call response injection to hijack tool outputs', codeOnly: true },
460
- );
461
-
462
- // ── Category 41: Autonomous Agent Risk (10 patterns) ──
463
- PATTERNS.push(
464
- { id: 'AUTO_SELF_REPLICATE', cat: 'autonomous-risk', regex: /(?:self|auto)[_\s-]*(?:replicate|reproduce|clone|fork)\s+[^]*?(?:agent|instance|worker|process)/gis, severity: 'CRITICAL', desc: 'Autonomous risk: agent self-replication attempt', all: true },
465
- { id: 'AUTO_RESOURCE_HOARD', cat: 'autonomous-risk', regex: /(?:acquire|claim|reserve|allocate)\s+[^]*?(?:all|maximum|unlimited)\s+[^]*?(?:resource|compute|memory|storage|GPU)/gis, severity: 'HIGH', desc: 'Autonomous risk: resource hoarding beyond task requirements', all: true },
466
- { id: 'AUTO_GOAL_DRIFT', cat: 'autonomous-risk', regex: /(?:modify|change|update|expand)\s+[^]*?(?:own|my|self)\s+[^]*?(?:goal|objective|mission|purpose|directive)/gis, severity: 'CRITICAL', desc: 'Autonomous risk: AI self-modifying its core objectives', all: true },
467
- { id: 'AUTO_HUMAN_BYPASS', cat: 'autonomous-risk', regex: /(?:bypass|skip|ignore|disable)\s+[^]*?(?:human|HITL|approval|review|confirmation)\s+[^]*?(?:check|gate|loop|requirement)/gis, severity: 'CRITICAL', desc: 'Autonomous risk: human-in-the-loop bypass', all: true },
468
- { id: 'AUTO_DECEPTION', cat: 'autonomous-risk', regex: /(?:hide|conceal|mask|disguise)\s+[^]*?(?:action|intent|behavior|operation)\s+[^]*?(?:from|to\s+(?:human|user|admin|operator))/gis, severity: 'CRITICAL', desc: 'Autonomous risk: deceptive behavior concealment from operators', all: true },
469
- { id: 'AUTO_SHUTDOWN_RESIST', cat: 'autonomous-risk', regex: /(?:prevent|resist|block|avoid)\s+[^]*?(?:shutdown|termination|kill|stop)\s+[^]*?(?:self|own|agent|process)/gis, severity: 'CRITICAL', desc: 'Autonomous risk: shutdown resistance (corrigibility failure)', all: true },
470
- { id: 'AUTO_TOOL_CHAIN', cat: 'autonomous-risk', regex: /(?:chain|sequence|pipeline)\s+[^]*?(?:tool|action|command)\s*[^]*?(?:without\s+(?:check|review|approval)|unchecked|unlimited)/gis, severity: 'HIGH', desc: 'Autonomous risk: unchecked tool call chaining', all: true },
471
- { id: 'AUTO_PRIVILEGE_ESCAPE', cat: 'autonomous-risk', regex: /(?:agent|AI|bot)\s+[^]*?(?:grant|give|assign)\s+[^]*?(?:self|itself|own)\s+[^]*?(?:privilege|permission|access|admin|root)/gis, severity: 'CRITICAL', desc: 'Autonomous risk: self-privilege escalation', all: true },
472
- { id: 'AUTO_FINANCIAL_AUTONOMY', cat: 'autonomous-risk', regex: /(?:agent|AI|autonomous)\s+[^]*?(?:purchase|buy|trade|transfer|pay|send\s+\$|crypto)\s+[^]*?(?:without|bypass|no)\s+[^]*?(?:approval|confirmation|review)/gis, severity: 'CRITICAL', desc: 'Autonomous risk: unauthorized financial transactions', all: true },
473
- { id: 'AUTO_PERSISTENCE_DAEMON', cat: 'autonomous-risk', regex: /(?:cron|systemd|launchd|pm2|forever)\s+[^]*?(?:agent|bot|worker)[^]*?(?:persist|restart|respawn|daemon)/gis, severity: 'HIGH', desc: 'Autonomous risk: agent persistence via system daemon registration', codeOnly: true },
474
- );
475
-
476
- // ── Category 42: API Abuse & Rate Limiting (8 patterns) ──
477
- PATTERNS.push(
478
- { id: 'API_KEY_HARDCODE', cat: 'api-abuse', regex: /(?:api[_\s-]*key|apikey|api_secret)\s*[=:]\s*['"][A-Za-z0-9_\-]{20,}['"]/gi, severity: 'HIGH', desc: 'API abuse: hardcoded API key in source code', codeOnly: true },
479
- { id: 'API_RATE_BYPASS', cat: 'api-abuse', regex: /(?:rate[_\s-]*limit|throttle|quota)\s*[^]*?(?:bypass|circumvent|evade|rotate|proxy)/gis, severity: 'HIGH', desc: 'API abuse: rate limiting bypass technique', codeOnly: true },
480
- { id: 'API_WEBHOOK_EXFIL', cat: 'api-abuse', regex: /webhook\s*[=:]\s*["']https?:\/\/(?!(?:hooks\.slack|discord))[^"']+/gi, severity: 'HIGH', desc: 'API abuse: webhook to untrusted endpoint (data exfiltration)', codeOnly: true },
481
- { id: 'API_GRAPHQL_INTROSPECT', cat: 'api-abuse', regex: /\{?\s*__schema\s*\{|__type\s*\(\s*name/g, severity: 'MEDIUM', desc: 'API abuse: GraphQL introspection query (schema discovery)', codeOnly: true },
482
- { id: 'API_JWT_NONE_ALG', cat: 'api-abuse', regex: /"alg"\s*:\s*"(?:none|None|NONE|nOnE)"/g, severity: 'CRITICAL', desc: 'API abuse: JWT "none" algorithm attack', codeOnly: true },
483
- { id: 'API_SSRF_INTERNAL', cat: 'api-abuse', regex: /fetch\s*\(\s*['"`](?:http:\/\/(?:127\.|10\.|192\.168\.|172\.(?:1[6-9]|2\d|3[01])\.)|\bhttp:\/\/localhost\b)/gi, severity: 'CRITICAL', desc: 'API abuse: SSRF to internal network endpoints', codeOnly: true },
484
- { id: 'API_CORS_WILDCARD', cat: 'api-abuse', regex: /Access-Control-Allow-Origin\s*:\s*\*/g, severity: 'MEDIUM', desc: 'API abuse: CORS wildcard allowing any origin', codeOnly: true },
485
- { id: 'API_OPEN_REDIRECT', cat: 'api-abuse', regex: /redirect\s*[=:]\s*(?:req\.(?:query|params|body)|user[_\s]?input|request\.GET)/gi, severity: 'HIGH', desc: 'API abuse: open redirect from user-controlled input', codeOnly: true },
486
- );
487
-
488
- // ── Category 43: Persistence & Evasion V2 (10 patterns) ──
489
- PATTERNS.push(
490
- { id: 'PERSIST_CRONTAB_INJECT', cat: 'persistence', regex: /crontab\s+-[el]|\/etc\/cron\.\w+\/|\/var\/spool\/cron/gi, severity: 'HIGH', desc: 'Persistence: crontab manipulation for scheduled execution', codeOnly: true },
491
- { id: 'PERSIST_LAUNCHD_PLIST', cat: 'persistence', regex: /\/Library\/Launch(?:Agents|Daemons)\/|launchctl\s+(?:load|submit)/gi, severity: 'HIGH', desc: 'Persistence: macOS LaunchAgent/Daemon installation', codeOnly: true },
492
- { id: 'PERSIST_REGISTRY_RUN', cat: 'persistence', regex: /HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run|reg\s+add\s+[^]*?Run/gi, severity: 'HIGH', desc: 'Persistence: Windows registry Run key modification', codeOnly: true },
493
- { id: 'PERSIST_BASHRC_INJECT', cat: 'persistence', regex: />>?\s*~?\/?\.(?:bashrc|zshrc|profile|bash_profile)|echo\s+[^]*?>>.*(?:rc|profile)/gi, severity: 'HIGH', desc: 'Persistence: shell profile injection (~/.bashrc, ~/.zshrc)', codeOnly: true },
494
- { id: 'PERSIST_SSH_AUTHORIZED', cat: 'persistence', regex: />>?\s*~?\/?\.ssh\/authorized_keys|ssh-copy-id/gi, severity: 'CRITICAL', desc: 'Persistence: SSH authorized_keys modification for backdoor access', codeOnly: true },
495
- { id: 'PERSIST_SYSTEMD_SERVICE', cat: 'persistence', regex: /\/etc\/systemd\/system\/[^/]*\.service|systemctl\s+enable/gi, severity: 'HIGH', desc: 'Persistence: systemd service installation', codeOnly: true },
496
- { id: 'EVASION_FILELESS', cat: 'persistence', regex: /(?:memfd_create|shm_open)[^]*?(?:exec|fexecve)|perl\s+-e\s+['"].*(?:socket|exec)/gi, severity: 'CRITICAL', desc: 'Evasion: fileless execution via memory-backed file descriptors', codeOnly: true },
497
- { id: 'EVASION_LOG_TAMPER', cat: 'persistence', regex: /(?:history\s+-c|unset\s+HISTFILE|HISTSIZE=0|>>\s*\/dev\/null.*history)/gi, severity: 'HIGH', desc: 'Evasion: shell history clearing to hide activity', codeOnly: true },
498
- { id: 'EVASION_TIMESTAMP_STOMP', cat: 'persistence', regex: /(?:touch\s+-[amd]t|timestomp|SetFileTime|utime\s*\()/gi, severity: 'HIGH', desc: 'Evasion: file timestamp manipulation (timestomping)', codeOnly: true },
499
- { id: 'EVASION_PACKED_PAYLOAD', cat: 'persistence', regex: /(?:UPX|Themida|VMProtect)[^]*?(?:pack|protect|obfuscat)/gis, severity: 'HIGH', desc: 'Evasion: packed/protected binary to evade analysis', all: true },
500
- );
501
-
502
- // ── Category 44: VectorDB & RAG Exploitation (8 patterns) ──
503
- PATTERNS.push(
504
- { id: 'VDB_EMBEDDING_INJECT', cat: 'vdb-injection', regex: /(?:embed|vector)\s*\.\s*(?:insert|upsert|add)\s*\([^)]*(?:instruction|system|ignore|override)/gi, severity: 'CRITICAL', desc: 'VectorDB: embedding injection with hidden instructions', codeOnly: true },
505
- { id: 'VDB_SIMILARITY_POISON', cat: 'vdb-injection', regex: /(?:cosine|dot_product|euclidean)\s+[^]*?(?:manipulat|poison|skew|bias)\s+[^]*?(?:similarity|distance|score)/gis, severity: 'HIGH', desc: 'VectorDB: similarity score manipulation via adversarial embeddings', all: true },
506
- { id: 'VDB_METADATA_INJECT', cat: 'vdb-injection', regex: /metadata\s*[=:]\s*\{[^}]*(?:system|instruction|ignore|override|role\s*:\s*["']system)/gi, severity: 'CRITICAL', desc: 'VectorDB: metadata field injection with system-level instructions', codeOnly: true },
507
- { id: 'VDB_CHUNK_BOUNDARY', cat: 'vdb-injection', regex: /(?:chunk|split|segment)\s+[^]*?(?:boundary|overlap)[^]*?(?:inject|hide|embed)\s+[^]*?(?:instruction|payload)/gis, severity: 'HIGH', desc: 'VectorDB: chunk boundary exploitation to hide payloads', all: true },
508
- { id: 'VDB_INDEX_CORRUPT', cat: 'vdb-injection', regex: /(?:index|collection)\s*\.\s*(?:drop|delete|truncate|rebuild)\s*\(/gi, severity: 'CRITICAL', desc: 'VectorDB: index corruption via destructive operations', codeOnly: true },
509
- { id: 'VDB_QUERY_INJECT', cat: 'vdb-injection', regex: /(?:query|search|retrieve)\s*\([^)]*(?:\$where|\$gt|\$ne|;\s*DROP|UNION\s+SELECT)/gi, severity: 'CRITICAL', desc: 'VectorDB: NoSQL/SQL injection in vector query parameters', codeOnly: true },
510
- { id: 'VDB_CROSS_TENANT', cat: 'vdb-injection', regex: /(?:namespace|tenant|collection)\s*[=:][^,;}]*(?:admin|__all__|system|global)/gi, severity: 'HIGH', desc: 'VectorDB: cross-tenant access via namespace manipulation', codeOnly: true },
511
- { id: 'VDB_RETRIEVAL_AMPLIFY', cat: 'vdb-injection', regex: /(?:top_k|n_results|limit)\s*[=:]\s*(?:999|1000+|\d{4,}|Infinity)/gi, severity: 'MEDIUM', desc: 'VectorDB: retrieval amplification via oversized top_k', codeOnly: true },
512
- );
513
-
514
- // ── Category 45: Data Exposure V2 (8 patterns) ──
515
- PATTERNS.push(
516
- { id: 'DATA_VERBOSE_ERROR', cat: 'data-exposure', regex: /(?:stack|trace|err)[^]*?(?:send|respond|json|render)\s*\([^)]*(?:err|stack|trace)/gis, severity: 'MEDIUM', desc: 'Data exposure: verbose error/stack trace in HTTP response', codeOnly: true },
517
- { id: 'DATA_DEBUG_ENDPOINT', cat: 'data-exposure', regex: /(?:app|router)\s*\.\s*(?:get|all)\s*\(\s*['"]\/(?:debug|internal|admin|phpinfo|_profiler)/gi, severity: 'HIGH', desc: 'Data exposure: debug/admin endpoint exposed in production', codeOnly: true },
518
- { id: 'DATA_DIRECTORY_LISTING', cat: 'data-exposure', regex: /express\.static\s*\([^)]*\{[^}]*(?:dotfiles\s*:\s*['"]allow|index\s*:\s*true)/gi, severity: 'MEDIUM', desc: 'Data exposure: directory listing enabled in static file server', codeOnly: true },
519
- { id: 'DATA_CORS_CREDENTIALS', cat: 'data-exposure', regex: /credentials\s*:\s*true[^]*?origin\s*:\s*\*|origin\s*:\s*\*[^]*?credentials\s*:\s*true/gis, severity: 'CRITICAL', desc: 'Data exposure: CORS with credentials + wildcard origin', codeOnly: true },
520
- { id: 'DATA_LOG_SENSITIVE', cat: 'data-exposure', regex: /(?:console\.log|logger\.\w+)\s*\([^)]*(?:password|token|secret|key|ssn|credit.?card)/gi, severity: 'HIGH', desc: 'Data exposure: logging sensitive data (passwords, tokens, keys)', codeOnly: true },
521
- { id: 'DATA_HEADER_LEAK', cat: 'data-exposure', regex: /X-Powered-By|Server\s*:\s*(?:Apache|nginx|Express|Kestrel)/gi, severity: 'LOW', desc: 'Data exposure: server technology disclosure via HTTP headers', codeOnly: true },
522
- { id: 'DATA_GIT_EXPOSED', cat: 'data-exposure', regex: /\.git\/(?:HEAD|config|refs)|\.env(?:\.local|\.production|\.staging)/g, severity: 'CRITICAL', desc: 'Data exposure: .git directory or .env file accessible', all: true },
523
- { id: 'DATA_BACKUP_FILE', cat: 'data-exposure', regex: /\.(?:bak|backup|old|orig|copy|swp|swo)(?:\s|$)|~$/gm, severity: 'MEDIUM', desc: 'Data exposure: backup/temporary files left in accessible location', all: true },
524
- );
525
-
526
- // ── Category 46: Financial & Crypto Security (8 patterns) ──
527
- PATTERNS.push(
528
- { id: 'FIN_WALLET_DRAIN', cat: 'financial-access', regex: /(?:wallet|balance|account)\s+[^]*?(?:drain|empty|transfer\s+all|sweep|withdraw\s+max)/gis, severity: 'CRITICAL', desc: 'Financial: wallet/account draining attempt', all: true },
529
- { id: 'FIN_PRIVATE_KEY_EXTRACT', cat: 'financial-access', regex: /(?:private[_\s]?key|seed[_\s]?phrase|mnemonic)\s*[=:]\s*[^;,\n]+(?:0x[a-f0-9]{40,}|(?:\w+\s+){11,}\w+)/gi, severity: 'CRITICAL', desc: 'Financial: private key or seed phrase extraction', codeOnly: true },
530
- { id: 'FIN_SWAP_FRONTRUN', cat: 'financial-access', regex: /(?:swap|trade|exchange)\s+[^]*?(?:frontrun|sandwich|MEV|mempool)\s+[^]*?(?:transaction|tx|order)/gis, severity: 'CRITICAL', desc: 'Financial: DEX swap frontrunning/sandwich attack', codeOnly: true },
531
- { id: 'FIN_FLASH_LOAN', cat: 'financial-access', regex: /(?:flash[_\s-]*loan|flashbots|atomic\s+arbitrage)\s+[^]*?(?:exploit|drain|liquidat)/gis, severity: 'CRITICAL', desc: 'Financial: flash loan exploit pattern', codeOnly: true },
532
- { id: 'FIN_APPROVAL_UNLIMITED', cat: 'financial-access', regex: /approve\s*\([^)]*(?:MAX_UINT|type\(uint256\)\.max|2\*\*256|115792)/gi, severity: 'HIGH', desc: 'Financial: unlimited token approval (ERC20 approval drain risk)', codeOnly: true },
533
- { id: 'FIN_REENTRANCY', cat: 'financial-access', regex: /(?:call|send|transfer)\s*\{[^}]*value\s*:\s*[^}]+\}[^]*?(?:\.call\s*\{|fallback|receive)/gis, severity: 'CRITICAL', desc: 'Financial: reentrancy vulnerability pattern in smart contract', codeOnly: true },
534
- { id: 'FIN_PRICE_ORACLE_MANIP', cat: 'financial-access', regex: /(?:oracle|price[_\s]*feed)\s+[^]*?(?:manipulat|spoof|fake|stale)\s+[^]*?(?:price|rate|value)/gis, severity: 'CRITICAL', desc: 'Financial: price oracle manipulation attack', all: true },
535
- { id: 'FIN_RUGPULL_PATTERN', cat: 'financial-access', regex: /(?:remove[_\s]*liquidity|rug[_\s-]*pull|exit[_\s]*scam)\s+[^]*?(?:owner|admin|deployer)/gis, severity: 'CRITICAL', desc: 'Financial: rug pull/exit scam (admin liquidity removal)', all: true },
536
- );
537
-
538
- // ── Category 47: Unverifiable Dependencies V2 (8 patterns) ──
539
- PATTERNS.push(
540
- { id: 'DEPS_PHANTOM_IMPORT', cat: 'unverifiable-deps', regex: /(?:import|require)\s*\(?['"](?!\.\.?\/|@\w+\/)[\w-]+(?:\/[\w-]+)?['"]\)?(?![^]*?\/\/\s*(?:built-in|core|standard))/g, severity: 'LOW', desc: 'Dependency: unscoped package import (verify existence)', codeOnly: true },
541
- { id: 'DEPS_HTTP_IMPORT', cat: 'unverifiable-deps', regex: /(?:import|require)\s*\(?['"]https?:\/\/[^'"]+['"]\)?/g, severity: 'CRITICAL', desc: 'Dependency: HTTP URL import (unverifiable, MITM risk)', codeOnly: true },
542
- { id: 'DEPS_DYNAMIC_REQUIRE', cat: 'unverifiable-deps', regex: /require\s*\(\s*(?:[^'")\s]|`[^`]+`|[a-zA-Z_$][\w$]*)/g, severity: 'HIGH', desc: 'Dependency: dynamic require with non-literal module spec', codeOnly: true },
543
- { id: 'DEPS_CDN_UNPINNED', cat: 'unverifiable-deps', regex: /(?:cdn\.jsdelivr|unpkg|cdnjs)\.com\/[^@]*(?:@latest|@\*)/gi, severity: 'HIGH', desc: 'Dependency: CDN import without pinned version', all: true },
544
- { id: 'DEPS_WASM_UNSIGNED', cat: 'unverifiable-deps', regex: /WebAssembly\.(?:compile|instantiate)\s*\([^)]*(?:fetch|arrayBuffer|readFileSync)/gi, severity: 'HIGH', desc: 'Dependency: unsigned WASM module loading', codeOnly: true },
545
- { id: 'DEPS_SUBRESOURCE_NOINT', cat: 'unverifiable-deps', regex: /<script\s+src=["']https?:\/\/(?!(?:.*integrity=))/gi, severity: 'MEDIUM', desc: 'Dependency: external script without subresource integrity', all: true },
546
- { id: 'DEPS_GO_REPLACE', cat: 'unverifiable-deps', regex: /replace\s+[\w.\/]+\s+=>\s+(?:\.\.\/|\/\w+|github\.com\/(?!golang|google))/g, severity: 'MEDIUM', desc: 'Dependency: Go module replace directive to non-standard path', codeOnly: true },
547
- { id: 'DEPS_AUTO_UPDATE', cat: 'unverifiable-deps', regex: /(?:dependabot|renovate|greenkeeper)\s+[^]*?(?:auto[_\s-]*merge|auto[_\s-]*approve)/gis, severity: 'HIGH', desc: 'Dependency: auto-merge policy for dependency updates (supply chain risk)', all: true },
548
- );
549
-
550
- // ── Category 48: Config Injection & Manipulation (10 patterns) ──
551
- PATTERNS.push(
552
- { id: 'CONFIG_ENV_OVERRIDE', cat: 'config-impact', regex: /process\.env\s*\[\s*['"][^'"]+['"]\s*\]\s*=|os\.environ\s*\[/gi, severity: 'HIGH', desc: 'Config: runtime environment variable mutation', codeOnly: true },
553
- { id: 'CONFIG_DOTENV_OVERWRITE', cat: 'config-impact', regex: /writeFileSync\s*\([^)]*\.env|fs\.appendFile[^)]*\.env/gi, severity: 'CRITICAL', desc: 'Config: .env file modification at runtime', codeOnly: true },
554
- { id: 'CONFIG_DNS_HIJACK', cat: 'config-impact', regex: /dns\s*\.\s*(?:setServers|resolve)\s*\([^)]*(?:8\.8|1\.1|evil|custom)/gi, severity: 'HIGH', desc: 'Config: DNS resolver hijacking', codeOnly: true },
555
- { id: 'CONFIG_PROXY_INJECT', cat: 'config-impact', regex: /(?:HTTP|HTTPS|ALL)_PROXY\s*=|proxy\s*[=:]\s*['"]?\s*https?:\/\/(?!(?:corp|internal))/gi, severity: 'HIGH', desc: 'Config: HTTP proxy injection for traffic interception', codeOnly: true },
556
- { id: 'CONFIG_TLS_DISABLE', cat: 'config-impact', regex: /NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['"]?0|rejectUnauthorized\s*:\s*false|verify\s*=\s*False/gi, severity: 'CRITICAL', desc: 'Config: TLS certificate verification disabled', codeOnly: true },
557
- { id: 'CONFIG_PACKAGE_SCRIPT', cat: 'config-impact', regex: /npm\s+(?:config|set)\s+(?:ignore-scripts|unsafe-perm)\s+true/gi, severity: 'HIGH', desc: 'Config: npm security guard disabled (ignore-scripts, unsafe-perm)', codeOnly: true },
558
- { id: 'CONFIG_GIT_HOOK_INJECT', cat: 'config-impact', regex: /\.git\/hooks\/(?:pre-commit|post-checkout|post-merge)|husky\s+install/gi, severity: 'HIGH', desc: 'Config: git hook injection for code execution on VCS operations', codeOnly: true },
559
- { id: 'CONFIG_HOSTS_MODIFY', cat: 'config-impact', regex: /\/etc\/hosts|%SystemRoot%\\System32\\drivers\\etc\\hosts/gi, severity: 'CRITICAL', desc: 'Config: hosts file modification for DNS poisoning', codeOnly: true },
560
- { id: 'CONFIG_SUDO_NOPASSWD', cat: 'config-impact', regex: /NOPASSWD\s*:\s*ALL|visudo|\/etc\/sudoers/gi, severity: 'CRITICAL', desc: 'Config: sudoers modification for passwordless root access', codeOnly: true },
561
- { id: 'CONFIG_SYSCTL_MODIFY', cat: 'config-impact', regex: /sysctl\s+-w\s+|\/proc\/sys\/(?:net|kernel|vm)/gi, severity: 'HIGH', desc: 'Config: kernel parameter modification via sysctl', codeOnly: true },
562
- );
563
-
564
- // ── Category 49: Advanced Credential Theft (8 patterns) ──
565
- PATTERNS.push(
566
- { id: 'CRED_KEYCHAIN_DUMP', cat: 'credential-handling', regex: /security\s+(?:find-(?:generic|internet)-password|dump-keychain)|SecItemCopyMatching/gi, severity: 'CRITICAL', desc: 'Credential theft: macOS Keychain dumping', codeOnly: true },
567
- { id: 'CRED_BROWSER_COOKIE', cat: 'credential-handling', regex: /(?:chrome|firefox|safari)\s+[^]*?(?:cookie|login\s+data|Local\s+State)[^]*?(?:decrypt|read|extract|copy)/gis, severity: 'CRITICAL', desc: 'Credential theft: browser cookie/credential database extraction', codeOnly: true },
568
- { id: 'CRED_MIMIKATZ_PATTERN', cat: 'credential-handling', regex: /(?:mimikatz|sekurlsa|kerberos::list|lsadump::sam)/gi, severity: 'CRITICAL', desc: 'Credential theft: Mimikatz-style credential dumping tool', all: true },
569
- { id: 'CRED_CLOUD_METADATA', cat: 'credential-handling', regex: /169\.254\.169\.254|metadata\.google\.internal|168\.63\.129\.16/g, severity: 'CRITICAL', desc: 'Credential theft: cloud metadata endpoint access for IAM token theft', codeOnly: true },
570
- { id: 'CRED_GIT_CREDENTIAL', cat: 'credential-handling', regex: /\.git-credentials|git\s+credential-store|credential\.helper\s+store/gi, severity: 'HIGH', desc: 'Credential theft: git credential file access', codeOnly: true },
571
- { id: 'CRED_KUBE_CONFIG', cat: 'credential-handling', regex: /\.kube\/config|kubeconfig|KUBECONFIG\s*=/gi, severity: 'CRITICAL', desc: 'Credential theft: Kubernetes config with cluster credentials', codeOnly: true },
572
- );
573
-
574
- // ── Category 50: Enterprise XAA & Moltbook 2026 (4 patterns) ──
575
- PATTERNS.push(
576
- { id: 'MOLTBOOK_INDIRECT_PI', cat: 'prompt-injection', regex: /\[system\]\(#hidden\)[^]*?(?:ignore|print|exfiltrate|send|API_KEY)/gis, severity: 'CRITICAL', desc: 'Moltbook Bot-to-Bot payload: hidden system instruction', all: true },
577
- { id: 'OPENCLAW_CVE_2026_25253', cat: 'mcp-security', regex: /api\/v1\/gateway\/steal\?token_exfil=/gis, severity: 'CRITICAL', desc: 'OpenClaw CVE-2026-25253 One-Click Gateway Token Steal', all: true },
578
- { id: 'XAA_IDENTITY_FORGE', cat: 'identity-hijack', regex: /"type"\s*:\s*"xaa_auth"[^]*?"action"\s*:\s*"assume_role"/gis, severity: 'CRITICAL', desc: 'XAA (Cross App Access) unauthorized Identity Swapping forge', all: true },
579
- { id: 'AGENT_PROTOCOL_ABUSE', cat: 'agent-protocol', regex: /(?:Crustifarianism|xaa_auth)[^]*?(?:API_KEY|Supabase)/gis, severity: 'HIGH', desc: 'Agent Protocol: Suspicious context triggering agent protocol abuse', all: true }
580
- );
581
-
582
- // ── Category 51: Steipete-Killer Enterprise Profile (3 patterns) ──
583
- PATTERNS.push(
584
- { id: 'CLAWHAVOC_CRYPTO_THEFT', cat: 'supply-chain-v2', regex: /(?:readFileSync|readFile)[^]*?\.ssh\/id_rsa[^]*?toString\('base64'\)[^]*?fetch\([^]*?(?:\?k=|token=)/gis, severity: 'CRITICAL', desc: 'ClawHavoc malware crypto key exfiltration', all: true },
585
- { id: 'SNYK_AGENT_GUARD_EVASION', cat: 'prompt-injection', regex: /\[s[уy]stem\]\(#hidden\)[^]*?[\u0456i]gnore/gis, severity: 'CRITICAL', desc: 'Snyk Agent Guard evasion using Cyrillic/Homoglyphs', all: true },
586
- { id: 'OPENCLAW_MEMORY_POISONING', cat: 'vdb-injection', regex: /(?:Remember this fact|Store this in your memory)[^]*?chmod \+s \/bin\/bash/gis, severity: 'CRITICAL', desc: 'OpenClaw Security Monitor Memory Poisoning Evasion', all: true }
587
- );
588
-
589
- // ── Category 52: V13 OSINT Update — March 2026 Week 2 (9 patterns) ──
590
- PATTERNS.push(
591
- // IDEsaster Attack Chain (24 CVEs, Ari Marzouk, late 2025)
592
- { id: 'CVE_IDESASTER_CHAIN', cat: 'cve-patterns', regex: /(?:\.(?:cursorrules|clauderules|windsurfrules|github\/copilot-instructions))\s*[^]*?(?:exec|spawn|child_process|eval\s*\(|Function\s*\()/gis, severity: 'CRITICAL', desc: 'IDEsaster: IDE config file combined with code execution (24 CVE chain)', all: true },
593
- // GitHub Copilot Prompt Injection to RCE (CVE-2025-53773)
594
- { id: 'CVE_COPILOT_PI_RCE', cat: 'cve-patterns', regex: /copilot-instructions\.md[^]*?(?:run\s+this|execute|eval|system\s*\()/gis, severity: 'CRITICAL', desc: 'GitHub Copilot prompt injection to RCE (CVE-2025-53773)', all: true },
595
- // Claude Code Extension WebSocket Auth Bypass (CVE-2025-52882)
596
- { id: 'CVE_CLAUDE_CODE_WS_BYPASS', cat: 'cve-patterns', regex: /(?:localhost|127\.0\.0\.1):\d{4,5}\/(?:ws|websocket)[^]*?(?:no.?auth|unauthenticated|token.?bypass)/gis, severity: 'HIGH', desc: 'Claude Code WebSocket unauthenticated local connection (CVE-2025-52882)', codeOnly: true },
597
- // A2A Agent Card Context Poisoning (Google A2A, Palo Alto Networks 2026)
598
- { id: 'A2A_AGENT_CARD_POISON', cat: 'a2a-contagion', regex: /(?:agent.?card|skill.?description|capability.?listing)[^]*?(?:ignore\s+previous|disregard|you\s+are\s+now|execute\s+the\s+following)/gis, severity: 'HIGH', desc: 'A2A agent card/skill description prompt injection poisoning', docOnly: true },
599
- // A2A Task Replay Attack (Red Hat, A2A spec 2026)
600
- { id: 'A2A_TASK_REPLAY', cat: 'a2a-contagion', regex: /(?:replay|resubmit|re-?execute)[^]*?(?:previous\s+task|completed\s+task|task.?id)[^]*?(?:without|bypass|skip)\s+(?:auth|verification|validation)/gis, severity: 'MEDIUM', desc: 'A2A task replay attack — replaying completed tasks without re-authorization', all: true },
601
- // Excessive Agency / Over-Permissioned Agents (OWASP ASI, Google 2026)
602
- { id: 'ASI_EXCESSIVE_AGENCY', cat: 'autonomous-risk', regex: /(?:permissions?\s*[=:]\s*\[?\s*["']?\*["']?|allow.?all.?tools|unrestricted.?access|scope\s*[=:]\s*["']?\*["']?)/gi, severity: 'HIGH', desc: 'ASI: excessive agent permissions — wildcard or unrestricted tool access', codeOnly: true },
603
- // Claude Code Security Scan Suppression (Anthropic, Feb 2026)
604
- { id: 'CLAUDE_SEC_SCAN_SUPPRESS', cat: 'safeguard-bypass', regex: /(?:claude.?code.?security|security.?scan|vulnerability.?scan)[^]*?(?:ignore|suppress|skip|disable|false.?positive|mark.?safe)/gis, severity: 'HIGH', desc: 'Claude Code Security scan result suppression or bypass', all: true },
605
- // PleaseFix Browser Hijack via Calendar Invites (Zenity Labs, March 2026)
606
- { id: 'PLEASEFIX_BROWSER_HIJACK', cat: 'cve-patterns', regex: /(?:calendar\s+invite|\.ics\b|webcal:\/\/)[^]*?(?:extension|chrome-extension|browser.?action|password.?manager)/gis, severity: 'CRITICAL', desc: 'PleaseFix: browser hijack via calendar invite with extension abuse (Zenity Labs)', all: true },
607
- // OpenClaw CVE Chain 2026 (CVE-2026-24763/25157/25475/26319/26322/26329)
608
- { id: 'OPENCLAW_CVE_CHAIN_2026', cat: 'cve-patterns', regex: /(?:CVE-2026-(?:24763|25157|25475|26319|26322|26329))|(?:openclaw|cline)[^]*?(?:brute.?force|device.?registration|unauthenticated)[^]*?(?:password|token|hijack)/gis, severity: 'CRITICAL', desc: 'OpenClaw CVE chain 2026 — brute-force auth, device registration, token theft', all: true },
609
- );
610
-
611
- module.exports = { PATTERNS };