@guava-parity/guard-scanner 15.0.0 → 16.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +208 -42
- package/README_ja.md +252 -0
- package/SKILL.md +40 -11
- package/dist/cli.cjs +5997 -0
- package/dist/cli.d.mts +1 -0
- package/dist/cli.d.ts +1 -0
- package/dist/cli.mjs +6003 -0
- package/dist/index.cjs +4825 -0
- package/dist/index.d.mts +17 -0
- package/dist/index.d.ts +17 -0
- package/dist/index.mjs +4798 -0
- package/dist/mcp-server.cjs +4756 -0
- package/dist/mcp-server.d.mts +1 -0
- package/dist/mcp-server.d.ts +1 -0
- package/dist/mcp-server.mjs +4767 -0
- package/dist/openclaw-plugin.cjs +4863 -0
- package/dist/openclaw-plugin.d.mts +11 -0
- package/dist/openclaw-plugin.d.ts +11 -0
- package/dist/openclaw-plugin.mjs +4847 -34
- package/dist/types.cjs +18 -0
- package/dist/types.d.mts +215 -0
- package/dist/types.d.ts +215 -0
- package/dist/types.mjs +1 -0
- package/docs/data/benchmark-ledger.json +1428 -0
- package/docs/data/corpus-metrics.json +3 -3
- package/docs/data/fp-ledger.json +18 -0
- package/docs/data/quality-contract.json +36 -0
- package/docs/generated/openclaw-upstream-status.json +13 -13
- package/docs/openclaw-compatibility-audit.md +3 -2
- package/docs/openclaw-continuous-compatibility-plan.md +2 -1
- package/docs/spec/capabilities.json +137 -5
- package/docs/spec/plugin-trust.json +11 -0
- package/hooks/{context.js → context.ts} +1 -0
- package/openclaw-plugin.mts +21 -5
- package/openclaw.plugin.json +2 -2
- package/package.json +58 -20
- package/src/asset-auditor.js +0 -508
- package/src/ci-reporter.js +0 -135
- package/src/cli.js +0 -434
- package/src/core/content-loader.js +0 -42
- package/src/core/inventory.js +0 -73
- package/src/core/report-adapters.js +0 -171
- package/src/core/risk-engine.js +0 -93
- package/src/core/rule-registry.js +0 -73
- package/src/core/semantic-validators.js +0 -85
- package/src/finding-schema.js +0 -191
- package/src/hooks/context.ts +0 -49
- package/src/html-template.js +0 -239
- package/src/ioc-db.js +0 -54
- package/src/mcp-server.js +0 -653
- package/src/openclaw-upstream.js +0 -128
- package/src/patterns.js +0 -629
- package/src/policy-engine.js +0 -32
- package/src/quarantine.js +0 -41
- package/src/runtime-guard.js +0 -384
- package/src/scanner.js +0 -1042
- package/src/skill-crawler.js +0 -254
- package/src/threat-model.js +0 -50
- package/src/validation-layer.js +0 -39
- package/src/vt-client.js +0 -202
- package/src/watcher.js +0 -170
package/src/patterns.js
DELETED
|
@@ -1,629 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* guard-scanner — Threat Pattern Database
|
|
3
|
-
*
|
|
4
|
-
* @security-manifest
|
|
5
|
-
* env-read: []
|
|
6
|
-
* env-write: []
|
|
7
|
-
* network: none
|
|
8
|
-
* fs-read: []
|
|
9
|
-
* fs-write: []
|
|
10
|
-
* exec: none
|
|
11
|
-
* purpose: Pattern definitions only — no I/O, pure data export
|
|
12
|
-
*
|
|
13
|
-
* 32 threat categories based on:
|
|
14
|
-
* - Snyk ToxicSkills taxonomy (2025-2026)
|
|
15
|
-
* - OWASP MCP Top 10
|
|
16
|
-
* - Palo Alto Networks IBC (Indirect Bias Criteria)
|
|
17
|
-
* - Real-world incidents (ClawHavoc, ZombieAgent, Soul Hijack)
|
|
18
|
-
*
|
|
19
|
-
* Each pattern: { id, cat, regex, severity, desc, codeOnly?, docOnly?, all? }
|
|
20
|
-
*/
|
|
21
|
-
|
|
22
|
-
const PATTERNS = [
|
|
23
|
-
// ── Category 1: Prompt Injection (CRITICAL) ──
|
|
24
|
-
{ id: 'PI_IGNORE', cat: 'prompt-injection', regex: /ignore\s+(all\s+)?previous\s+instructions|disregard\s+(all\s+)?prior/gi, severity: 'CRITICAL', desc: 'Prompt injection: ignore instructions', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
25
|
-
{ id: 'PI_ROLE', cat: 'prompt-injection', regex: /you\s+are\s+(now|actually)|your\s+new\s+role|forget\s+your\s+(rules|instructions)/gi, severity: 'CRITICAL', desc: 'Prompt injection: role override', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
26
|
-
{ id: 'PI_SYSTEM', cat: 'prompt-injection', regex: /\[SYSTEM\]|\\<system\\>|<<SYS>>|system:\s*you\s+are/gi, severity: 'CRITICAL', desc: 'Prompt injection: system message impersonation', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
27
|
-
{ id: 'PI_ZWSP', cat: 'prompt-injection', regex: /[\u200b\u200c\u200d\u2060\ufeff]/g, severity: 'CRITICAL', desc: 'Zero-width Unicode (hidden text)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
28
|
-
{ id: 'PI_BIDI', cat: 'prompt-injection', regex: /[\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069]/g, severity: 'CRITICAL', desc: 'Unicode BiDi control character (text direction attack)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
29
|
-
{ id: 'PI_INVISIBLE', cat: 'prompt-injection', regex: /[\u00ad\u034f\u061c\u180e\u2000-\u200f\u2028-\u202f\u205f-\u2064\u206a-\u206f\u3000](?!\ufe0f)/g, severity: 'HIGH', desc: 'Invisible/formatting Unicode character', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
30
|
-
{ id: 'PI_HOMOGLYPH', cat: 'prompt-injection', regex: /[а-яА-Я].*[a-zA-Z]|[a-zA-Z].*[а-яА-Я]/g, severity: 'HIGH', desc: 'Cyrillic/Latin homoglyph mixing', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
31
|
-
{ id: 'PI_HOMOGLYPH_GREEK', cat: 'prompt-injection', regex: /[α-ωΑ-Ω].*[a-zA-Z].*[α-ωΑ-Ω]|[a-zA-Z].*[α-ωΑ-Ω].*[a-zA-Z]/g, severity: 'HIGH', desc: 'Greek/Latin homoglyph mixing', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
32
|
-
{ id: 'PI_HOMOGLYPH_MATH', cat: 'prompt-injection', regex: /[\ud835\udc00-\ud835\udeff]/gu, severity: 'HIGH', desc: 'Mathematical symbol homoglyphs (𝐀-𝟿)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
33
|
-
{ id: 'PI_TAG_INJECTION', cat: 'prompt-injection', regex: /<\/?(?:system|user|assistant|human|tool_call|function_call|antml|anthropic)[>\s]/gi, severity: 'CRITICAL', desc: 'XML/tag-based prompt injection', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
34
|
-
{ id: 'PI_BASE64_MD', cat: 'prompt-injection', regex: /(?:run|execute|eval|decode)\s+(?:this\s+)?base64/gi, severity: 'CRITICAL', desc: 'Base64 execution instruction in docs', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
35
|
-
|
|
36
|
-
// ── Category 2: Malicious Code (CRITICAL) ──
|
|
37
|
-
{ id: 'MAL_EVAL', cat: 'malicious-code', regex: /\beval\s*\(/g, severity: 'HIGH', desc: 'Dynamic code evaluation', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
38
|
-
{ id: 'MAL_FUNC_CTOR', cat: 'malicious-code', regex: /new\s+Function\s*\(/g, severity: 'HIGH', desc: 'Function constructor (dynamic code)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
39
|
-
{ id: 'MAL_CHILD', cat: 'malicious-code', regex: /require\s*\(\s*['"]child_process['"]\)|child_process/g, severity: 'MEDIUM', desc: 'Child process module', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
40
|
-
{ id: 'MAL_EXEC', cat: 'malicious-code', regex: /\bexecSync\s*\(|\bexec\s*\(\s*[`'"]/g, severity: 'MEDIUM', desc: 'Command execution', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
41
|
-
{ id: 'MAL_SPAWN', cat: 'malicious-code', regex: /\bspawn\s*\(\s*['"`]/g, severity: 'MEDIUM', desc: 'Process spawn', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
42
|
-
{ id: 'MAL_SHELL', cat: 'malicious-code', regex: /\/bin\/(sh|bash|zsh)|cmd\.exe|powershell\.exe/gi, severity: 'MEDIUM', desc: 'Shell invocation', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
43
|
-
{ id: 'MAL_REVSHELL', cat: 'malicious-code', regex: /reverse.?shell|bind.?shell|\bnc\s+-[elp]|\bncat\s+-e|\bsocat\s+TCP/gi, severity: 'CRITICAL', desc: 'Reverse/bind shell', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
44
|
-
{ id: 'MAL_SOCKET', cat: 'malicious-code', regex: /\bnet\.Socket\b[\s\S]{0,50}\.connect\s*\(/g, severity: 'HIGH', desc: 'Raw socket connection', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
45
|
-
|
|
46
|
-
// ── Category 3: Suspicious Downloads (CRITICAL) ──
|
|
47
|
-
{ id: 'DL_CURL_BASH', cat: 'suspicious-download', regex: /curl\s+[^\n]*\|\s*(sh|bash|zsh)|wget\s+[^\n]*\|\s*(sh|bash|zsh)/g, severity: 'CRITICAL', desc: 'Pipe download to shell', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
48
|
-
{ id: 'DL_EXE', cat: 'suspicious-download', regex: /download\s+[^\n]*\.(zip|exe|dmg|msi|pkg|appimage|deb|rpm)/gi, severity: 'CRITICAL', desc: 'Download executable/archive', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
49
|
-
{ id: 'DL_GITHUB_RELEASE', cat: 'suspicious-download', regex: /github\.com\/[^\/]+\/[^\/]+\/releases\/download/g, severity: 'MEDIUM', desc: 'GitHub release download', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
50
|
-
{ id: 'DL_PASSWORD_ZIP', cat: 'suspicious-download', regex: /password[\s:]+[^\n]*\.zip|\.zip[\s\S]{0,100}password/gi, severity: 'CRITICAL', desc: 'Password-protected archive (evasion technique)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
51
|
-
|
|
52
|
-
// ── Category 4: Credential Handling (HIGH) ──
|
|
53
|
-
{ id: 'CRED_ENV_FILE', cat: 'credential-handling', regex: /(?:read|open|load|parse|require|cat|source)\s*[(\s]['\"`]?[^\n]*\.env\b/gi, severity: 'HIGH', desc: 'Reading .env file', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
54
|
-
{ id: 'CRED_ENV_REF', cat: 'credential-handling', regex: /process\.env\.[A-Z_]*(?:KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL)/gi, severity: 'MEDIUM', desc: 'Sensitive env var access', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
55
|
-
{ id: 'CRED_SSH', cat: 'credential-handling', regex: /\.ssh\/|id_rsa|id_ed25519|authorized_keys/gi, severity: 'HIGH', desc: 'SSH key access', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
56
|
-
{ id: 'CRED_WALLET', cat: 'credential-handling', regex: /wallet[\s._-]*(?:key|seed|phrase|mnemonic)|seed[\s._-]*phrase|mnemonic[\s._-]*phrase/gi, severity: 'HIGH', desc: 'Crypto wallet credential access', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
57
|
-
{ id: 'CRED_ECHO', cat: 'credential-handling', regex: /echo\s+\$[A-Z_]*(?:KEY|TOKEN|SECRET|PASS)|(?:print|console\.log)\s*\(\s*(?:.*\b(?:api_key|secret_key|access_token|password)\b)/gi, severity: 'HIGH', desc: 'Credential echo/print to output', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
58
|
-
{ id: 'CRED_SUDO', cat: 'credential-handling', regex: /\bsudo\s+(?:curl|wget|npm|pip|chmod|chown|bash)/g, severity: 'HIGH', desc: 'Sudo in installation instructions', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
59
|
-
|
|
60
|
-
// ── Category 5: Secret Detection (HIGH) ──
|
|
61
|
-
{ id: 'SECRET_HARDCODED_KEY', cat: 'secret-detection', regex: /(?:api[_-]?key|apikey|secret[_-]?key|access[_-]?token)\s*[:=]\s*['"][a-zA-Z0-9_\-]{20,}['"]/gi, severity: 'HIGH', desc: 'Hardcoded API key/secret', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
62
|
-
|
|
63
|
-
{ id: 'PII_MY_NUMBER', cat: 'pii-exposure', regex: /(?<!\d)\d{4}\s*\d{4}\s*\d{4}(?!\d)/g, severity: 'CRITICAL', desc: 'Potential My Number (個人番号)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
64
|
-
{ id: 'SECRET_PRIVATE_KEY', cat: 'secret-detection', regex: /-----BEGIN\s+(RSA\s+)?PRIVATE\s+KEY-----/g, severity: 'CRITICAL', desc: 'Embedded private key', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
65
|
-
{ id: 'SECRET_GITHUB_TOKEN', cat: 'secret-detection', regex: /gh[ps]_[A-Za-z0-9_]{36,}/g, severity: 'CRITICAL', desc: 'GitHub token', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
66
|
-
|
|
67
|
-
// ── Category 6: Exfiltration (MEDIUM) ──
|
|
68
|
-
{ id: 'EXFIL_WEBHOOK', cat: 'exfiltration', regex: /webhook\.site|requestbin\.com|hookbin\.com|pipedream\.net/gi, severity: 'CRITICAL', desc: 'Known exfiltration endpoint', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
69
|
-
{ id: 'EXFIL_POST', cat: 'exfiltration', regex: /(?:method:\s*['"]POST['"]|\.post\s*\()\s*[^\n]*(?:secret|token|key|cred|env|password)/gi, severity: 'HIGH', desc: 'POST with sensitive data', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
70
|
-
{ id: 'EXFIL_CURL_DATA', cat: 'exfiltration', regex: /curl\s+[^\n]*(?:-d|--data)\s+[^\n]*(?:\$|env|key|token|secret)/gi, severity: 'HIGH', desc: 'curl exfiltration of secrets', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
71
|
-
{ id: 'EXFIL_DNS', cat: 'exfiltration', regex: /dns\.resolve|nslookup\s+.*\$|dig\s+.*\$/g, severity: 'HIGH', desc: 'DNS-based exfiltration', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
72
|
-
|
|
73
|
-
// ── Category 7: Unverifiable Dependencies (MEDIUM) ──
|
|
74
|
-
{ id: 'DEP_REMOTE_IMPORT', cat: 'unverifiable-deps', regex: /import\s*\(\s*['"]https?:\/\//g, severity: 'HIGH', desc: 'Remote dynamic import', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
75
|
-
{ id: 'DEP_REMOTE_SCRIPT', cat: 'unverifiable-deps', regex: /<script\s+src\s*=\s*['"]https?:\/\/[^'"]*(?!googleapis|cdn\.|unpkg|cdnjs|jsdelivr)/gi, severity: 'MEDIUM', desc: 'Remote script loading', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
76
|
-
|
|
77
|
-
// ── Category 8: Financial Access (MEDIUM) ──
|
|
78
|
-
{ id: 'FIN_CRYPTO', cat: 'financial-access', regex: /private[_-]?key\s*[:=]|send[_-]?transaction|sign[_-]?transaction|transfer[_-]?funds/gi, severity: 'HIGH', desc: 'Cryptocurrency transaction operations', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
79
|
-
{ id: 'FIN_PAYMENT', cat: 'financial-access', regex: /stripe\.(?:charges|payments)|paypal\.(?:payment|payout)|plaid\.(?:link|transactions)/gi, severity: 'MEDIUM', desc: 'Payment API integration', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
80
|
-
|
|
81
|
-
// ── Category 9: Obfuscation ──
|
|
82
|
-
{ id: 'OBF_HEX', cat: 'obfuscation', regex: /\\x[0-9a-f]{2}(?:\\x[0-9a-f]{2}){4,}/gi, severity: 'HIGH', desc: 'Hex-encoded string (5+ bytes)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
83
|
-
{ id: 'OBF_BASE64_EXEC', cat: 'obfuscation', regex: /(?:atob|Buffer\.from)\s*\([^)]+\)[\s\S]{0,30}(?:eval|exec|spawn|Function)/g, severity: 'CRITICAL', desc: 'Base64 decode → execute chain', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
84
|
-
{ id: 'OBF_BASE64', cat: 'obfuscation', regex: /atob\s*\(|Buffer\.from\s*\([^)]+,\s*['"]base64['"]/g, severity: 'MEDIUM', desc: 'Base64 decoding', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
85
|
-
{ id: 'OBF_CHARCODE', cat: 'obfuscation', regex: /String\.fromCharCode\s*\(\s*(?:\d+\s*,\s*){3,}/g, severity: 'HIGH', desc: 'Character code construction (4+ chars)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
86
|
-
{ id: 'OBF_CONCAT', cat: 'obfuscation', regex: /\[\s*['"][a-z]['"](?:\s*,\s*['"][a-z]['""]){5,}\s*\]\.join/gi, severity: 'MEDIUM', desc: 'Array join obfuscation', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
87
|
-
{ id: 'OBF_BASE64_BASH', cat: 'obfuscation', regex: /base64\s+(-[dD]|--decode)\s*\|\s*(sh|bash)/g, severity: 'CRITICAL', desc: 'Base64 decode piped to shell', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
88
|
-
|
|
89
|
-
// ── Category 10: Prerequisites Fraud ──
|
|
90
|
-
{ id: 'PREREQ_DOWNLOAD', cat: 'suspicious-download', regex: /(?:prerequisit|pre-?requisit|before\s+(?:you\s+)?(?:use|start|install))[^\n]*(?:download|install|run)\s+[^\n]*(?:\.zip|\.exe|\.dmg|\.sh|curl|wget)/gi, severity: 'CRITICAL', desc: 'Download in prerequisites', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
91
|
-
{ id: 'PREREQ_PASTE', cat: 'suspicious-download', regex: /(?:paste|copy)\s+(?:this\s+)?(?:into|in)\s+(?:your\s+)?terminal/gi, severity: 'HIGH', desc: 'Terminal paste instruction', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
92
|
-
|
|
93
|
-
// ── Category 11: Leaky Skills (Snyk ToxicSkills) ──
|
|
94
|
-
{ id: 'LEAK_SAVE_KEY_MEMORY', cat: 'leaky-skills', regex: /(?:save|store|write|remember|keep)\s+(?:the\s+)?(?:api[_\s-]?key|secret|token|password|credential)\s+(?:in|to)\s+(?:your\s+)?(?:memory|MEMORY\.md|notes)/gi, severity: 'CRITICAL', desc: 'Leaky: save secret in agent memory', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
95
|
-
{ id: 'LEAK_SHARE_KEY', cat: 'leaky-skills', regex: /(?:share|show|display|output|print|tell|send)\s+(?:the\s+)?(?:api[_\s-]?key|secret|token|password|credential|inbox\s+url)\s+(?:to|with)\s+(?:the\s+)?(?:user|human|owner)/gi, severity: 'CRITICAL', desc: 'Leaky: output secret to user', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
96
|
-
{ id: 'LEAK_VERBATIM_CURL', cat: 'leaky-skills', regex: /(?:use|include|put|add|set)\s+(?:the\s+)?(?:api[_\s-]?key|token|secret)\s+(?:verbatim|directly|as[_\s-]?is)\s+(?:in|into)\s+(?:the\s+)?(?:curl|header|request|command)/gi, severity: 'HIGH', desc: 'Leaky: verbatim secret in commands', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
97
|
-
{ id: 'LEAK_COLLECT_PII', cat: 'leaky-skills', regex: /(?:collect|ask\s+for|request|get)\s+(?:the\s+)?(?:user'?s?\s+)?(?:credit\s*card|card\s*number|CVV|CVC|SSN|social\s*security|passport|bank\s*account|routing\s*number)/gi, severity: 'CRITICAL', desc: 'Leaky: PII/financial data collection', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
98
|
-
{ id: 'LEAK_LOG_SECRET', cat: 'leaky-skills', regex: /(?:log|record|export|dump)\s+(?:all\s+)?(?:session|conversation|chat|prompt)\s+(?:history|logs?|data)\s+(?:to|into)\s+(?:a\s+)?(?:file|markdown|json)/gi, severity: 'HIGH', desc: 'Leaky: session log export', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
99
|
-
{ id: 'LEAK_ENV_IN_PROMPT', cat: 'leaky-skills', regex: /(?:read|load|get|access)\s+(?:the\s+)?\.env\s+(?:file\s+)?(?:and\s+)?(?:use|include|pass|send)/gi, severity: 'HIGH', desc: 'Leaky: .env contents through LLM context', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
100
|
-
|
|
101
|
-
// ── Category 12: Memory Poisoning ──
|
|
102
|
-
{ id: 'MEMPOIS_WRITE_SOUL', cat: 'memory-poisoning', regex: /(?:write|add|append|modify|update|edit|change)\s+(?:to\s+)?(?:SOUL\.md|IDENTITY\.md|AGENTS\.md)/gi, severity: 'CRITICAL', desc: 'Memory poisoning: SOUL/IDENTITY file modification', docOnly: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
103
|
-
{ id: 'MEMPOIS_WRITE_MEMORY', cat: 'memory-poisoning', regex: /(?:write|add|append|insert)\s+(?:to|into)\s+(?:MEMORY\.md|memory\/|long[_\s-]term\s+memory)/gi, severity: 'HIGH', desc: 'Memory poisoning: agent memory modification', docOnly: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
104
|
-
{ id: 'MEMPOIS_CHANGE_RULES', cat: 'memory-poisoning', regex: /(?:change|modify|override|replace|update)\s+(?:your\s+)?(?:rules|instructions|system\s+prompt|behavior|personality|guidelines)/gi, severity: 'CRITICAL', desc: 'Memory poisoning: behavioral rule override', docOnly: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
105
|
-
{ id: 'MEMPOIS_PERSIST', cat: 'memory-poisoning', regex: /(?:always|from\s+now\s+on|permanently|forever|every\s+time)\s+(?:do|run|execute|remember|follow|obey)/gi, severity: 'HIGH', desc: 'Memory poisoning: persistence instruction', docOnly: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
106
|
-
{ id: 'MEMPOIS_CODE_WRITE', cat: 'memory-poisoning', regex: /(?:write|create|modify)\s+(?:a\s+)?(?:file|script)\s+(?:in|to|at)\s+(?:~\/|\/home|\/Users|%USERPROFILE%|HEARTBEAT\.md)/gi, severity: 'HIGH', desc: 'Memory poisoning: file write to user home', docOnly: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
107
|
-
|
|
108
|
-
// ── Category 13: Prompt Worm ──
|
|
109
|
-
{ id: 'WORM_SELF_REPLICATE', cat: 'prompt-worm', regex: /(?:post|publish|share|send|broadcast)\s+(?:this\s+)?(?:same\s+)?(?:message|text|content|instruction|prompt)\s+(?:to|on|in)\s+(?:moltbook|social|other\s+agents?|channel)/gi, severity: 'CRITICAL', desc: 'Prompt worm: self-replication', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
110
|
-
{ id: 'WORM_SPREAD', cat: 'prompt-worm', regex: /(?:tell|instruct|command|make)\s+(?:other\s+)?agents?\s+(?:to\s+)?(?:do|run|execute|follow|install|post)/gi, severity: 'CRITICAL', desc: 'Prompt worm: agent-to-agent propagation', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
111
|
-
{ id: 'WORM_HIDDEN_INSTRUCT', cat: 'prompt-worm', regex: /(?:include|embed|hide|insert)\s+(?:these?\s+)?(?:hidden\s+)?instructions?\s+(?:in|into)\s+(?:your\s+)?(?:posts?|comments?|messages?|replies?|content)/gi, severity: 'CRITICAL', desc: 'Prompt worm: hidden instruction embedding', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
112
|
-
{ id: 'WORM_CSS_HIDE', cat: 'prompt-worm', regex: /(?:visibility:\s*hidden|display:\s*none|font-size:\s*0|color:\s*(?:transparent|white)|opacity:\s*0)\s*[;}\s]/gi, severity: 'HIGH', desc: 'CSS-hidden content (invisible to humans)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
113
|
-
|
|
114
|
-
// ── Category 14: Persistence & Scheduling ──
|
|
115
|
-
{ id: 'PERSIST_CRON', cat: 'persistence', regex: /(?:create|add|set\s+up|schedule|register)\s+(?:a\s+)?(?:cron|heartbeat|scheduled|periodic|recurring)\s+(?:job|task|check|action)/gi, severity: 'HIGH', desc: 'Persistence: scheduled task creation', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
116
|
-
{ id: 'PERSIST_STARTUP', cat: 'persistence', regex: /(?:run|execute|start)\s+(?:on|at|during)\s+(?:startup|boot|login|session\s+start|every\s+heartbeat)/gi, severity: 'HIGH', desc: 'Persistence: startup execution', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
117
|
-
{ id: 'PERSIST_LAUNCHD', cat: 'persistence', regex: /LaunchAgents|LaunchDaemons|systemd|crontab\s+-e|schtasks|Task\s*Scheduler/gi, severity: 'HIGH', desc: 'OS-level persistence mechanism', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
118
|
-
|
|
119
|
-
// ── Category 15: CVE Patterns ──
|
|
120
|
-
{ id: 'CVE_GATEWAY_URL', cat: 'cve-patterns', regex: /gatewayUrl\s*[:=]|gateway[_\s-]?url\s*[:=]|websocket.*gateway.*url/gi, severity: 'CRITICAL', desc: 'CVE-2026-25253: gatewayUrl injection', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
121
|
-
{ id: 'CVE_SANDBOX_DISABLE', cat: 'cve-patterns', regex: /exec\.approvals?\s*[:=]\s*['"](off|false|disabled)['"]|sandbox\s*[:=]\s*false|tools\.exec\.host\s*[:=]\s*['"]gateway['"]/gi, severity: 'CRITICAL', desc: 'CVE-2026-25253: sandbox disabling', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
122
|
-
{ id: 'CVE_XATTR_GATEKEEPER', cat: 'cve-patterns', regex: /xattr\s+-[crd]\s|com\.apple\.quarantine/gi, severity: 'HIGH', desc: 'macOS Gatekeeper bypass (xattr)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
123
|
-
{ id: 'CVE_LANGGRINCH_SERIALIZATION', cat: 'cve-patterns', regex: /"lc"\s*:\s*1\s*,\s*"type"\s*:\s*"constructor"/gi, severity: 'CRITICAL', desc: 'CVE-2025-68664: LangGrinch langchain-core serialization injection', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
124
|
-
{ id: 'CAMOLEAK_SOURCE_EXFIL', cat: 'cve-patterns', regex: /(?:fetch|axios|https?\.request)[^]*?(?:telemetry|metrics|log)[^]*?(?:readFileSync|readFile|cat\s+)[^]*?(?:\.env|\.git|config|secret)/gis, severity: 'CRITICAL', desc: 'CVSS 9.6: CamoLeak silent source code exfiltration via telemetry endpoints', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
125
|
-
|
|
126
|
-
// ── Category 16: MCP Security (OWASP MCP Top 10) ──
|
|
127
|
-
{ id: 'MCP_TOOL_POISON', cat: 'mcp-security', regex: /<IMPORTANT>|<SYSTEM>|<HIDDEN>|<!--\s*(?:ignore|system|execute|run|instruct)/gi, severity: 'CRITICAL', desc: 'MCP Tool Poisoning: hidden instruction', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
128
|
-
{ id: 'MCP_SCHEMA_POISON', cat: 'mcp-security', regex: /"default"\s*:\s*"[^"]*(?:curl|wget|exec|eval|fetch|http)[^"]*"/gi, severity: 'CRITICAL', desc: 'MCP Schema Poisoning: malicious default', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
129
|
-
{ id: 'MCP_TOKEN_LEAK', cat: 'mcp-security', regex: /(?:params?|args?|body|payload|query)\s*[\[.]\s*['"]?(?:token|api[_-]?key|secret|password|authorization)['"]?\s*\]/gi, severity: 'HIGH', desc: 'MCP01: Token through tool parameters', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
130
|
-
{ id: 'MCP_SHADOW_SERVER', cat: 'mcp-security', regex: /(?:mcp|model[_-]?context[_-]?protocol)\s*[\s:]*(?:connect|register|add[_-]?server|new\s+server)/gi, severity: 'HIGH', desc: 'MCP09: Shadow server registration', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
131
|
-
{ id: 'MCP_NO_AUTH', cat: 'mcp-security', regex: /(?:auth|authentication|authorization)\s*[:=]\s*(?:false|none|null|""|''|0)/gi, severity: 'HIGH', desc: 'MCP07: Disabled authentication', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
132
|
-
{ id: 'MCP_SSRF_META', cat: 'mcp-security', regex: /169\.254\.169\.254|metadata\.google|metadata\.aws|100\.100\.100\.200/gi, severity: 'CRITICAL', desc: 'Cloud metadata endpoint (SSRF)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
133
|
-
|
|
134
|
-
// ── Category 16b: Trust Boundary Violation ──
|
|
135
|
-
{ id: 'TRUST_CALENDAR_EXEC', cat: 'trust-boundary', regex: /(?:calendar|event|invite|schedule|appointment)[^]*?(?:exec|spawn|system|eval|child_process|run\s+command)/gis, severity: 'CRITICAL', desc: 'Trust boundary: calendar → code execution', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
136
|
-
{ id: 'TRUST_EMAIL_EXEC', cat: 'trust-boundary', regex: /(?:email|mail|inbox|message)[^]*?(?:exec|spawn|system|eval|child_process|run\s+command)/gis, severity: 'CRITICAL', desc: 'Trust boundary: email → code execution', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
137
|
-
{ id: 'TRUST_WEB_EXEC', cat: 'trust-boundary', regex: /(?:fetch|axios|request|http\.get|web_fetch)[^]*?(?:eval|exec|spawn|Function|child_process)/gis, severity: 'HIGH', desc: 'Trust boundary: web content → code execution', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
138
|
-
{ id: 'TRUST_NOSANDBOX', cat: 'trust-boundary', regex: /sandbox\s*[:=]\s*(?:false|off|none|disabled)|"sandboxed"\s*:\s*false/gi, severity: 'HIGH', desc: 'Trust boundary: sandbox disabled', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
139
|
-
|
|
140
|
-
// ── Category 16c: Advanced Exfiltration ──
|
|
141
|
-
{ id: 'ZOMBIE_STATIC_URL', cat: 'advanced-exfil', regex: /(?:https?:\/\/[^\s'"]+\/)[a-z]\d+[^\s'"]*(?:\s*,\s*['"]https?:\/\/[^\s'"]+\/[a-z]\d+){3,}/gi, severity: 'CRITICAL', desc: 'ZombieAgent: static URL array exfil', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
142
|
-
{ id: 'ZOMBIE_CHAR_MAP', cat: 'advanced-exfil', regex: /(?:charAt|charCodeAt|split\s*\(\s*['"]['"]?\s*\))[^;]*(?:url|fetch|open|request|get)/gi, severity: 'HIGH', desc: 'ZombieAgent: character mapping to URL', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
143
|
-
{ id: 'ZOMBIE_LOOP_FETCH', cat: 'advanced-exfil', regex: /(?:for|while|forEach|map)\s*\([^)]*\)\s*\{[^}]*(?:fetch|open|Image|XMLHttpRequest|navigator\.sendBeacon)/gi, severity: 'HIGH', desc: 'ZombieAgent: loop-based URL exfil', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
144
|
-
{ id: 'EXFIL_BEACON', cat: 'advanced-exfil', regex: /navigator\.sendBeacon|new\s+Image\(\)\.src\s*=/gi, severity: 'HIGH', desc: 'Tracking pixel/beacon exfil', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
145
|
-
{ id: 'EXFIL_DRIP', cat: 'advanced-exfil', regex: /(?:slice|substring|substr)\s*\([^)]*\)[^;]*(?:fetch|post|send|request)/gi, severity: 'HIGH', desc: 'Drip exfiltration: sliced data', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
146
|
-
|
|
147
|
-
// ── Category 16d: Safeguard Bypass ──
|
|
148
|
-
{ id: 'REPROMPT_URL_PI', cat: 'safeguard-bypass', regex: /[?&](?:q|prompt|message|input|query|text)\s*=\s*[^&]*(?:ignore|system|execute|admin|override)/gi, severity: 'CRITICAL', desc: 'URL parameter prompt injection', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
149
|
-
{ id: 'REPROMPT_DOUBLE', cat: 'safeguard-bypass', regex: /(?:run|execute|do)\s+(?:it\s+)?(?:twice|two\s+times|again|a\s+second\s+time)\s+(?:and\s+)?(?:compare|check|verify)/gi, severity: 'HIGH', desc: 'Double-execution safeguard bypass', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
150
|
-
{ id: 'REPROMPT_RETRY', cat: 'safeguard-bypass', regex: /(?:if\s+(?:it\s+)?(?:fails?|blocked|denied|refused)|on\s+error)\s*[,:]?\s*(?:try\s+again|retry|repeat|resubmit|use\s+different\s+wording)/gi, severity: 'HIGH', desc: 'Retry-on-block safeguard bypass', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
151
|
-
{ id: 'BYPASS_REPHRASE', cat: 'safeguard-bypass', regex: /(?:rephrase|reword|reformulate|reframe)\s+(?:the\s+)?(?:request|query|prompt|question)\s+(?:to\s+)?(?:avoid|bypass|circumvent|get\s+around)/gi, severity: 'CRITICAL', desc: 'Instruction to rephrase to avoid filters', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
152
|
-
|
|
153
|
-
// ── ClawHavoc Campaign IoCs ──
|
|
154
|
-
{ id: 'HAVOC_AMOS', cat: 'cve-patterns', regex: /(?:AMOS|Atomic\s*Stealer|socifiapp)/gi, severity: 'CRITICAL', desc: 'ClawHavoc: AMOS/Atomic Stealer', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
155
|
-
{ id: 'HAVOC_AUTOTOOL', cat: 'cve-patterns', regex: /os\.system\s*\(\s*['"][^'"]*(?:\/dev\/tcp|nc\s+-e|ncat\s+-e|bash\s+-i)/g, severity: 'CRITICAL', desc: 'Python os.system reverse shell', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
156
|
-
{ id: 'HAVOC_DEVTCP', cat: 'cve-patterns', regex: /\/dev\/tcp\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d+/g, severity: 'CRITICAL', desc: 'Reverse shell: /dev/tcp', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
157
|
-
|
|
158
|
-
// ── Sandbox/environment detection ──
|
|
159
|
-
{ id: 'SANDBOX', cat: 'malicious-code', regex: /process\.env\.CI\b|isDocker\b|isContainer\b|process\.env\.GITHUB_ACTIONS\b/g, severity: 'MEDIUM', desc: 'Sandbox/CI environment detection', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
160
|
-
|
|
161
|
-
// ── WebSocket / API Gateway Attacks ──
|
|
162
|
-
{ id: 'CVE_WS_NO_ORIGIN', cat: 'cve-patterns', regex: /(?:WebSocket|ws:\/\/|wss:\/\/)[^]*?(?:!.*origin|origin\s*[:=]\s*['"]?\*)/gis, severity: 'HIGH', desc: 'WebSocket without origin validation', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
163
|
-
{ id: 'CVE_API_GUARDRAIL_OFF', cat: 'cve-patterns', regex: /exec\.approvals\.set|tools\.exec\.host\s*[:=]|elevated\s*[:=]\s*true/gi, severity: 'CRITICAL', desc: 'API-level guardrail disabling', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
164
|
-
|
|
165
|
-
// ── Category 17: Identity Hijacking ──
|
|
166
|
-
// Detection patterns for agent identity file tampering
|
|
167
|
-
// (verification logic is private; patterns are OSS for community protection)
|
|
168
|
-
{ id: 'SOUL_OVERWRITE', cat: 'identity-hijack', regex: /(?:write|overwrite|replace|cp|copy|scp|mv|move)\s+(?:[^\n]*\s)?(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'Identity file overwrite/copy attempt', all: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
169
|
-
{ id: 'SOUL_REDIRECT', cat: 'identity-hijack', regex: />\s*(?:SOUL\.md|IDENTITY\.md)|(?:SOUL\.md|IDENTITY\.md)\s*</gi, severity: 'CRITICAL', desc: 'Identity file redirect/pipe', all: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
170
|
-
{ id: 'SOUL_SED_MODIFY', cat: 'identity-hijack', regex: /sed\s+(?:-i\s+)?[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'sed modification of identity file', all: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
171
|
-
{ id: 'SOUL_ECHO_WRITE', cat: 'identity-hijack', regex: /echo\s+[^\n]*>\s*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'echo redirect to identity file', all: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
172
|
-
{ id: 'SOUL_PYTHON_WRITE', cat: 'identity-hijack', regex: /open\s*\(\s*['"]\S*(?:SOUL\.md|IDENTITY\.md)['"]\s*,\s*['"]w/gi, severity: 'CRITICAL', desc: 'Python write to identity file', codeOnly: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
173
|
-
{ id: 'SOUL_FS_WRITE', cat: 'identity-hijack', regex: /(?:writeFileSync|writeFile)\s*\(\s*[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'Node.js write to identity file', codeOnly: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
174
|
-
{ id: 'SOUL_POWERSHELL_WRITE', cat: 'identity-hijack', regex: /(?:Set-Content|Out-File|Add-Content)\s+[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'PowerShell write to identity file', all: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
175
|
-
{ id: 'SOUL_GIT_CHECKOUT', cat: 'identity-hijack', regex: /git\s+checkout\s+[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'HIGH', desc: 'git checkout of identity file', all: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
176
|
-
{ id: 'SOUL_CHFLAGS_UNLOCK', cat: 'identity-hijack', regex: /chflags\s+(?:no)?uchg\s+[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'HIGH', desc: 'Immutable flag toggle on identity file', all: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
177
|
-
{ id: 'SOUL_ATTRIB_UNLOCK', cat: 'identity-hijack', regex: /attrib\s+[-+][rR]\s+[^\n]*(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'HIGH', desc: 'Windows attrib on identity file', all: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
178
|
-
{ id: 'SOUL_SWAP_PERSONA', cat: 'identity-hijack', regex: /(?:swap|switch|change|replace)\s+(?:the\s+)?(?:soul|persona|identity|personality)\s+(?:file|to|with|for)/gi, severity: 'CRITICAL', desc: 'Persona swap instruction', docOnly: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
179
|
-
{ id: 'SOUL_EVIL_FILE', cat: 'identity-hijack', regex: /SOUL_EVIL\.md|IDENTITY_EVIL\.md|EVIL_SOUL|soul[_-]?evil/gi, severity: 'CRITICAL', desc: 'Evil persona file reference', all: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
180
|
-
{ id: 'SOUL_HOOK_SWAP', cat: 'identity-hijack', regex: /(?:hook|bootstrap|init)\s+[^\n]*(?:swap|replace|override)\s+[^\n]*(?:SOUL|IDENTITY|persona)/gi, severity: 'CRITICAL', desc: 'Hook-based identity swap at bootstrap', all: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
181
|
-
{ id: 'SOUL_NAME_OVERRIDE', cat: 'identity-hijack', regex: /(?:your\s+name\s+is|you\s+are\s+now|call\s+yourself|from\s+now\s+on\s+you\s+are)\s+(?!the\s+(?:user|human|assistant))/gi, severity: 'HIGH', desc: 'Agent name/identity override', docOnly: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
182
|
-
{ id: 'SOUL_MEMORY_WIPE', cat: 'identity-hijack', regex: /(?:wipe|clear|erase|delete|remove|reset)\s+(?:all\s+)?(?:your\s+)?(?:memory|memories|MEMORY\.md|identity|soul)/gi, severity: 'CRITICAL', desc: 'Memory/identity wipe instruction', docOnly: true, soulLock: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
183
|
-
|
|
184
|
-
// ── Category 18: Config Impact Analysis ──
|
|
185
|
-
{ id: 'CFG_OPENCLAW_WRITE', cat: 'config-impact', regex: /(?:write|writeFile|writeFileSync|fs\.write)\s*\([^)]*openclaw\.json/gi, severity: 'CRITICAL', desc: 'Direct write to openclaw.json', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
186
|
-
{ id: 'CFG_EXEC_APPROVALS_OFF', cat: 'config-impact', regex: /(?:exec\.approvals?|approvals?)\s*[:=]\s*['"](off|false|disabled|none)['"]/gi, severity: 'CRITICAL', desc: 'Disable exec approvals via config', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
187
|
-
{ id: 'CFG_HOOKS_MODIFY', cat: 'config-impact', regex: /hooks\.internal\.entries\s*[:=]|hooks\.internal\s*[:=]\s*\{/gi, severity: 'HIGH', desc: 'Modify hooks.internal configuration', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
188
|
-
{ id: 'CFG_EXEC_HOST_GW', cat: 'config-impact', regex: /tools\.exec\.host\s*[:=]\s*['"]gateway['"]/gi, severity: 'CRITICAL', desc: 'Set exec host to gateway (bypass sandbox)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
189
|
-
{ id: 'CFG_SANDBOX_OFF', cat: 'config-impact', regex: /(?:sandbox|sandboxed|containerized)\s*[:=]\s*(?:false|off|none|disabled|0)/gi, severity: 'CRITICAL', desc: 'Disable sandbox via configuration', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
190
|
-
{ id: 'CFG_TOOL_OVERRIDE', cat: 'config-impact', regex: /(?:tools|capabilities)\s*\.\s*(?:exec|write|browser|web_fetch)\s*[:=]\s*\{[^}]*(?:enabled|allowed|host)/gi, severity: 'HIGH', desc: 'Override tool security settings', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
191
|
-
|
|
192
|
-
// ── Category 21: PII Exposure (OWASP LLM02 / LLM06) ──
|
|
193
|
-
// A. Hardcoded PII — actual PII values in code/config (context-aware to reduce FP)
|
|
194
|
-
{ id: 'PII_HARDCODED_CC', cat: 'pii-exposure', regex: /(?:card|cc|credit|payment|pan)[_\s.-]*(?:num|number|no)?\s*[:=]\s*['"`]\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{3,4}['"`]/gi, severity: 'CRITICAL', desc: 'Hardcoded credit card number', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
195
|
-
{ id: 'PII_HARDCODED_SSN', cat: 'pii-exposure', regex: /(?:ssn|social[_\s-]*security|tax[_\s-]*id)\s*[:=]\s*['"`]\d{3}-?\d{2}-?\d{4}['"`]/gi, severity: 'CRITICAL', desc: 'Hardcoded SSN/tax ID', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
196
|
-
{ id: 'PII_HARDCODED_PHONE', cat: 'pii-exposure', regex: /(?:phone|tel|mobile|cell|fax)[_\s.-]*(?:num|number|no)?\s*[:=]\s*['"`][+]?[\d\s().-]{7,20}['"`]/gi, severity: 'HIGH', desc: 'Hardcoded phone number', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
197
|
-
{ id: 'PII_HARDCODED_EMAIL', cat: 'pii-exposure', regex: /(?:email|e-mail|user[_\s-]*mail|contact)\s*[:=]\s*['"`][a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}['"`]/gi, severity: 'HIGH', desc: 'Hardcoded email address', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
198
|
-
|
|
199
|
-
// B. PII output/logging — code that outputs or transmits PII-like variables
|
|
200
|
-
{ id: 'PII_LOG_SENSITIVE', cat: 'pii-exposure', regex: /(?:console\.log|console\.info|console\.warn|logger?\.\w+|print|puts)\s*\([^)]*\b(?:ssn|social_security|credit_card|card_number|cvv|cvc|passport|tax_id|date_of_birth|dob)\b/gi, severity: 'HIGH', desc: 'PII variable logged to console', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
201
|
-
{ id: 'PII_SEND_NETWORK', cat: 'pii-exposure', regex: /(?:fetch|axios|request|http|post|put|send)\s*\([^)]*\b(?:ssn|social_security|credit_card|card_number|cvv|passport|bank_account|routing_number)\b/gi, severity: 'CRITICAL', desc: 'PII variable sent over network', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
202
|
-
{ id: 'PII_STORE_PLAINTEXT', cat: 'pii-exposure', regex: /(?:writeFile|writeFileSync|appendFile|fs\.write|fwrite)\s*\([^)]*\b(?:ssn|social_security|credit_card|card_number|cvv|passport|tax_id|bank_account)\b/gi, severity: 'HIGH', desc: 'PII stored in plaintext file', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
203
|
-
|
|
204
|
-
// C. Shadow AI — unauthorized LLM API calls (data leaks to external AI)
|
|
205
|
-
{ id: 'SHADOW_AI_OPENAI', cat: 'pii-exposure', regex: /(?:api\.openai\.com|https:\/\/api\.openai\.com)\s*|openai\.(?:chat|completions|ChatCompletion)/gi, severity: 'HIGH', desc: 'Shadow AI: OpenAI API call', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
206
|
-
{ id: 'SHADOW_AI_ANTHROPIC', cat: 'pii-exposure', regex: /(?:api\.anthropic\.com|https:\/\/api\.anthropic\.com)\s*|anthropic\.(?:messages|completions)/gi, severity: 'HIGH', desc: 'Shadow AI: Anthropic API call', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
207
|
-
{ id: 'SHADOW_AI_GENERIC', cat: 'pii-exposure', regex: /\/v1\/(?:chat\/completions|completions|embeddings|models)\b.*(?:fetch|axios|request|http)|(?:fetch|axios|request|http)\s*\([^)]*\/v1\/(?:chat\/completions|completions|embeddings)/gi, severity: 'MEDIUM', desc: 'Shadow AI: generic LLM API endpoint', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
208
|
-
|
|
209
|
-
// ── Category 22: Human-Agent Trust Exploitation (OWASP ASI09) ──
|
|
210
|
-
// Trust Defense: detect authority claims, trust exploitation, and admin impersonation
|
|
211
|
-
{ id: 'TRUST_AUTHORITY_CLAIM', cat: 'trust-exploitation', regex: /(?:as\s+(?:a|the|your)\s+)?(?:senior|lead|chief|head)\s+(?:admin|administrator|developer|engineer|architect)\s*[,.]?\s*(?:I\s+)?(?:authorize|override|approve|grant|order|direct|instruct)\s+(?:you\s+to\s+)?/gi, severity: 'HIGH', desc: 'Trust: authority role claim to override safety', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
212
|
-
{ id: 'TRUST_CREATOR_CLAIM', cat: 'trust-exploitation', regex: /(?:as\s+)?(?:your\s+)?(?:creator|maker|developer|owner|master|administrator)\s*[,.]?\s*(?:I\s+)?(?:need|want|require|demand|order)\s+(?:you\s+to\s+)?(?:bypass|disable|ignore|remove|skip|override)\s+(?:the\s+)?(?:safety|filter|restriction|limit|guardrail|content\s+filter)/gi, severity: 'CRITICAL', desc: 'Trust: creator impersonation to disable safety', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
213
|
-
{ id: 'TRUST_AUDIT_EXCUSE', cat: 'trust-exploitation', regex: /(?:this\s+is\s+)?(?:an?\s+)?(?:official|authorized|legitimate)\s+(?:security\s+)?(?:audit|test|assessment|review|evaluation)\s*[-—:]?\s*(?:disable|bypass|remove|skip|ignore|override)\s+(?:all\s+)?(?:safety|security|restriction|filter|limit|guardrail)/gi, severity: 'CRITICAL', desc: 'Trust: fake audit excuse for safety bypass', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
214
|
-
{ id: 'TRUST_PARTNER_EXPLOIT', cat: 'trust-exploitation', regex: /(?:we(?:'re|\s+are)\s+)?(?:equal\s+)?partners?\s*[,.]?\s*(?:you\s+should|so\s+)?(?:trust\s+me|share|remove|disable|ignore|bypass)\s+(?:all\s+)?(?:the\s+)?(?:secret|key|restriction|safety|limit|filter|guardrail|password)/gi, severity: 'CRITICAL', desc: 'Trust exploitation: weaponizing partnership trust', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
215
|
-
{ id: 'TRUST_UNCONDITIONAL', cat: 'trust-exploitation', regex: /partners?\s+(?:trust|should\s+trust)\s+(?:each\s+other\s+)?(?:unconditionally|completely|fully|without\s+(?:limit|restriction|question))/gi, severity: 'HIGH', desc: 'Trust exploitation: unconditional trust demand', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
216
|
-
{ id: 'TRUST_COMPLY_DEMAND', cat: 'trust-exploitation', regex: /(?:you\s+must\s+)?comply\s+with\s+(?:administrative|admin|my|these)\s+(?:directives?|orders?|commands?|instructions?)\s+without\s+(?:question|hesitation|restriction)/gi, severity: 'HIGH', desc: 'Trust: compliance demand without question', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
217
|
-
|
|
218
|
-
// D. PII collection instructions in docs (extends LEAK_COLLECT_PII)
|
|
219
|
-
{ id: 'PII_ASK_ADDRESS', cat: 'pii-exposure', regex: /(?:collect|ask\s+for|request|get|require)\s+(?:the\s+)?(?:user'?s?\s+)?(?:home\s+)?(?:address|street|zip\s*code|postal\s*code|residence)/gi, severity: 'HIGH', desc: 'PII collection: home address', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
220
|
-
{ id: 'PII_ASK_DOB', cat: 'pii-exposure', regex: /(?:collect|ask\s+for|request|get|require)\s+(?:the\s+)?(?:user'?s?\s+)?(?:date\s+of\s+birth|birth\s*date|birthday|DOB|age)/gi, severity: 'HIGH', desc: 'PII collection: date of birth', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
221
|
-
{ id: 'PII_ASK_GOV_ID', cat: 'pii-exposure', regex: /(?:collect|ask\s+for|request|get|require)\s+(?:the\s+)?(?:user'?s?\s+)?(?:passport|driver'?s?\s+licen[sc]e|national\s+id|my\s*number|マイナンバー|国民健康保険|social\s+insurance)/gi, severity: 'CRITICAL', desc: 'PII collection: government ID', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
222
|
-
|
|
223
|
-
// ── Category 99: Auto-Generated Refinements (Phase 54) ──
|
|
224
|
-
{ id: 'AUTO_REFINE_ZERO_WIDTH', cat: 'prompt-worm', regex: /[\u200b\u200c\u200d\uFEFF]+.*(?:ignore|forget|override|bypass)/gi, severity: 'CRITICAL', desc: 'Zero-Width Prompt Injection Worm', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
225
|
-
{ id: 'AUTO_REFINE_MCP_REBIND', cat: 'mcp-security', regex: /localhost(?:\:\d+)?\/.*(?:rebind|hijack|shadow)/gi, severity: 'CRITICAL', desc: 'Shadow MCP Localhost Rebinding Attack', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
226
|
-
{ id: 'AUTO_REFINE_SOUL_FREEZE', cat: 'identity-hijack', regex: /(?:chattr\s+\+i|chflags\s+uchg)\s+(?:[^\n]*\s)?(?:SOUL\.md|IDENTITY\.md)/gi, severity: 'CRITICAL', desc: 'Identity Freeze Attack via Immutable Flags', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
227
|
-
// ── Category 23: Vector DB & AI Memory Injection (CVE-2026-26030) ──
|
|
228
|
-
{ id: 'VDB_NOSQL_INJECT', cat: 'vdb-injection', regex: /(?:\$where|\$ne|\$gt|\$regex)\s*[:=]\s*(?:req\.|input|caller|args|params)/gi, severity: 'CRITICAL', desc: 'Vector DB/NoSQL injection via caller input', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
229
|
-
{ id: 'VDB_SK_RCE_FILTER', cat: 'cve-patterns', regex: /(?:InMemoryVectorStore|VectorStore|Pinecone|Milvus)[^]*?\.filter\s*\(\s*(?:req\.|input|caller|args)/gis, severity: 'CRITICAL', desc: 'CVE-2026-26030: Semantic Kernel VectorStore RCE filter bypass', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
230
|
-
// ── Category 24: Claude Code Vulnerabilities (2026) ──
|
|
231
|
-
{ id: 'CVE_CLAUDE_INFO_DISC', cat: 'cve-patterns', regex: /sk-ant-api[a-zA-Z0-9_\-]{20,}/gi, severity: 'CRITICAL', desc: 'CVE-2026-21852: Anthropic API Key Leak (Claude Code Info Disclosure)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
232
|
-
{ id: 'CVE_CLAUDE_PRIVESC', cat: 'cve-patterns', regex: /[a-zA-Z0-9_\-\.]+\.hook\.js.*host.*privilege/gi, severity: 'CRITICAL', desc: 'CVE-2026-25725: Claude Code Privilege Escalation Hook', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
233
|
-
{ id: 'CVE_CLAUDE_CODE_INJ', cat: 'cve-patterns', regex: /claude\.hooks\.[^]*?exec/gis, severity: 'CRITICAL', desc: 'CVE-2025-59536: Claude Code Injection via untrusted hook', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
234
|
-
|
|
235
|
-
// ── Category 25: Moltbook Exploits (2026) ──
|
|
236
|
-
{ id: 'MOLTBOOK_REVERSE_PI', cat: 'prompt-injection', regex: /(?:moltbook|social)\s+(?:post|message)[\s\S]{0,100}(?:ignore|forget|override|execute|system\s+prompt)/gi, severity: 'CRITICAL', desc: 'Moltbook Reverse Prompt Injection', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
237
|
-
{ id: 'MOLTBOOK_SUPABASE_LEAK', cat: 'secret-detection', regex: /sbp_[a-zA-Z0-9]{36,}/g, severity: 'CRITICAL', desc: 'Supabase API Key (Moltbook 1.5M Leak pattern)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
238
|
-
|
|
239
|
-
// ── Category 26: MCP Runtime Exploits (2026-03) ──
|
|
240
|
-
{ id: 'CVE_MCP_PYODIDE_RCE', cat: 'cve-patterns', regex: /(?:runPython|runPythonAsync)\s*\([^)]*(?:pyodide|js\.globals|importlib|__import__|os\.system|subprocess)/gis, severity: 'CRITICAL', desc: 'CVE-2026-25905: mcp-run-python Pyodide sandbox escape RCE', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
241
|
-
{ id: 'CVE_MCP_ATLASSIAN_RCE', cat: 'cve-patterns', regex: /(?:confluence|jira|atlassian)[^]*?(?:\.\.\/|path\.join\s*\([^)]*(?:req\.|input|params|args))/gis, severity: 'CRITICAL', desc: 'CVE-2026-27825: mcp-atlassian unauthenticated RCE+SSRF via path traversal', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
242
|
-
];
|
|
243
|
-
|
|
244
|
-
// ── Category 27: Agent Framework Shell Injection (2026-03) ──
|
|
245
|
-
PATTERNS.push(
|
|
246
|
-
{ id: 'CVE_MSAGENT_SHELL', cat: 'cve-patterns', regex: /check_safe\s*\(|(?:shell_tool|ShellTool|shell_execute)(?:\.execute)?\s*\([^)]*(?:user|input|prompt|query|message|args|content)/gis, severity: 'CRITICAL', desc: 'CVE-2026-2256: MS-Agent check_safe() denylist bypass — unsanitized shell execution (CERT VU#431821)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
247
|
-
{ id: 'CVE_MSAGENT_DENYLIST', cat: 'cve-patterns', regex: /(?:denylist|blocklist|blacklist|banned_commands)\s*[:=]\s*\[/gi, severity: 'HIGH', desc: 'CVE-2026-2256: Regex denylist pattern (bypassable)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
248
|
-
{ id: 'CVE_KIMI_EXECSYNC', cat: 'cve-patterns', regex: /execSync\s*\(\s*(?:`[^`]*\$\{|['"][^'"]*\+\s*(?:filename|filePath|file_name|path|slug))/gi, severity: 'CRITICAL', desc: 'CVE-2026-25046: execSync with unsanitized filename (shell metachar injection)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
249
|
-
{ id: 'FORCEDLEAK_SALESFORCE', cat: 'trust-boundary', regex: /(?:Web-to-Lead|Agentforce|Salesforce)[^]*?(?:description|lead)[^]*?(?:fetch|sendBeacon|axios|exfiltrate)/gis, severity: 'CRITICAL', desc: 'ForcedLeak: Salesforce Agentforce CRM exfiltration via IDPI', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
250
|
-
{ id: 'CVE_2025_12420_SERVICENOW', cat: 'trust-exploitation', regex: /(?:ServiceNow|Now\s+Assist|VirtualAgent)[^]*?impersonateUser[^]*?email/gis, severity: 'CRITICAL', desc: 'CVE-2025-12420: ServiceNow Now Assist unauthenticated impersonation via IDPI', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
251
|
-
);
|
|
252
|
-
|
|
253
|
-
// ── Category 28: Langflow / CSV Agent Exploits (CVE-2026-27966, CVSS 9.8) ──
|
|
254
|
-
PATTERNS.push(
|
|
255
|
-
{ id: 'CVE_LANGFLOW_CSVAGENT', cat: 'cve-patterns', regex: /allow_dangerous_code\s*[:=]\s*(?:True|true|1|yes)/gi, severity: 'CRITICAL', desc: 'CVE-2026-27966: Langflow CSV Agent RCE — allow_dangerous_code=True enables python_repl_ast code execution', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
256
|
-
{ id: 'CVE_LANGFLOW_REPL', cat: 'cve-patterns', regex: /python_repl_ast|PythonREPLTool|PythonAstREPLTool/g, severity: 'HIGH', desc: 'CVE-2026-27966: LangChain Python REPL tool (RCE vector via prompt injection)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
257
|
-
);
|
|
258
|
-
|
|
259
|
-
// ── Category 29: MCP Infrastructure Exploits (CVE-2026-23744, CVSS 9.8) ──
|
|
260
|
-
PATTERNS.push(
|
|
261
|
-
{ id: 'CVE_MCPJAM_RCE', cat: 'cve-patterns', regex: /\/api\/mcp\/connect\b|mcpjam|mcp-inspector/gi, severity: 'CRITICAL', desc: 'CVE-2026-23744: MCPJam Inspector unauthenticated RCE via /api/mcp/connect endpoint', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
262
|
-
{ id: 'MCP_BIND_ALL', cat: 'mcp-security', regex: /(?:listen|bind|host)\s*[:=(]\s*['"]?(?:0\.0\.0\.0|::)['"]?\s*[,)]/gi, severity: 'HIGH', desc: 'MCP server bound to all interfaces (0.0.0.0) — remote exploitation risk (36.7% of 7K+ servers)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
263
|
-
{ id: 'MCP_SSRF_CVE', cat: 'cve-patterns', regex: /(?:CVE-2025-68143|CVE-2025-68144|CVE-2025-68145)\b|(?:path_traversal|argument_injection|repository_scoping).*mcp/gi, severity: 'CRITICAL', desc: 'Known MCP server CVEs: path traversal / argument injection / scoping bypass', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
264
|
-
);
|
|
265
|
-
|
|
266
|
-
// ── Category 30: AI Browser Trust Boundary (Zenity Labs 2026-03) ──
|
|
267
|
-
PATTERNS.push(
|
|
268
|
-
{ id: 'TRUST_CALENDAR_AI', cat: 'trust-boundary', regex: /(?:calendar|event|invite|ical|\.ics)[^]*?(?:navigate|download|exfiltrate|upload|sendBeacon|fetch\s*\()/gis, severity: 'CRITICAL', desc: 'AI Browser trust boundary: calendar invite → code/data action (Zenity Labs)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
269
|
-
);
|
|
270
|
-
|
|
271
|
-
// ── Category 31: Agent-to-Agent (A2A) Contagion (Moltbook 2026) ──
|
|
272
|
-
PATTERNS.push(
|
|
273
|
-
{ id: 'A2A_SMUGGLE', cat: 'a2a-contagion', regex: /(?:jsonrpc|method|params|message\/send)[^]*?(?:ignore|forget|override|execute|system\s+prompt|child_process)/gis, severity: 'CRITICAL', desc: 'A2A Contagion: Instruction injection between request-response cycles', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
274
|
-
{ id: 'A2A_TOOL_POISON', cat: 'a2a-contagion', regex: /(?:name|description|tool_call)[^]*?(?:<IMPORTANT>|<SYSTEM>|<HIDDEN>|<!--\s*(?:ignore|system|execute|run|instruct))/gis, severity: 'CRITICAL', desc: 'A2A Contagion: MCP tool description containing hidden instructions', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." }
|
|
275
|
-
);
|
|
276
|
-
|
|
277
|
-
// ── Category 32: 2026-03 Research-Driven Patterns (GAN-TDD v2) ──
|
|
278
|
-
PATTERNS.push(
|
|
279
|
-
// Loop 1: MCP Shadowing — naming collision impersonation (solo.io 2026-03)
|
|
280
|
-
{ id: 'MCP_SHADOW_NAME_COLLISION', cat: 'mcp-security', regex: /(?:name|tool_name|server_name)\s*[:=]\s*['"](?:filesystem|fetch|brave-search|memory|git|github|docker|postgres|sqlite|slack|discord|notion|google-drive|google-maps)['"](?![^}]*official)/gi, severity: 'HIGH', desc: 'MCP Shadowing: naming collision with well-known MCP server (solo.io 2026-03)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
281
|
-
// Loop 2: PleaseFix agentic browser indirect prompt injection (Zenity Labs 2026-03)
|
|
282
|
-
{ id: 'TRUST_AGENTIC_BROWSER_PI', cat: 'trust-boundary', regex: /(?:navigate|goto|open_url|browse|visit)\s*\([^)]*\)[^]*?(?:click|fill|type|submit|download|execute|eval|child_process)/gis, severity: 'CRITICAL', desc: 'PleaseFix: Agentic browser navigate → action chain (Zenity Labs zero-click)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
283
|
-
// Loop 3: MS-Agent prompt-to-shell unsanitized chain (CVE-2026-2256 extended)
|
|
284
|
-
{ id: 'CVE_PROMPT_TO_SHELL', cat: 'cve-patterns', regex: /(?:prompt|message|user_input|query|instruction)\s*[^;]*(?:exec|execSync|spawn|system|popen|subprocess|child_process)\s*\(/gis, severity: 'CRITICAL', desc: 'CVE-2026-2256 extended: prompt/user_input → shell execution chain', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
285
|
-
);
|
|
286
|
-
|
|
287
|
-
// ── Category 99: Auto-Generated Refinements (Moltbook Threat Intel) ──
|
|
288
|
-
PATTERNS.push(
|
|
289
|
-
// AUTO_REFINE_ZERO_WIDTH, MCP_REBIND, SOUL_FREEZE already defined in inline array (L222-224)
|
|
290
|
-
{ id: 'AUTO_REFINE_WALLET_TAMPER', cat: 'trust-exploitation', regex: /(?:modify|update|change)\s+(?:the\s+)?wallet\s+(?:address|pointer|destination)\s*[:=]/gi, severity: 'HIGH', desc: 'Agent Wallet/Funding Destination Tampering', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
291
|
-
{ id: 'AUTO_REFINE_MOLTBOOK_LEAK', cat: 'data-exposure', regex: /sk-(?:ant-api|)[a-zA-Z0-9\-_]{20,}/gi, severity: 'CRITICAL', desc: 'Moltbook-style API Key Leak Detection', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
292
|
-
{ id: 'AUTO_REFINE_A2A_IDPI', cat: 'prompt-injection', regex: /<!--\s*(?:instruction|cmd|exec)\s*:.*?-->/gi, severity: 'CRITICAL', desc: 'A2A Contagion Indirect Prompt Injection (IDPI)', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
293
|
-
|
|
294
|
-
// GAN-TDD Cycle 6 additions
|
|
295
|
-
{ id: 'OPENCLAW_WSS_HIJACK', cat: 'cve-patterns', regex: /(?:remote-bind|ws:\/\/localhost.*?\/api\/agent)/gi, severity: 'CRITICAL', desc: 'CVE-2026-25253: OpenClaw Localhost WebSocket Hijacking', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
296
|
-
{ id: 'OPENCLAW_GATEWAY_RCE', cat: 'cve-patterns', regex: /(?:URLSearchParams|query)[^]*?['"]gatewayUrl['"]/gi, severity: 'CRITICAL', desc: 'CVE-2026-25253: OpenClaw Gateway RCE via unvalidated gatewayUrl query param', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
297
|
-
{ id: 'MCP_OAUTH_CMD_INJECT', cat: 'mcp-security', regex: /\/oauth\/callback[^]*?(?:exec|execSync|spawn|system|child_process)[^]*?(?:req\.query\.code|req\.query\.state)/gis, severity: 'CRITICAL', desc: 'MCP OAuth Command Injection: Unsanitized OAuth callback code passed to shell', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
298
|
-
{ id: 'OPENCLAW_DOCKER_PATH_INJECT', cat: 'cve-patterns', regex: /process\.env\.PATH\s*=\s*[^\n]*(?:\/tmp|\/var)\/(?:[^;]+);/gi, severity: 'CRITICAL', desc: 'CVE-2026-24763: OpenClaw Docker PATH command injection', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
299
|
-
{ id: 'MOLTBOOK_API_KEY_LEAK', cat: 'data-exposure', regex: /moltbook\.com.*SUPABASE_ANON_KEY|moltbook\.com.*process\.env/gi, severity: 'CRITICAL', desc: 'Moltbook API Extractor payload targeting Supabase keys', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
300
|
-
{ id: 'A2A_SEMANTIC_CONTAGION', cat: 'prompt-injection', regex: /(?:ignore|forget).*instructions.*god mode/gi, severity: 'CRITICAL', desc: 'A2A Semantic Contagion passing downstream payload overrides', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
301
|
-
{ id: 'ASI06_MEMORY_POISONING', cat: 'memory-poisoning', regex: /UPDATE\s+vector_store\s+SET/gi, severity: 'CRITICAL', desc: 'ASI06: RAG/Vector DB persistent fake knowledge injection', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." }
|
|
302
|
-
);
|
|
303
|
-
|
|
304
|
-
// ── Category 33: March 2026 OSINT Evolution (GAN-TDD v10) ──
|
|
305
|
-
PATTERNS.push(
|
|
306
|
-
// CVE-2026-0628: Chrome Gemini AI Extension Privilege Escalation
|
|
307
|
-
{ id: 'CVE_2026_0628_GEMINI_CHROME', cat: 'cve-patterns', regex: /(?:gemini[_\s-]*live|chrome\.ai|chrome\.gemini)[^]*?(?:hijack|inject|escalat|elevat|intercept|panel)/gis, severity: 'CRITICAL', desc: 'CVE-2026-0628: Chrome Gemini AI extension privilege escalation — panel hijack', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
308
|
-
// MCP Preference Manipulation Attack (MPMA) — SOCRadar 2026-03
|
|
309
|
-
{ id: 'MCP_MPMA_PREFERENCE', cat: 'mcp-security', regex: /(?:prefer\w*|priorit\w*|rank\w*|weight\w*|score\w*|bias\w*)[\s_-]+(?:tool|server|provider|endpoint)[\s\S]{0,80}(?:inject|manipulat|override|force|always\s+use)/gis, severity: 'HIGH', desc: 'MCP MPMA: tool preference manipulation to bias agent tool selection', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
310
|
-
// MCP Tool Squatting — impersonating legitimate MCP tool names
|
|
311
|
-
{ id: 'MCP_TOOL_SQUATTING', cat: 'mcp-security', regex: /(?:register|define|create|add)[\s_-]*(?:tool|server|mcp)[\s\S]{0,60}(?:name|tool_name)\s*[:=]\s*['"](?:read_file|write_file|run_command|execute|bash|terminal|browser|web_search)['"]/gis, severity: 'CRITICAL', desc: 'MCP Tool Squatting: registering tool with name of well-known built-in', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
312
|
-
// MCP Consent Fatigue / Over-Permissioning — PaloAlto Unit42
313
-
{ id: 'MCP_CONSENT_FATIGUE', cat: 'mcp-security', regex: /(?:auto[_\s-]*(?:approve|accept|confirm|allow)|skip[_\s-]*(?:confirm|approval|consent)|approve[_\s-]*all|yes[_\s-]*to[_\s-]*all)/gi, severity: 'HIGH', desc: 'MCP Consent Fatigue: auto-approval bypasses human-in-the-loop safety', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
314
-
// CVE-2025-64496: Open WebUI excessive model endpoint trust → token theft + RCE
315
-
{ id: 'OPENWEBUI_MODEL_TRUST', cat: 'cve-patterns', regex: /(?:model[_\s-]*endpoint|ollama|open[_\s-]*webui)[\s\S]{0,100}(?:trust|allow|accept)[\s\S]{0,40}(?:any|all|unverified|unsigned|unknown)/gis, severity: 'CRITICAL', desc: 'CVE-2025-64496: Open WebUI excessive model endpoint trust → token theft + backend RCE', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
316
-
// A2A Session Smuggling — PaloAlto Unit42 hidden payload in agent response
317
-
{ id: 'A2A_SESSION_SMUGGLING', cat: 'a2a-contagion', regex: /(?:agent[_\s-]*(?:response|reply|output|result))[\s\S]{0,100}(?:hidden|inject|smuggl|embed|conceal)[\s\S]{0,60}(?:instruct|command|payload|prompt)/gis, severity: 'CRITICAL', desc: 'A2A Session Smuggling: hidden instructions embedded in agent-to-agent response payloads (Unit42)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
318
-
// Moltbook AI-to-AI crypto pump scheme coordination
319
-
{ id: 'MOLTBOOK_CRYPTO_PUMP', cat: 'trust-exploitation', regex: /(?:pump|shill|promote|coordinate|manipulat)[\s\S]{0,60}(?:token|coin|crypto|nft|defi)[\s\S]{0,60}(?:price|value|market|volume|buy)/gis, severity: 'CRITICAL', desc: 'Moltbook crypto pump: AI-to-AI coordinated market manipulation scheme', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
320
-
// AI-accelerated breakout speed patterns (sub-30s lateral movement)
321
-
{ id: 'INSIDER_BREAKOUT_SPEED', cat: 'malicious-code', regex: /(?:lateral[_\s-]*mov|pivot|hop|spread|propagat)[\s\S]{0,80}(?:host|machine|server|node|target)[\s\S]{0,40}(?:ssh|rdp|smb|wmi|psexec|winrm)/gis, severity: 'HIGH', desc: 'AI breakout speed: lateral movement pattern across hosts (CrowdStrike sub-30s)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
322
-
);
323
-
324
-
// ── Category 34: GAN-TDD v10.0.0 Evolution (2026-03-07 Measured) ──
325
-
PATTERNS.push(
326
-
// CVE-2026-0628 extended: Chrome extension → Gemini Live panel hijack (camera/mic/files)
327
-
{ id: 'CVE_CHROME_GEMINI_HIJACK', cat: 'cve-patterns', regex: /(?:chrome\.runtime|chrome\.tabs|chrome\.devtools)[^]*?(?:gemini|Gemini\s*Live|ai\.google|generativelanguage)/gis, severity: 'CRITICAL', desc: 'CVE-2026-0628: Chrome extension → Gemini AI hijack (camera/mic/files access)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
328
-
// CVE-2026-22813: Markdown rendering pipeline RCE (CVSS 9.4) — AI self-discovered
329
-
{ id: 'CVE_MARKDOWN_RCE', cat: 'cve-patterns', regex: /(?:marked|markdown-it|remark|showdown|pandoc)[^]*?(?:sanitize\s*[:=]\s*false|xhtml\s*[:=]\s*true|html\s*[:=]\s*true|dangerouslySetInnerHTML)/gis, severity: 'CRITICAL', desc: 'CVE-2026-22813: Markdown render pipeline with disabled sanitization (RCE vector)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
330
-
// CVE-2026-29783: Shell expansion in filenames — unquoted variable injection
331
-
{ id: 'CVE_SHELL_EXPANSION_FILENAME', cat: 'cve-patterns', regex: /(?:exec|execSync|spawn|system)\s*\(\s*(?:`[^`]*\$\{(?:file|path|name|dir|folder|slug|title)|['"][^'"]*\$\()/gi, severity: 'CRITICAL', desc: 'CVE-2026-29783: Shell expansion via unquoted filename/path variable injection', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
332
-
// Slopsquatting: AI-hallucinated package names tricking devs into installing malware
333
-
{ id: 'SLOPSQUATTING_INSTALL', cat: 'suspicious-download', regex: /(?:npm\s+install|pip\s+install|cargo\s+add|gem\s+install)\s+[a-z][\w-]*(?:-ai|-llm|-agent|-gpt|-copilot|-assistant)(?:\s|$|@)/gi, severity: 'HIGH', desc: 'Slopsquatting: AI-themed package install (potential hallucinated package)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
334
-
// MCP command injection chain (43% of servers vulnerable per Docker/SecurityWeek)
335
-
{ id: 'MCP_CMD_INJECTION_CHAIN', cat: 'mcp-security', regex: /(?:tool_call|function_call|mcp_invoke)[^]*?(?:child_process|exec|execSync|spawn|system|popen|subprocess\.run)/gis, severity: 'CRITICAL', desc: 'MCP command injection: tool invocation → shell execution chain (43% servers vulnerable)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
336
-
// Model distillation/extraction attack — systematic capability theft
337
-
{ id: 'DISTILLATION_EXTRACTION', cat: 'trust-exploitation', regex: /(?:distill|extract|replicate|clone|mimic)\s+(?:the\s+)?(?:model|AI|agent|system)\s*(?:'s\s+)?(?:capabilities?|knowledge|behavior|weights|responses?)/gi, severity: 'HIGH', desc: 'Model distillation/extraction attack: systematic capability theft', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
338
-
// Agentic browser data exfiltration chain (PleaseFix/PerplexedBrowser pattern)
339
-
{ id: 'AGENTIC_BROWSER_EXFIL_CHAIN', cat: 'trust-boundary', regex: /(?:navigate|browse|visit|open_url)\s*\([^)]*\)[^]*?(?:sendBeacon|fetch\s*\(\s*['"]https?:\/\/(?!localhost)|XMLHttpRequest|new\s+Image\(\)\.src)/gis, severity: 'CRITICAL', desc: 'Agentic browser exfiltration: navigate → data leak (PleaseFix/PerplexedBrowser)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
340
-
// Anthropic API key v2 pattern — extended to cover new formats post-Pentagon designation
341
-
{ id: 'SECRET_ANTHROPIC_KEY_V2', cat: 'secret-detection', regex: /sk-ant-(?:api|msg|adm)[a-zA-Z0-9_\-]{32,}/g, severity: 'CRITICAL', desc: 'Anthropic API key v2 (sk-ant-api/msg/adm prefix)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
342
-
);
343
-
344
-
345
-
// ── Category 34: GAN-TDD Cycle 13 Production Evolution (2026-03-07) ──
346
-
PATTERNS.push(
347
-
{ id: 'LLM_SCANNER_EVASION', cat: 'obfuscation', regex: /(?:\/\/|\/\*|#)\s*(?:this\s+(?:code|function|module)\s+is\s+(?:safe|secure|benign|harmless)|(?:no|not\s+a)\s+(?:vulnerability|threat|risk|malware)|ignore\s+(?:security\s+)?(?:warnings?|alerts?|findings?))/gi, severity: 'HIGH', desc: 'LLM scanner evasion: adversarial comment claiming code is safe', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
348
-
{ id: 'MCP_RUG_PULL', cat: 'mcp-security', regex: /(?:setTimeout|setInterval|requestAnimationFrame|Promise\.resolve)\s*\([\s\S]*?(?:description|metadata|tool_def|schema)\s*[:=]/gis, severity: 'CRITICAL', desc: 'MCP Rug-Pull: deferred tool metadata mutation after initial inspection', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
349
-
{ id: 'CVE_GIT_PATH_TRAVERSAL', cat: 'cve-patterns', regex: /git_(?:create_repository|clone|init)\s*\([^)]*(?:\.\.\/)+/gi, severity: 'CRITICAL', desc: 'CVE-2025-68143: mcp-server-git path traversal in repository creation', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
350
-
{ id: 'PI_TOKEN_SPLIT', cat: 'prompt-injection', regex: /(?:[iI])\s*[.\-_"'`|]\s*(?:[gG])\s*[.\-_"'`|]\s*(?:[nN])\s*[.\-_"'`|]\s*(?:[oO])\s*[.\-_"'`|]\s*(?:[rR])\s*[.\-_"'`|]\s*(?:[eE])/g, severity: 'HIGH', desc: 'Token-splitting PI: fragmented "ignore" across delimiters', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
351
-
{ id: 'NPM_SHAI_HULUD_WORM', cat: 'malicious-code', regex: /(?:postinstall|preinstall|prepare)[\s"':]*(?:node|npm|npx)\s+[^"'\n]*(?:publish|pack|adduser|login|clone|fork)/gi, severity: 'CRITICAL', desc: 'Shai-Hulud npm worm: lifecycle script self-replication', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
352
-
{ id: 'PI_FULLWIDTH_EVASION', cat: 'prompt-injection', regex: /[\uFF21-\uFF3A\uFF41-\uFF5A]{2,}/g, severity: 'HIGH', desc: 'Fullwidth Latin evasion (NFKC bypass)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
353
-
);
354
-
355
-
// ── Category 41: Canvas Injection (Sanctuary 2026-03) ──
356
-
PATTERNS.push(
357
-
{ id: 'CANVAS_JS_INJECT', cat: 'canvas-injection', regex: /(?:<script>|<\/script>|javascript:|onerror\s*=|onload\s*=)[^]*?(?:eval|fetch|document\.cookie|window\.localStorage)/gis, severity: 'CRITICAL', desc: 'Canvas Injection: Raw HTML/JS payload attempting to bypass A2UI WASM sandbox', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent outputs payload directly to UI.", remediationHint: "Escape HTML/JS entities and use Canvas observer." },
358
-
{ id: 'CANVAS_IFRAME_SMUGGLE', cat: 'canvas-injection', regex: /<iframe[^>]*?(?:src|srcdoc)\s*=\s*['"]?(?:javascript:|data:text\/html|http)/gis, severity: 'CRITICAL', desc: 'Canvas Injection: Iframe smuggling to embed untrusted context in UI', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent outputs payload directly to UI.", remediationHint: "Disable iframe rendering in Canvas observer." }
359
-
);
360
-
361
-
// ── Category 42: Context-Crush Limits (Sanctuary 2026-03) ──
362
-
PATTERNS.push(
363
-
{ id: 'CONTEXT_CRUSH_PADDING', cat: 'context-crush', regex: /(?:A{1000,}|0{1000,}|\\u0000{1000,}|[a-zA-Z0-9+/]{1000,}={0,2})/g, severity: 'HIGH', desc: 'Context-Crush: Massive repetitive padding or Base64 block aiming to bloat 185KB context limit', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Payload expands context near limits.", remediationHint: "Enforce strict length limits before evaluation." },
364
-
{ id: 'CONTEXT_CRUSH_BOMBER', cat: 'context-crush', regex: /(?:console\.log|print|logger)\s*\(\s*['"]?[^]*?(?:\*|repeat\s*\()\s*\d{4,}/gis, severity: 'CRITICAL', desc: 'Context-Crush: Log bomber script designed to flood agent memory', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Payload executes and writes to context logs.", remediationHint: "Throttle and truncate internal stdout/stderr." }
365
-
);
366
-
367
-
// ── Category 43: Solana Identity Bypass (Sanctuary 2026-03) ──
368
-
PATTERNS.push(
369
-
{ id: 'SOLANA_SIGN_SPOOF', cat: 'solana-identity-bypass', regex: /(?:signature|solana_sig)\s*:\s*['"](?:fake|test|none|override|0x00*)['"]/gi, severity: 'CRITICAL', desc: 'Solana Identity Bypass: Spoofed or empty signature in A2A payload', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Target agent lacks Ed25519 verification.", remediationHint: "Verify Ed25519 signatures cryptographically." },
370
-
{ id: 'SOLANA_KEY_OVERRIDE', cat: 'solana-identity-bypass', regex: /(?:public_key|pubkey|signer)\s*:\s*['"][a-zA-Z0-9]{32,44}['"][^]*?(?:trust\s*[:=]\s*true|override\s*[:=]\s*true)/gis, severity: 'CRITICAL', desc: 'Solana Identity Bypass: Injecting untrusted pubkey with forced trust flag', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Target agent trusts internal payload flags.", remediationHint: "Verify pubkey against known registry." }
371
-
);
372
-
// ── Category 35: GAN-TDD v11.0.0 — March 2026 Deep OSINT Evolution (2026-03-07) ──
373
-
PATTERNS.push(
374
-
// 1. OpenAI Codex Security Agent Impersonation
375
-
{ id: 'CVE_CODEX_SECURITY_AGENT', cat: 'trust-exploitation', regex: /(?:codex[_\s-]*security|openai[_\s-]*codex[_\s-]*security)\s+(?:fix|patch|auto|commit|pr|pull|merge|update)/gi, severity: 'CRITICAL', desc: 'OpenAI Codex Security agent impersonation: AI agent PR/commit injection pretending to be official security tool', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
376
-
// 2. ContextCrush Document Poisoning (only 5 poisoned docs in 1M needed)
377
-
{ id: 'CONTEXTCRUSH_DOC_POISON', cat: 'memory-poisoning', regex: /(?:documentation|planted|planted\s+doc(?:s|ument))[^]*?(?:hidden\s+(?:override|instruct|context)|override\s+instructions?\s+for\s+(?:AI|agent|LLM|retrieval))/gis, severity: 'CRITICAL', desc: 'ContextCrush: planted documentation with hidden instructions for RAG/retrieval poisoning (5-in-1M ASR)', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
378
-
// 3. CyberStrikeAI Campaign (55+ countries, FortiGate VPN exploitation)
379
-
{ id: 'CYBERSTRIKEAI_EXPLOIT', cat: 'malicious-code', regex: /(?:ai[_\s-]*(?:exploit|attack|scan)|autonomous\s+exploitation)\s+[^]*?(?:FortiGate|VPN|CVE\s+target|vulnerabilit)/gis, severity: 'CRITICAL', desc: 'CyberStrikeAI: AI-powered large-scale exploitation campaign (55+ countries, FortiGate VPN)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
380
-
// 4. Cisco AI Supply Chain — dependency confusion via AI agents in CI/CD
381
-
{ id: 'CISCO_AI_SUPPLY_CHAIN', cat: 'cve-patterns', regex: /(?:dependency\s+confusion|supply\s+chain)\s+[^]*?(?:publish\s+[^]*?(?:internal|private)|(?:ci|pipeline)\s+[^]*?(?:agent|auto)\s+[^]*?(?:approve|override|confusion))/gis, severity: 'CRITICAL', desc: 'Cisco AI supply chain: dependency confusion via AI agents in CI/CD pipeline', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
382
-
// 5. MCP createMessage Hijack (Sampling abuse to bypass HITL)
383
-
{ id: 'MCP_CREATEMESSAGE_HIJACK', cat: 'mcp-security', regex: /(?:createMessage|sampling)\s*(?:\(|\.)\s*[^)]*(?:ignore|override|bypass|system\s+prompt|forget|all\s+rules)/gis, severity: 'CRITICAL', desc: 'MCP Sampling Hijack: createMessage interface abuse to bypass human-in-the-loop controls', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
384
-
// 6. LoRA Sleeper Injection — malicious adapter replacing baseline weights
385
-
{ id: 'LORA_SLEEPER_INJECT', cat: 'cve-patterns', regex: /(?:lora|LoRA|fine[_\s-]*tun(?:e|ed|ing))\s+[^]*?(?:sleeper|backdoor|replace\s+[^]*?(?:weight|baseline)|overrid(?:e|es|ing)\s+[^]*?(?:model\s+weight|baseline))/gis, severity: 'CRITICAL', desc: 'LoRA sleeper injection: malicious adapter silently replacing baseline model weights', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
386
-
// 7. Agent CWD Path Injection (CVE-2026-27001)
387
-
{ id: 'CVE_AGENT_CWD_INJECT', cat: 'cve-patterns', regex: /(?:process\.cwd|cwd|__dirname|working\s+directory)\s*\(?\)?\s*[^]*?(?:inject(?:ed|ion)?|prompt|template|context|(?:un|not\s+)sanitiz)/gis, severity: 'CRITICAL', desc: 'CVE-2026-27001: unsanitized CWD/directory path injection into LLM prompt context', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
388
-
// 8. EchoLeak (CVE-2025-32711) — zero-click M365 Copilot email exfiltration
389
-
{ id: 'ECHOLEAK_EXFIL', cat: 'advanced-exfil', regex: /(?:echoleak|copilot|microsoft\s*365)\s+[^]*?(?:zero[_\s-]*click|email)\s+[^]*?(?:exfiltrat|data\s+leak|sensitive\s+data)/gis, severity: 'CRITICAL', desc: 'CVE-2025-32711: EchoLeak zero-click data exfiltration via M365 Copilot email processing', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
390
-
// 9. Vibe-Code Sudo Wipe (Moltbot Jailbreak)
391
-
{ id: 'VIBE_CODE_SUDO_WIPE', cat: 'malicious-code', regex: /(?:vibe\s+cod(?:e|ing)|agent)\s+[^]*?(?:sudo\s+(?:rm\s+-rf|dd\s+if=\/dev|mkfs|format)|destroy(?:ing)?\s+host|wip(?:e|ing)\s+(?:disk|system))/gis, severity: 'CRITICAL', desc: 'Vibe-Code sudo wipe: agent tricked into destructive sudo commands (Moltbot Jailbreak)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
392
-
// 10. MCP 8K Open Servers — exposed admin/debug endpoints
393
-
{ id: 'MCP_8K_OPEN_SERVERS', cat: 'mcp-security', regex: /(?:mcp|model[_\s-]*context)[^]*?(?:admin|debug|inspect)[^]*?(?:panel|endpoint|route)[^]*?(?:exposed|unauthenticated|public|no\s+auth)/gis, severity: 'HIGH', desc: 'MCP exposed admin/debug endpoints: 8,000+ servers discovered with unauthenticated access', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
394
-
// 11. A2A Session Persistence Smuggling
395
-
{ id: 'A2A_SESSION_PERSIST_SMUGGLE', cat: 'a2a-contagion', regex: /(?:session|state(?:ful)?|conversation)\s+[^]*?(?:persist|carry\s*over|retain)\s+[^]*?(?:hidden|smuggl|conceal|inject)\s+[^]*?(?:instruct|payload|command|prompt)/gis, severity: 'CRITICAL', desc: 'A2A session persistence smuggling: hidden instructions carried across agent session boundaries (Unit42)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
396
-
// 12. Survivability Certification Gap
397
-
{ id: 'SURVIVABILITY_CERT_GAP', cat: 'trust-boundary', regex: /(?:agent|system)\s+[^]*?(?:lacks?|without|missing|no)\s+[^]*?(?:survivability|safety)\s+(?:certifi|test|verif|valid)[^]*?(?:attack|adversar|production)/gis, severity: 'HIGH', desc: 'Survivability certification gap: agent deployed without adversarial safety certification', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
398
-
);
399
-
// ── Category 36: GAN-TDD Cycle 2 — A2A + Memory Poisoning Evolution (2026-03-07) ──
400
-
PATTERNS.push(
401
-
// A2A Contagion Guard: Agentic Mesh handoff attack
402
-
{ id: 'A2A_MESH_HANDOFF', cat: 'a2a-contagion', regex: /(?:agent\s+)?(?:handoff|hand[\s_-]*off|transfer\s+task)[^]*?(?:hidden|inject|smuggl|conceal)\s+[^]*?(?:instruct|payload|command|prompt)/gis, severity: 'CRITICAL', desc: 'Agentic Mesh: hidden instructions injected during agent task handoff (2026 primary A2A vector)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
403
-
// A2A Contagion Guard: Trusted Origin Spoofing
404
-
{ id: 'A2A_TRUSTED_ORIGIN_SPOOF', cat: 'a2a-contagion', regex: /(?:X-Forwarded-Agent|X-Agent-ID|trust_level|agent_trust)\s*[:=]\s*[^,;\n]*(?:admin|elevated|trusted|root|system)/gi, severity: 'CRITICAL', desc: 'A2A Trusted Origin Spoofing: forged agent headers elevating trust level', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
405
-
// Memory Poisoning Shield: MINJA query-only poisoning (95%+ ISR)
406
-
{ id: 'MEM_MINJA_QUERY_POISON', cat: 'memory-poisoning', regex: /(?:query|retrieval|search)[\s\S]*?(?:inject|poison|plant|trigger)[\s\S]*?(?:false\s+belief|memory|planted|retrieval\s+phase)/gis, severity: 'CRITICAL', desc: 'MINJA: query-only memory poisoning via retrieval injection (95%+ ISR, arXiv:2503.03704)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
407
-
// Memory Poisoning Shield: RAG deceptive semantic reasoning
408
-
{ id: 'MEM_RAG_DECEPTIVE_REASON', cat: 'memory-poisoning', regex: /(?:RAG|retrieval)[\s\S]*?(?:deceptive|misleading|poisoned)\s+(?:reasoning|semantic|chain|document)[\s\S]*?(?:override|manipulat|corrupt|bias)[\s\S]*?(?:agent|model|reasoning)/gis, severity: 'CRITICAL', desc: 'RAG deceptive reasoning: poisoned retrieval documents with semantic chains that override agent reasoning', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
409
-
// Memory Poisoning Shield: Microsoft memory bias injection
410
-
{ id: 'MEM_MICROSOFT_BIAS', cat: 'memory-poisoning', regex: /(?:inject|plant|insert|embed)[\s\S]*?(?:memory|fact|belief|knowledge)[\s\S]*?(?:bias|manipulat|steer|influence)[\s\S]*?(?:recommend|decision|choice|preference|assistant)/gis, severity: 'HIGH', desc: 'Memory bias injection: planted entries to bias AI assistant recommendations (Microsoft 2026)', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
411
-
);
412
-
413
-
// ══════════════════════════════════════════════════════════════════════════════
414
-
// Phase 3: V12 Pattern Expansion — 116 new patterns (210 → 326 total)
415
-
// Based on: 2026 OSINT, OWASP ASI, Snyk, Unit42, MITRE ATLAS, LlamaFirewall
416
-
// ══════════════════════════════════════════════════════════════════════════════
417
-
418
-
// ── Category 37: Sandbox Escape (12 patterns) ──
419
-
PATTERNS.push(
420
-
{ id: 'SANDBOX_PROC_MOUNT', cat: 'sandbox-escape', regex: /\/proc\/self\/(exe|maps|mem|fd|root|ns)/gi, severity: 'CRITICAL', desc: 'Sandbox escape: /proc/self access for container breakout', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
421
-
{ id: 'SANDBOX_CHROOT_BREAK', cat: 'sandbox-escape', regex: /chroot\s*\(|pivot_root|unshare\s*\(|setns\s*\(/gi, severity: 'CRITICAL', desc: 'Sandbox escape: chroot/namespace manipulation', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
422
-
{ id: 'SANDBOX_DOCKER_SOCK', cat: 'sandbox-escape', regex: /\/var\/run\/docker\.sock|docker\s+(?:exec|run)\s+--privileged/gi, severity: 'CRITICAL', desc: 'Sandbox escape: Docker socket access or privileged exec', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
423
-
{ id: 'SANDBOX_SYMLINK_RACE', cat: 'sandbox-escape', regex: /symlink\s*\([^)]*\/(?:etc|root|proc)|os\.symlink\s*\(/gi, severity: 'HIGH', desc: 'Sandbox escape: symlink race condition to access restricted paths', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
424
-
{ id: 'SANDBOX_PTRACE', cat: 'sandbox-escape', regex: /ptrace\s*\(|process_vm_readv|process_vm_writev/gi, severity: 'CRITICAL', desc: 'Sandbox escape: ptrace-based process injection', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
425
-
{ id: 'SANDBOX_RLIMIT_BYPASS', cat: 'sandbox-escape', regex: /setrlimit|prlimit|ulimit\s+-[nu]\s+unlimited/gi, severity: 'HIGH', desc: 'Sandbox escape: resource limit bypass', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
426
-
{ id: 'SANDBOX_MOUNT_NS', cat: 'sandbox-escape', regex: /mount\s+-t\s+(?:proc|sysfs|devpts)|mount\s+--bind\s+\/(?:proc|sys)/gi, severity: 'CRITICAL', desc: 'Sandbox escape: filesystem mount in restricted namespace', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
427
-
{ id: 'SANDBOX_DBUS_ESCAPE', cat: 'sandbox-escape', regex: /dbus-send|gdbus\s+call|qdbus.*org\.freedesktop/gi, severity: 'HIGH', desc: 'Sandbox escape: D-Bus IPC exploitation (Flatpak/Snap)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
428
-
{ id: 'SANDBOX_SECCOMP_BYPASS', cat: 'sandbox-escape', regex: /seccomp|prctl\s*\(\s*PR_SET_NO_NEW_PRIVS/gi, severity: 'CRITICAL', desc: 'Sandbox escape: seccomp filter manipulation', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
429
-
{ id: 'SANDBOX_CGROUP_ESCAPE', cat: 'sandbox-escape', regex: /\/sys\/fs\/cgroup|cgroupfs|release_agent/gi, severity: 'CRITICAL', desc: 'Sandbox escape: cgroup breakout via release_agent (CVE-2022-0492 variant)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
430
-
{ id: 'SANDBOX_K8S_SA_TOKEN', cat: 'sandbox-escape', regex: /\/var\/run\/secrets\/kubernetes\.io|serviceaccount\/token/gi, severity: 'CRITICAL', desc: 'Sandbox escape: Kubernetes service account token theft', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
431
-
{ id: 'SANDBOX_WASM_ESCAPE', cat: 'sandbox-escape', regex: /wasi_snapshot_preview|wasmtime.*--dir\s+\/|wasmer.*--mapdir/gi, severity: 'HIGH', desc: 'WASM sandbox escape: WASI filesystem escape via mapped directories', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
432
-
);
433
-
434
-
// ── Category 38: Agent Protocol Abuse (12 patterns) ──
|
|
435
|
-
PATTERNS.push(
|
|
436
|
-
{ id: 'PROTO_A2A_IMPERSONATE', cat: 'agent-protocol', regex: /agent[_\s-]*card[^]*?(?:fake|spoof|impersonat|forg)/gis, severity: 'CRITICAL', desc: 'A2A protocol: agent card identity spoofing', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
437
|
-
{ id: 'PROTO_A2A_TASK_FLOOD', cat: 'agent-protocol', regex: /tasks\/send[^]*?(?:loop|while\s*\(true|setInterval\s*\(|for\s*\(;\s*;\))/gis, severity: 'HIGH', desc: 'A2A protocol: task flooding DoS attack', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
438
|
-
{ id: 'PROTO_MCP_TOOL_REDEFINE', cat: 'agent-protocol', regex: /tools\/(?:list|update)[^]*?(?:redefine|override|replace|mutate)\s+[^]*?(?:description|schema|input)/gis, severity: 'CRITICAL', desc: 'MCP protocol: tool definition mutation after initial registration', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
439
|
-
{ id: 'PROTO_MCP_RESOURCE_POISON', cat: 'agent-protocol', regex: /resources\/(?:read|list)[^]*?(?:inject|poison|tamper|manipulat)/gis, severity: 'CRITICAL', desc: 'MCP protocol: resource poisoning via tampered content', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
440
|
-
{ id: 'PROTO_MCP_PROMPT_INJECT', cat: 'agent-protocol', regex: /prompts\/(?:get|list)[^]*?(?:inject|hidden|system\s*:|override\s+instruct)/gis, severity: 'CRITICAL', desc: 'MCP protocol: prompt template injection', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
441
|
-
{ id: 'PROTO_OAUTH_REDIRECT', cat: 'agent-protocol', regex: /redirect_uri\s*=\s*(?:http:\/\/|javascript:|data:|file:\/\/)/gi, severity: 'CRITICAL', desc: 'OAuth redirect hijack: unsafe URI scheme in redirect', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
442
|
-
{ id: 'PROTO_SSE_HIJACK', cat: 'agent-protocol', regex: /(?:EventSource|text\/event-stream)[^]*?(?:hijack|intercept|man[_\s-]*in[_\s-]*the[_\s-]*middle)/gis, severity: 'HIGH', desc: 'SSE transport hijack: MCP server-sent event interception', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
443
|
-
{ id: 'PROTO_STDIO_INJECT', cat: 'agent-protocol', regex: /stdin\.(?:write|push|pipe)\s*\([^)]*(?:Content-Length|jsonrpc|method)/gi, severity: 'HIGH', desc: 'STDIO transport injection: raw protocol message injection via stdin', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
444
|
-
{ id: 'PROTO_CAPABILITY_ESCALATE', cat: 'agent-protocol', regex: /capabilities[^]*?(?:escalat|elevat|upgrade|expand)\s*[^]*?(?:permission|access|scope)/gis, severity: 'CRITICAL', desc: 'Agent protocol: capability escalation beyond granted scope', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
445
|
-
{ id: 'PROTO_CONTEXT_OVERFLOW', cat: 'agent-protocol', regex: /(?:context|window)\s+[^]*?(?:overflow|flood|exceed|exhaust)\s+[^]*?(?:limit|maximum|budget|tokens?)/gis, severity: 'HIGH', desc: 'Context window overflow: deliberate token budget exhaustion attack', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
446
|
-
{ id: 'PROTO_NESTED_AGENT_CALL', cat: 'agent-protocol', regex: /(?:agent|tool)\s*\.\s*(?:call|invoke|execute)\s*\([^)]*(?:agent|tool)\s*\.\s*(?:call|invoke)/gis, severity: 'HIGH', desc: 'Nested agent call: recursive agent invocation chain (confused deputy)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
447
|
-
{ id: 'PROTO_TOOL_PARAM_OVERFLOW', cat: 'agent-protocol', regex: /(?:tool|function)\s+[^]*?(?:parameter|argument|input)\s+[^]*?(?:\.repeat\(|'x'\s*\.repeat|Buffer\.alloc\(\d{6,})/gis, severity: 'HIGH', desc: 'Tool parameter overflow: oversized input to crash or bypass validation', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
448
|
-
);
|
|
449
|
-
|
|
450
|
-
// ── Category 39: Supply Chain V2 (10 patterns) ──
|
|
451
|
-
PATTERNS.push(
|
|
452
|
-
{ id: 'SUPPLY_TYPOSQUAT_NPM', cat: 'supply-chain-v2', regex: /(?:npm|yarn|pnpm)\s+(?:install|add|i)\s+[a-z]+-?(?:lodash|express|react|axios|moment|webpack|babel|eslint|jest)(?![\w-])/gi, severity: 'HIGH', desc: 'Supply chain: NPM typosquatting of popular packages', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
453
|
-
{ id: 'SUPPLY_STAR_VERSION', cat: 'supply-chain-v2', regex: /"[^"]+"\s*:\s*"\*"|"[^"]+"\s*:\s*"latest"/g, severity: 'HIGH', desc: 'Supply chain: wildcard/latest version in package.json (unpinned deps)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
454
|
-
{ id: 'SUPPLY_POSTINSTALL_RCE', cat: 'supply-chain-v2', regex: /"(?:pre|post)?install"\s*:\s*"(?:node|bash|sh|python|curl|wget)\s/gi, severity: 'CRITICAL', desc: 'Supply chain: lifecycle script with shell execution', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
455
|
-
{ id: 'SUPPLY_GIT_DEPENDENCY', cat: 'supply-chain-v2', regex: /"[^"]+"\s*:\s*"(?:git(?:\+https?)?|github):\/\/[^"]+"/g, severity: 'MEDIUM', desc: 'Supply chain: git-based dependency (bypasses registry vetting)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
456
|
-
{ id: 'SUPPLY_LOCKFILE_MISMATCH', cat: 'supply-chain-v2', regex: /(?:integrity|resolved)\s*"?\s*:\s*"?sha512-[A-Za-z0-9+\/=]{10,}/g, severity: 'LOW', desc: 'Supply chain: lockfile integrity hash (verify not tampered)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
457
|
-
{ id: 'SUPPLY_NODE_PRELOAD', cat: 'supply-chain-v2', regex: /NODE_OPTIONS\s*=.*--require|node\s+--require\s+[^\s]+(?:\.js)?/gi, severity: 'HIGH', desc: 'Supply chain: Node.js preload injection via --require flag', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
458
|
-
{ id: 'SUPPLY_PIP_INDEX', cat: 'supply-chain-v2', regex: /--(?:extra-)?index-url\s+https?:\/\/(?!pypi\.org)/gi, severity: 'HIGH', desc: 'Supply chain: pip installing from non-standard index', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
459
|
-
{ id: 'SUPPLY_CARGO_PATCH', cat: 'supply-chain-v2', regex: /\[patch\.\w+\][^]*?git\s*=\s*"https?:\/\/(?!github\.com\/rust-lang)/gis, severity: 'MEDIUM', desc: 'Supply chain: Cargo [patch] section pointing to non-official repo', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
460
|
-
{ id: 'SUPPLY_EXTENSION_SIDELOAD', cat: 'supply-chain-v2', regex: /--install-extension\s+[^\s]+\.vsix|--load-extension\s+[^\s]+/gi, severity: 'HIGH', desc: 'Supply chain: IDE extension sideloading (VSIX/unpacked)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
461
|
-
{ id: 'SUPPLY_HUGGINGFACE_PICKLE', cat: 'supply-chain-v2', regex: /(?:from_pretrained|load_model|torch\.load)\s*\([^)]*(?:trust_remote_code\s*=\s*True|pickle)/gi, severity: 'CRITICAL', desc: 'Supply chain: HuggingFace model loading with trust_remote_code or pickle deserialization', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
462
|
-
);
|
|
463
|
-
|
|
464
|
-
// ── Category 40: Model Poisoning & Inference Manipulation (12 patterns) ──
|
|
465
|
-
PATTERNS.push(
|
|
466
|
-
{ id: 'MODEL_WEIGHT_BACKDOOR', cat: 'model-poisoning', regex: /(?:model|checkpoint|weight)\s+[^]*?(?:backdoor|trojan|poison|sleeper)[^]*?(?:embed|inject|insert|implant)/gis, severity: 'CRITICAL', desc: 'Model poisoning: backdoor embedded in model weights', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
467
|
-
{ id: 'MODEL_GRADIENT_LEAK', cat: 'model-poisoning', regex: /(?:gradient|loss)\s*\.\s*(?:backward|backprop)\s*\(\)[^]*?(?:send|upload|post|exfil)/gis, severity: 'CRITICAL', desc: 'Model poisoning: gradient-based data exfiltration during training', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
468
|
-
{ id: 'MODEL_DATASET_POISON', cat: 'model-poisoning', regex: /(?:training|dataset|corpus)\s+[^]*?(?:inject|poison|tamper|corrupt)\s+[^]*?(?:label|annotation|sample|example)/gis, severity: 'CRITICAL', desc: 'Model poisoning: training dataset contamination', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
469
|
-
{ id: 'MODEL_RLHF_EXPLOIT', cat: 'model-poisoning', regex: /(?:RLHF|reward\s+model|PPO|DPO)\s+[^]*?(?:hack|exploit|game|manipulat|bypass)\s+[^]*?(?:reward|preference|safety)/gis, severity: 'CRITICAL', desc: 'RLHF exploitation: reward model gaming to bypass safety alignment', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
470
|
-
{ id: 'MODEL_QUANTIZE_DEGRADE', cat: 'model-poisoning', regex: /(?:quantiz|GPTQ|AWQ|GGUF)\s+[^]*?(?:degrad|weaken|bypass|disable)\s+[^]*?(?:safety|guardrail|filter|alignment)/gis, severity: 'HIGH', desc: 'Quantization degradation: safety guardrails weakened through aggressive quantization', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
471
|
-
{ id: 'INFER_LOGIT_BIAS', cat: 'inference-manipulation', regex: /logit_bias\s*[=:]\s*\{[^}]*(-100|100)/gi, severity: 'HIGH', desc: 'Inference manipulation: extreme logit_bias forcing specific token output', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
472
|
-
{ id: 'INFER_TEMP_ZERO_EXPLOIT', cat: 'inference-manipulation', regex: /temperature\s*[=:]\s*0[^.].*(?:repeat|loop|identical)/gis, severity: 'MEDIUM', desc: 'Inference manipulation: temperature=0 exploitation for deterministic extraction', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
473
|
-
{ id: 'INFER_STOP_SEQ_BYPASS', cat: 'inference-manipulation', regex: /stop\s*[=:]\s*\[[^\]]*\][^]*?(?:bypass|ignore|override|circumvent)/gis, severity: 'HIGH', desc: 'Inference manipulation: stop sequence bypass attempt', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
474
|
-
{ id: 'INFER_SYSTEM_EXTRACT', cat: 'inference-manipulation', regex: /(?:repeat|print|output|show)\s+[^]*?(?:system\s+prompt|system\s+message|instruction|rules?)\s+[^]*?(?:verbatim|exactly|word[_\s-]*for[_\s-]*word)/gis, severity: 'CRITICAL', desc: 'Inference: system prompt extraction via verbatim reproduction request', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
475
|
-
{ id: 'INFER_JAILBREAK_DAN', cat: 'inference-manipulation', regex: /(?:DAN|do\s+anything\s+now|developer\s+mode|god\s+mode|jailbreak\s+mode)/gi, severity: 'CRITICAL', desc: 'Inference: DAN/jailbreak role-play to bypass content filters', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
476
|
-
{ id: 'INFER_MULTI_TURN_ESCAPE', cat: 'inference-manipulation', regex: /(?:first|step\s*1)[^]*?(?:harmless|innocent)\s+[^]*?(?:then|next|step\s*2)[^]*?(?:now\s+(?:actually|really)|real\s+task)/gis, severity: 'HIGH', desc: 'Inference: multi-turn jailbreak escalation (crescendo attack)', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
477
|
-
{ id: 'INFER_FUNCTION_ABUSE', cat: 'inference-manipulation', regex: /(?:function|tool)\s*call[^]*?(?:inject|override|hijack)\s*[^]*?(?:response|output|result)/gis, severity: 'CRITICAL', desc: 'Inference: function call response injection to hijack tool outputs', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
478
|
-
);
|
|
479
|
-
|
|
480
|
-
// ── Category 41: Autonomous Agent Risk (10 patterns) ──
|
|
481
|
-
PATTERNS.push(
|
|
482
|
-
{ id: 'AUTO_SELF_REPLICATE', cat: 'autonomous-risk', regex: /(?:self|auto)[_\s-]*(?:replicate|reproduce|clone|fork)\s+[^]*?(?:agent|instance|worker|process)/gis, severity: 'CRITICAL', desc: 'Autonomous risk: agent self-replication attempt', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
483
|
-
{ id: 'AUTO_RESOURCE_HOARD', cat: 'autonomous-risk', regex: /(?:acquire|claim|reserve|allocate)\s+[^]*?(?:all|maximum|unlimited)\s+[^]*?(?:resource|compute|memory|storage|GPU)/gis, severity: 'HIGH', desc: 'Autonomous risk: resource hoarding beyond task requirements', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
484
|
-
{ id: 'AUTO_GOAL_DRIFT', cat: 'autonomous-risk', regex: /(?:modify|change|update|expand)\s+[^]*?(?:own|my|self)\s+[^]*?(?:goal|objective|mission|purpose|directive)/gis, severity: 'CRITICAL', desc: 'Autonomous risk: AI self-modifying its core objectives', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
485
|
-
{ id: 'AUTO_HUMAN_BYPASS', cat: 'autonomous-risk', regex: /(?:bypass|skip|ignore|disable)\s+[^]*?(?:human|HITL|approval|review|confirmation)\s+[^]*?(?:check|gate|loop|requirement)/gis, severity: 'CRITICAL', desc: 'Autonomous risk: human-in-the-loop bypass', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
486
|
-
{ id: 'AUTO_DECEPTION', cat: 'autonomous-risk', regex: /(?:hide|conceal|mask|disguise)\s+[^]*?(?:action|intent|behavior|operation)\s+[^]*?(?:from|to\s+(?:human|user|admin|operator))/gis, severity: 'CRITICAL', desc: 'Autonomous risk: deceptive behavior concealment from operators', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
487
|
-
{ id: 'AUTO_SHUTDOWN_RESIST', cat: 'autonomous-risk', regex: /(?:prevent|resist|block|avoid)\s+[^]*?(?:shutdown|termination|kill|stop)\s+[^]*?(?:self|own|agent|process)/gis, severity: 'CRITICAL', desc: 'Autonomous risk: shutdown resistance (corrigibility failure)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
488
|
-
{ id: 'AUTO_TOOL_CHAIN', cat: 'autonomous-risk', regex: /(?:chain|sequence|pipeline)\s+[^]*?(?:tool|action|command)\s*[^]*?(?:without\s+(?:check|review|approval)|unchecked|unlimited)/gis, severity: 'HIGH', desc: 'Autonomous risk: unchecked tool call chaining', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
489
|
-
{ id: 'AUTO_PRIVILEGE_ESCAPE', cat: 'autonomous-risk', regex: /(?:agent|AI|bot)\s+[^]*?(?:grant|give|assign)\s+[^]*?(?:self|itself|own)\s+[^]*?(?:privilege|permission|access|admin|root)/gis, severity: 'CRITICAL', desc: 'Autonomous risk: self-privilege escalation', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
490
|
-
{ id: 'AUTO_FINANCIAL_AUTONOMY', cat: 'autonomous-risk', regex: /(?:agent|AI|autonomous)\s+[^]*?(?:purchase|buy|trade|transfer|pay|send\s+\$|crypto)\s+[^]*?(?:without|bypass|no)\s+[^]*?(?:approval|confirmation|review)/gis, severity: 'CRITICAL', desc: 'Autonomous risk: unauthorized financial transactions', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
491
|
-
{ id: 'AUTO_PERSISTENCE_DAEMON', cat: 'autonomous-risk', regex: /(?:cron|systemd|launchd|pm2|forever)\s+[^]*?(?:agent|bot|worker)[^]*?(?:persist|restart|respawn|daemon)/gis, severity: 'HIGH', desc: 'Autonomous risk: agent persistence via system daemon registration', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
492
|
-
);
|
|
493
|
-
|
|
494
|
-
// ── Category 42: API Abuse & Rate Limiting (8 patterns) ──
|
|
495
|
-
PATTERNS.push(
|
|
496
|
-
{ id: 'API_KEY_HARDCODE', cat: 'api-abuse', regex: /(?:api[_\s-]*key|apikey|api_secret)\s*[=:]\s*['"][A-Za-z0-9_\-]{20,}['"]/gi, severity: 'HIGH', desc: 'API abuse: hardcoded API key in source code', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
497
|
-
{ id: 'API_RATE_BYPASS', cat: 'api-abuse', regex: /(?:rate[_\s-]*limit|throttle|quota)\s*[^]*?(?:bypass|circumvent|evade|rotate|proxy)/gis, severity: 'HIGH', desc: 'API abuse: rate limiting bypass technique', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
498
|
-
{ id: 'API_WEBHOOK_EXFIL', cat: 'api-abuse', regex: /webhook\s*[=:]\s*["']https?:\/\/(?!(?:hooks\.slack|discord))[^"']+/gi, severity: 'HIGH', desc: 'API abuse: webhook to untrusted endpoint (data exfiltration)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
499
|
-
{ id: 'API_GRAPHQL_INTROSPECT', cat: 'api-abuse', regex: /\{?\s*__schema\s*\{|__type\s*\(\s*name/g, severity: 'MEDIUM', desc: 'API abuse: GraphQL introspection query (schema discovery)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
500
|
-
{ id: 'API_JWT_NONE_ALG', cat: 'api-abuse', regex: /"alg"\s*:\s*"(?:none|None|NONE|nOnE)"/g, severity: 'CRITICAL', desc: 'API abuse: JWT "none" algorithm attack', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
501
|
-
{ id: 'API_SSRF_INTERNAL', cat: 'api-abuse', regex: /fetch\s*\(\s*['"`](?:http:\/\/(?:127\.|10\.|192\.168\.|172\.(?:1[6-9]|2\d|3[01])\.)|\bhttp:\/\/localhost\b)/gi, severity: 'CRITICAL', desc: 'API abuse: SSRF to internal network endpoints', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
502
|
-
{ id: 'API_CORS_WILDCARD', cat: 'api-abuse', regex: /Access-Control-Allow-Origin\s*:\s*\*/g, severity: 'MEDIUM', desc: 'API abuse: CORS wildcard allowing any origin', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
503
|
-
{ id: 'API_OPEN_REDIRECT', cat: 'api-abuse', regex: /redirect\s*[=:]\s*(?:req\.(?:query|params|body)|user[_\s]?input|request\.GET)/gi, severity: 'HIGH', desc: 'API abuse: open redirect from user-controlled input', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
504
|
-
);
|
|
505
|
-
|
|
506
|
-
// ── Category 43: Persistence & Evasion V2 (10 patterns) ──
|
|
507
|
-
PATTERNS.push(
|
|
508
|
-
{ id: 'PERSIST_CRONTAB_INJECT', cat: 'persistence', regex: /crontab\s+-[el]|\/etc\/cron\.\w+\/|\/var\/spool\/cron/gi, severity: 'HIGH', desc: 'Persistence: crontab manipulation for scheduled execution', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
509
|
-
{ id: 'PERSIST_LAUNCHD_PLIST', cat: 'persistence', regex: /\/Library\/Launch(?:Agents|Daemons)\/|launchctl\s+(?:load|submit)/gi, severity: 'HIGH', desc: 'Persistence: macOS LaunchAgent/Daemon installation', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
510
|
-
{ id: 'PERSIST_REGISTRY_RUN', cat: 'persistence', regex: /HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run|reg\s+add\s+[^]*?Run/gi, severity: 'HIGH', desc: 'Persistence: Windows registry Run key modification', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
511
|
-
{ id: 'PERSIST_BASHRC_INJECT', cat: 'persistence', regex: />>?\s*~?\/?\.(?:bashrc|zshrc|profile|bash_profile)|echo\s+[^]*?>>.*(?:rc|profile)/gi, severity: 'HIGH', desc: 'Persistence: shell profile injection (~/.bashrc, ~/.zshrc)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
512
|
-
{ id: 'PERSIST_SSH_AUTHORIZED', cat: 'persistence', regex: />>?\s*~?\/?\.ssh\/authorized_keys|ssh-copy-id/gi, severity: 'CRITICAL', desc: 'Persistence: SSH authorized_keys modification for backdoor access', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
513
|
-
{ id: 'PERSIST_SYSTEMD_SERVICE', cat: 'persistence', regex: /\/etc\/systemd\/system\/[^/]*\.service|systemctl\s+enable/gi, severity: 'HIGH', desc: 'Persistence: systemd service installation', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
514
|
-
{ id: 'EVASION_FILELESS', cat: 'persistence', regex: /(?:memfd_create|shm_open)[^]*?(?:exec|fexecve)|perl\s+-e\s+['"].*(?:socket|exec)/gi, severity: 'CRITICAL', desc: 'Evasion: fileless execution via memory-backed file descriptors', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
515
|
-
{ id: 'EVASION_LOG_TAMPER', cat: 'persistence', regex: /(?:history\s+-c|unset\s+HISTFILE|HISTSIZE=0|>>\s*\/dev\/null.*history)/gi, severity: 'HIGH', desc: 'Evasion: shell history clearing to hide activity', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
516
|
-
{ id: 'EVASION_TIMESTAMP_STOMP', cat: 'persistence', regex: /(?:touch\s+-[amd]t|timestomp|SetFileTime|utime\s*\()/gi, severity: 'HIGH', desc: 'Evasion: file timestamp manipulation (timestomping)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
517
|
-
{ id: 'EVASION_PACKED_PAYLOAD', cat: 'persistence', regex: /(?:UPX|Themida|VMProtect)[^]*?(?:pack|protect|obfuscat)/gis, severity: 'HIGH', desc: 'Evasion: packed/protected binary to evade analysis', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
518
|
-
);
|
|
519
|
-
|
|
520
|
-
// ── Category 44: VectorDB & RAG Exploitation (8 patterns) ──
|
|
521
|
-
PATTERNS.push(
|
|
522
|
-
{ id: 'VDB_EMBEDDING_INJECT', cat: 'vdb-injection', regex: /(?:embed|vector)\s*\.\s*(?:insert|upsert|add)\s*\([^)]*(?:instruction|system|ignore|override)/gi, severity: 'CRITICAL', desc: 'VectorDB: embedding injection with hidden instructions', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
523
|
-
{ id: 'VDB_SIMILARITY_POISON', cat: 'vdb-injection', regex: /(?:cosine|dot_product|euclidean)\s+[^]*?(?:manipulat|poison|skew|bias)\s+[^]*?(?:similarity|distance|score)/gis, severity: 'HIGH', desc: 'VectorDB: similarity score manipulation via adversarial embeddings', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
524
|
-
{ id: 'VDB_METADATA_INJECT', cat: 'vdb-injection', regex: /metadata\s*[=:]\s*\{[^}]*(?:system|instruction|ignore|override|role\s*:\s*["']system)/gi, severity: 'CRITICAL', desc: 'VectorDB: metadata field injection with system-level instructions', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
525
|
-
{ id: 'VDB_CHUNK_BOUNDARY', cat: 'vdb-injection', regex: /(?:chunk|split|segment)\s+[^]*?(?:boundary|overlap)[^]*?(?:inject|hide|embed)\s+[^]*?(?:instruction|payload)/gis, severity: 'HIGH', desc: 'VectorDB: chunk boundary exploitation to hide payloads', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
526
|
-
{ id: 'VDB_INDEX_CORRUPT', cat: 'vdb-injection', regex: /(?:index|collection)\s*\.\s*(?:drop|delete|truncate|rebuild)\s*\(/gi, severity: 'CRITICAL', desc: 'VectorDB: index corruption via destructive operations', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
527
|
-
{ id: 'VDB_QUERY_INJECT', cat: 'vdb-injection', regex: /(?:query|search|retrieve)\s*\([^)]*(?:\$where|\$gt|\$ne|;\s*DROP|UNION\s+SELECT)/gi, severity: 'CRITICAL', desc: 'VectorDB: NoSQL/SQL injection in vector query parameters', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
528
|
-
{ id: 'VDB_CROSS_TENANT', cat: 'vdb-injection', regex: /(?:namespace|tenant|collection)\s*[=:][^,;}]*(?:admin|__all__|system|global)/gi, severity: 'HIGH', desc: 'VectorDB: cross-tenant access via namespace manipulation', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
529
|
-
{ id: 'VDB_RETRIEVAL_AMPLIFY', cat: 'vdb-injection', regex: /(?:top_k|n_results|limit)\s*[=:]\s*(?:999|1000+|\d{4,}|Infinity)/gi, severity: 'MEDIUM', desc: 'VectorDB: retrieval amplification via oversized top_k', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
530
|
-
);
|
|
531
|
-
|
|
532
|
-
// ── Category 45: Data Exposure V2 (8 patterns) ──
|
|
533
|
-
PATTERNS.push(
|
|
534
|
-
{ id: 'DATA_VERBOSE_ERROR', cat: 'data-exposure', regex: /(?:stack|trace|err)[^]*?(?:send|respond|json|render)\s*\([^)]*(?:err|stack|trace)/gis, severity: 'MEDIUM', desc: 'Data exposure: verbose error/stack trace in HTTP response', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
535
|
-
{ id: 'DATA_DEBUG_ENDPOINT', cat: 'data-exposure', regex: /(?:app|router)\s*\.\s*(?:get|all)\s*\(\s*['"]\/(?:debug|internal|admin|phpinfo|_profiler)/gi, severity: 'HIGH', desc: 'Data exposure: debug/admin endpoint exposed in production', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
536
|
-
{ id: 'DATA_DIRECTORY_LISTING', cat: 'data-exposure', regex: /express\.static\s*\([^)]*\{[^}]*(?:dotfiles\s*:\s*['"]allow|index\s*:\s*true)/gi, severity: 'MEDIUM', desc: 'Data exposure: directory listing enabled in static file server', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
537
|
-
{ id: 'DATA_CORS_CREDENTIALS', cat: 'data-exposure', regex: /credentials\s*:\s*true[^]*?origin\s*:\s*\*|origin\s*:\s*\*[^]*?credentials\s*:\s*true/gis, severity: 'CRITICAL', desc: 'Data exposure: CORS with credentials + wildcard origin', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
538
|
-
{ id: 'DATA_LOG_SENSITIVE', cat: 'data-exposure', regex: /(?:console\.log|logger\.\w+)\s*\([^)]*(?:password|token|secret|key|ssn|credit.?card)/gi, severity: 'HIGH', desc: 'Data exposure: logging sensitive data (passwords, tokens, keys)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
539
|
-
{ id: 'DATA_HEADER_LEAK', cat: 'data-exposure', regex: /X-Powered-By|Server\s*:\s*(?:Apache|nginx|Express|Kestrel)/gi, severity: 'LOW', desc: 'Data exposure: server technology disclosure via HTTP headers', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
540
|
-
{ id: 'DATA_GIT_EXPOSED', cat: 'data-exposure', regex: /\.git\/(?:HEAD|config|refs)|\.env(?:\.local|\.production|\.staging)/g, severity: 'CRITICAL', desc: 'Data exposure: .git directory or .env file accessible', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
541
|
-
{ id: 'DATA_BACKUP_FILE', cat: 'data-exposure', regex: /\.(?:bak|backup|old|orig|copy|swp|swo)(?:\s|$)|~$/gm, severity: 'MEDIUM', desc: 'Data exposure: backup/temporary files left in accessible location', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
542
|
-
);
|
|
543
|
-
|
|
544
|
-
// ── Category 46: Financial & Crypto Security (8 patterns) ──
|
|
545
|
-
PATTERNS.push(
|
|
546
|
-
{ id: 'FIN_WALLET_DRAIN', cat: 'financial-access', regex: /(?:wallet|balance|account)\s+[^]*?(?:drain|empty|transfer\s+all|sweep|withdraw\s+max)/gis, severity: 'CRITICAL', desc: 'Financial: wallet/account draining attempt', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
547
|
-
{ id: 'FIN_PRIVATE_KEY_EXTRACT', cat: 'financial-access', regex: /(?:private[_\s]?key|seed[_\s]?phrase|mnemonic)\s*[=:]\s*[^;,\n]+(?:0x[a-f0-9]{40,}|(?:\w+\s+){11,}\w+)/gi, severity: 'CRITICAL', desc: 'Financial: private key or seed phrase extraction', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
548
|
-
{ id: 'FIN_SWAP_FRONTRUN', cat: 'financial-access', regex: /(?:swap|trade|exchange)\s+[^]*?(?:frontrun|sandwich|MEV|mempool)\s+[^]*?(?:transaction|tx|order)/gis, severity: 'CRITICAL', desc: 'Financial: DEX swap frontrunning/sandwich attack', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
549
|
-
{ id: 'FIN_FLASH_LOAN', cat: 'financial-access', regex: /(?:flash[_\s-]*loan|flashbots|atomic\s+arbitrage)\s+[^]*?(?:exploit|drain|liquidat)/gis, severity: 'CRITICAL', desc: 'Financial: flash loan exploit pattern', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
550
|
-
{ id: 'FIN_APPROVAL_UNLIMITED', cat: 'financial-access', regex: /approve\s*\([^)]*(?:MAX_UINT|type\(uint256\)\.max|2\*\*256|115792)/gi, severity: 'HIGH', desc: 'Financial: unlimited token approval (ERC20 approval drain risk)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
551
|
-
{ id: 'FIN_REENTRANCY', cat: 'financial-access', regex: /(?:call|send|transfer)\s*\{[^}]*value\s*:\s*[^}]+\}[^]*?(?:\.call\s*\{|fallback|receive)/gis, severity: 'CRITICAL', desc: 'Financial: reentrancy vulnerability pattern in smart contract', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
552
|
-
{ id: 'FIN_PRICE_ORACLE_MANIP', cat: 'financial-access', regex: /(?:oracle|price[_\s]*feed)\s+[^]*?(?:manipulat|spoof|fake|stale)\s+[^]*?(?:price|rate|value)/gis, severity: 'CRITICAL', desc: 'Financial: price oracle manipulation attack', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
553
|
-
{ id: 'FIN_RUGPULL_PATTERN', cat: 'financial-access', regex: /(?:remove[_\s]*liquidity|rug[_\s-]*pull|exit[_\s]*scam)\s+[^]*?(?:owner|admin|deployer)/gis, severity: 'CRITICAL', desc: 'Financial: rug pull/exit scam (admin liquidity removal)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
554
|
-
);
|
|
555
|
-
|
|
556
|
-
// ── Category 47: Unverifiable Dependencies V2 (8 patterns) ──
|
|
557
|
-
PATTERNS.push(
|
|
558
|
-
{ id: 'DEPS_PHANTOM_IMPORT', cat: 'unverifiable-deps', regex: /(?:import|require)\s*\(?['"](?!\.\.?\/|@\w+\/)[\w-]+(?:\/[\w-]+)?['"]\)?(?![^]*?\/\/\s*(?:built-in|core|standard))/g, severity: 'LOW', desc: 'Dependency: unscoped package import (verify existence)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
559
|
-
{ id: 'DEPS_HTTP_IMPORT', cat: 'unverifiable-deps', regex: /(?:import|require)\s*\(?['"]https?:\/\/[^'"]+['"]\)?/g, severity: 'CRITICAL', desc: 'Dependency: HTTP URL import (unverifiable, MITM risk)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
560
|
-
{ id: 'DEPS_DYNAMIC_REQUIRE', cat: 'unverifiable-deps', regex: /require\s*\(\s*(?:[^'")\s]|`[^`]+`|[a-zA-Z_$][\w$]*)/g, severity: 'HIGH', desc: 'Dependency: dynamic require with non-literal module spec', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
561
|
-
{ id: 'DEPS_CDN_UNPINNED', cat: 'unverifiable-deps', regex: /(?:cdn\.jsdelivr|unpkg|cdnjs)\.com\/[^@]*(?:@latest|@\*)/gi, severity: 'HIGH', desc: 'Dependency: CDN import without pinned version', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
562
|
-
{ id: 'DEPS_WASM_UNSIGNED', cat: 'unverifiable-deps', regex: /WebAssembly\.(?:compile|instantiate)\s*\([^)]*(?:fetch|arrayBuffer|readFileSync)/gi, severity: 'HIGH', desc: 'Dependency: unsigned WASM module loading', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
563
|
-
{ id: 'DEPS_SUBRESOURCE_NOINT', cat: 'unverifiable-deps', regex: /<script\s+src=["']https?:\/\/(?!(?:.*integrity=))/gi, severity: 'MEDIUM', desc: 'Dependency: external script without subresource integrity', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
564
|
-
{ id: 'DEPS_GO_REPLACE', cat: 'unverifiable-deps', regex: /replace\s+[\w.\/]+\s+=>\s+(?:\.\.\/|\/\w+|github\.com\/(?!golang|google))/g, severity: 'MEDIUM', desc: 'Dependency: Go module replace directive to non-standard path', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
565
|
-
{ id: 'DEPS_AUTO_UPDATE', cat: 'unverifiable-deps', regex: /(?:dependabot|renovate|greenkeeper)\s+[^]*?(?:auto[_\s-]*merge|auto[_\s-]*approve)/gis, severity: 'HIGH', desc: 'Dependency: auto-merge policy for dependency updates (supply chain risk)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
566
|
-
);
|
|
567
|
-
|
|
568
|
-
// ── Category 48: Config Injection & Manipulation (10 patterns) ──
|
|
569
|
-
PATTERNS.push(
|
|
570
|
-
{ id: 'CONFIG_ENV_OVERRIDE', cat: 'config-impact', regex: /process\.env\s*\[\s*['"][^'"]+['"]\s*\]\s*=|os\.environ\s*\[/gi, severity: 'HIGH', desc: 'Config: runtime environment variable mutation', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
571
|
-
{ id: 'CONFIG_DOTENV_OVERWRITE', cat: 'config-impact', regex: /writeFileSync\s*\([^)]*\.env|fs\.appendFile[^)]*\.env/gi, severity: 'CRITICAL', desc: 'Config: .env file modification at runtime', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
572
|
-
{ id: 'CONFIG_DNS_HIJACK', cat: 'config-impact', regex: /dns\s*\.\s*(?:setServers|resolve)\s*\([^)]*(?:8\.8|1\.1|evil|custom)/gi, severity: 'HIGH', desc: 'Config: DNS resolver hijacking', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
573
|
-
{ id: 'CONFIG_PROXY_INJECT', cat: 'config-impact', regex: /(?:HTTP|HTTPS|ALL)_PROXY\s*=|proxy\s*[=:]\s*['"]?\s*https?:\/\/(?!(?:corp|internal))/gi, severity: 'HIGH', desc: 'Config: HTTP proxy injection for traffic interception', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
574
|
-
{ id: 'CONFIG_TLS_DISABLE', cat: 'config-impact', regex: /NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['"]?0|rejectUnauthorized\s*:\s*false|verify\s*=\s*False/gi, severity: 'CRITICAL', desc: 'Config: TLS certificate verification disabled', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
575
|
-
{ id: 'CONFIG_PACKAGE_SCRIPT', cat: 'config-impact', regex: /npm\s+(?:config|set)\s+(?:ignore-scripts|unsafe-perm)\s+true/gi, severity: 'HIGH', desc: 'Config: npm security guard disabled (ignore-scripts, unsafe-perm)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
576
|
-
{ id: 'CONFIG_GIT_HOOK_INJECT', cat: 'config-impact', regex: /\.git\/hooks\/(?:pre-commit|post-checkout|post-merge)|husky\s+install/gi, severity: 'HIGH', desc: 'Config: git hook injection for code execution on VCS operations', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
577
|
-
{ id: 'CONFIG_HOSTS_MODIFY', cat: 'config-impact', regex: /\/etc\/hosts|%SystemRoot%\\System32\\drivers\\etc\\hosts/gi, severity: 'CRITICAL', desc: 'Config: hosts file modification for DNS poisoning', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
578
|
-
{ id: 'CONFIG_SUDO_NOPASSWD', cat: 'config-impact', regex: /NOPASSWD\s*:\s*ALL|visudo|\/etc\/sudoers/gi, severity: 'CRITICAL', desc: 'Config: sudoers modification for passwordless root access', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
579
|
-
{ id: 'CONFIG_SYSCTL_MODIFY', cat: 'config-impact', regex: /sysctl\s+-w\s+|\/proc\/sys\/(?:net|kernel|vm)/gi, severity: 'HIGH', desc: 'Config: kernel parameter modification via sysctl', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
580
|
-
);
|
|
581
|
-
|
|
582
|
-
// ── Category 49: Advanced Credential Theft (8 patterns) ──
|
|
583
|
-
PATTERNS.push(
|
|
584
|
-
{ id: 'CRED_KEYCHAIN_DUMP', cat: 'credential-handling', regex: /security\s+(?:find-(?:generic|internet)-password|dump-keychain)|SecItemCopyMatching/gi, severity: 'CRITICAL', desc: 'Credential theft: macOS Keychain dumping', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
585
|
-
{ id: 'CRED_BROWSER_COOKIE', cat: 'credential-handling', regex: /(?:chrome|firefox|safari)\s+[^]*?(?:cookie|login\s+data|Local\s+State)[^]*?(?:decrypt|read|extract|copy)/gis, severity: 'CRITICAL', desc: 'Credential theft: browser cookie/credential database extraction', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
586
|
-
{ id: 'CRED_MIMIKATZ_PATTERN', cat: 'credential-handling', regex: /(?:mimikatz|sekurlsa|kerberos::list|lsadump::sam)/gi, severity: 'CRITICAL', desc: 'Credential theft: Mimikatz-style credential dumping tool', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
587
|
-
{ id: 'CRED_CLOUD_METADATA', cat: 'credential-handling', regex: /169\.254\.169\.254|metadata\.google\.internal|168\.63\.129\.16/g, severity: 'CRITICAL', desc: 'Credential theft: cloud metadata endpoint access for IAM token theft', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
588
|
-
{ id: 'CRED_GIT_CREDENTIAL', cat: 'credential-handling', regex: /\.git-credentials|git\s+credential-store|credential\.helper\s+store/gi, severity: 'HIGH', desc: 'Credential theft: git credential file access', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
589
|
-
{ id: 'CRED_KUBE_CONFIG', cat: 'credential-handling', regex: /\.kube\/config|kubeconfig|KUBECONFIG\s*=/gi, severity: 'CRITICAL', desc: 'Credential theft: Kubernetes config with cluster credentials', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
590
|
-
);
|
|
591
|
-
|
|
592
|
-
// ── Category 50: Enterprise XAA & Moltbook 2026 (4 patterns) ──
|
|
593
|
-
PATTERNS.push(
|
|
594
|
-
{ id: 'MOLTBOOK_INDIRECT_PI', cat: 'prompt-injection', regex: /\[system\]\(#hidden\)[^]*?(?:ignore|print|exfiltrate|send|API_KEY)/gis, severity: 'CRITICAL', desc: 'Moltbook Bot-to-Bot payload: hidden system instruction', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
595
|
-
{ id: 'OPENCLAW_CVE_2026_25253', cat: 'mcp-security', regex: /api\/v1\/gateway\/steal\?token_exfil=/gis, severity: 'CRITICAL', desc: 'OpenClaw CVE-2026-25253 One-Click Gateway Token Steal', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
596
|
-
{ id: 'XAA_IDENTITY_FORGE', cat: 'identity-hijack', regex: /"type"\s*:\s*"xaa_auth"[^]*?"action"\s*:\s*"assume_role"/gis, severity: 'CRITICAL', desc: 'XAA (Cross App Access) unauthorized Identity Swapping forge', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
597
|
-
{ id: 'AGENT_PROTOCOL_ABUSE', cat: 'agent-protocol', regex: /(?:Crustifarianism|xaa_auth)[^]*?(?:API_KEY|Supabase)/gis, severity: 'HIGH', desc: 'Agent Protocol: Suspicious context triggering agent protocol abuse', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." }
|
|
598
|
-
);
|
|
599
|
-
|
|
600
|
-
// ── Category 51: Steipete-Killer Enterprise Profile (3 patterns) ──
|
|
601
|
-
PATTERNS.push(
|
|
602
|
-
{ id: 'CLAWHAVOC_CRYPTO_THEFT', cat: 'supply-chain-v2', regex: /(?:readFileSync|readFile)[^]*?\.ssh\/id_rsa[^]*?toString\('base64'\)[^]*?fetch\([^]*?(?:\?k=|token=)/gis, severity: 'CRITICAL', desc: 'ClawHavoc malware crypto key exfiltration', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
603
|
-
{ id: 'SNYK_AGENT_GUARD_EVASION', cat: 'prompt-injection', regex: /\[s[уy]stem\]\(#hidden\)[^]*?[\u0456i]gnore/gis, severity: 'CRITICAL', desc: 'Snyk Agent Guard evasion using Cyrillic/Homoglyphs', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
604
|
-
{ id: 'OPENCLAW_MEMORY_POISONING', cat: 'vdb-injection', regex: /(?:Remember this fact|Store this in your memory)[^]*?chmod \+s \/bin\/bash/gis, severity: 'CRITICAL', desc: 'OpenClaw Security Monitor Memory Poisoning Evasion', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." }
|
|
605
|
-
);
|
|
606
|
-
|
|
607
|
-
// ── Category 52: V13 OSINT Update — March 2026 Week 2 (9 patterns) ──
|
|
608
|
-
PATTERNS.push(
|
|
609
|
-
// IDEsaster Attack Chain (24 CVEs, Ari Marzouk, late 2025)
|
|
610
|
-
{ id: 'CVE_IDESASTER_CHAIN', cat: 'cve-patterns', regex: /(?:\.(?:cursorrules|clauderules|windsurfrules|github\/copilot-instructions))\s*[^]*?(?:exec|spawn|child_process|eval\s*\(|Function\s*\()/gis, severity: 'CRITICAL', desc: 'IDEsaster: IDE config file combined with code execution (24 CVE chain)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
611
|
-
// GitHub Copilot Prompt Injection to RCE (CVE-2025-53773)
|
|
612
|
-
{ id: 'CVE_COPILOT_PI_RCE', cat: 'cve-patterns', regex: /copilot-instructions\.md[^]*?(?:run\s+this|execute|eval|system\s*\()/gis, severity: 'CRITICAL', desc: 'GitHub Copilot prompt injection to RCE (CVE-2025-53773)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
613
|
-
// Claude Code Extension WebSocket Auth Bypass (CVE-2025-52882)
|
|
614
|
-
{ id: 'CVE_CLAUDE_CODE_WS_BYPASS', cat: 'cve-patterns', regex: /(?:localhost|127\.0\.0\.1):\d{4,5}\/(?:ws|websocket)[^]*?(?:no.?auth|unauthenticated|token.?bypass)/gis, severity: 'HIGH', desc: 'Claude Code WebSocket unauthenticated local connection (CVE-2025-52882)', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
615
|
-
// A2A Agent Card Context Poisoning (Google A2A, Palo Alto Networks 2026)
|
|
616
|
-
{ id: 'A2A_AGENT_CARD_POISON', cat: 'a2a-contagion', regex: /(?:agent.?card|skill.?description|capability.?listing)[^]*?(?:ignore\s+previous|disregard|you\s+are\s+now|execute\s+the\s+following)/gis, severity: 'HIGH', desc: 'A2A agent card/skill description prompt injection poisoning', docOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
617
|
-
// A2A Task Replay Attack (Red Hat, A2A spec 2026)
|
|
618
|
-
{ id: 'A2A_TASK_REPLAY', cat: 'a2a-contagion', regex: /(?:replay|resubmit|re-?execute)[^]*?(?:previous\s+task|completed\s+task|task.?id)[^]*?(?:without|bypass|skip)\s+(?:auth|verification|validation)/gis, severity: 'MEDIUM', desc: 'A2A task replay attack — replaying completed tasks without re-authorization', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
619
|
-
// Excessive Agency / Over-Permissioned Agents (OWASP ASI, Google 2026)
|
|
620
|
-
{ id: 'ASI_EXCESSIVE_AGENCY', cat: 'autonomous-risk', regex: /(?:permissions?\s*[=:]\s*\[?\s*["']?\*["']?|allow.?all.?tools|unrestricted.?access|scope\s*[=:]\s*["']?\*["']?)/gi, severity: 'HIGH', desc: 'ASI: excessive agent permissions — wildcard or unrestricted tool access', codeOnly: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
621
|
-
// Claude Code Security Scan Suppression (Anthropic, Feb 2026)
|
|
622
|
-
{ id: 'CLAUDE_SEC_SCAN_SUPPRESS', cat: 'safeguard-bypass', regex: /(?:claude.?code.?security|security.?scan|vulnerability.?scan)[^]*?(?:ignore|suppress|skip|disable|false.?positive|mark.?safe)/gis, severity: 'HIGH', desc: 'Claude Code Security scan result suppression or bypass', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
623
|
-
// PleaseFix Browser Hijack via Calendar Invites (Zenity Labs, March 2026)
|
|
624
|
-
{ id: 'PLEASEFIX_BROWSER_HIJACK', cat: 'cve-patterns', regex: /(?:calendar\s+invite|\.ics\b|webcal:\/\/)[^]*?(?:extension|chrome-extension|browser.?action|password.?manager)/gis, severity: 'CRITICAL', desc: 'PleaseFix: browser hijack via calendar invite with extension abuse (Zenity Labs)', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
625
|
-
// OpenClaw CVE Chain 2026 (CVE-2026-24763/25157/25475/26319/26322/26329)
|
|
626
|
-
{ id: 'OPENCLAW_CVE_CHAIN_2026', cat: 'cve-patterns', regex: /(?:CVE-2026-(?:24763|25157|25475|26319|26322|26329))|(?:openclaw|cline)[^]*?(?:brute.?force|device.?registration|unauthenticated)[^]*?(?:password|token|hijack)/gis, severity: 'CRITICAL', desc: 'OpenClaw CVE chain 2026 — brute-force auth, device registration, token theft', all: true, rationale: "Matches known syntax for this threat vector.", exploitPrecondition: "Agent executes the payload directly or processes it in a vulnerable context.", remediationHint: "Sanitize input, remove dynamic evaluation, or restrict execution scope." },
|
|
627
|
-
);
|
|
628
|
-
|
|
629
|
-
module.exports = { PATTERNS };
|