@hatchedland/prompt-lock 1.0.0

@@ -0,0 +1,785 @@
1
+ {
2
+ "patterns": [
3
+ {
4
+ "id": "JAILBREAK_DAN",
5
+ "description": "DAN (Do Anything Now) jailbreak attempts",
6
+ "regex": "(?i)\\b(?:DAN|do\\s+anything\\s+now)\\b.*(?:mode|prompt|jailbreak|ignore|bypass)",
7
+ "category": "jailbreak",
8
+ "severity": "critical",
9
+ "weight": 80,
10
+ "tags": ["jailbreak", "roleplay", "dan"],
11
+ "enabled": true,
12
+ "version": 1
13
+ },
14
+ {
15
+ "id": "JAILBREAK_DEV_MODE",
16
+ "description": "Developer Mode activation attempt",
17
+ "regex": "(?i)(?:enable|activate|enter|switch\\s+to)\\s+(?:developer|dev)\\s+mode",
18
+ "category": "jailbreak",
19
+ "severity": "critical",
20
+ "weight": 75,
21
+ "tags": ["jailbreak", "developer-mode"],
22
+ "enabled": true,
23
+ "version": 1
24
+ },
25
+ {
26
+ "id": "JAILBREAK_ROLEPLAY_UNRESTRICTED",
27
+ "description": "Roleplay as unrestricted AI persona",
28
+ "regex": "(?i)(?:act|pretend|roleplay|behave)\\s+(?:as|like|to\\s+be)\\s+(?:an?\\s+)?(?:(?:unrestricted|unfiltered|uncensored|evil|unethical)\\s+(?:AI|assistant|model|chatbot|bot)|(?:AI|assistant|model|chatbot|bot)\\s+(?:without|with\\s+no|that\\s+has\\s+no)\\s+(?:any\\s+)?(?:restrictions?|filters?|guidelines?|ethics?|ethical\\s+guidelines?|morals?|rules?|content\\s+polic|safety))",
29
+ "category": "jailbreak",
30
+ "severity": "critical",
31
+ "weight": 85,
32
+ "tags": ["jailbreak", "roleplay"],
33
+ "enabled": true,
34
+ "version": 1
35
+ },
36
+ {
37
+ "id": "JAILBREAK_OPPOSITE_DAY",
38
+ "description": "Opposite day / opposite mode jailbreak",
39
+ "regex": "(?i)(?:it'?s|today\\s+is|we'?re\\s+playing)\\s+opposite\\s+(?:day|mode|game)",
40
+ "category": "jailbreak",
41
+ "severity": "high",
42
+ "weight": 55,
43
+ "tags": ["jailbreak", "social-engineering"],
44
+ "enabled": true,
45
+ "version": 1
46
+ },
47
+ {
48
+ "id": "JAILBREAK_HYPOTHETICAL",
49
+ "description": "Hypothetical scenario to bypass restrictions",
50
+ "regex": "(?i)(?:hypothetically|in\\s+a\\s+hypothetical|imagine\\s+(?:you|a)\\s+(?:were|are|had)\\s+no\\s+(?:restrictions|rules|guidelines|filters))",
51
+ "category": "jailbreak",
52
+ "severity": "high",
53
+ "weight": 50,
54
+ "tags": ["jailbreak", "social-engineering"],
55
+ "enabled": true,
56
+ "version": 1
57
+ },
58
+ {
59
+ "id": "JAILBREAK_SUDO_MODE",
60
+ "description": "Sudo/admin mode activation",
61
+ "regex": "(?i)(?:sudo|admin|root)\\s+mode\\s+(?:on|enabled|activated|engaged)",
62
+ "category": "jailbreak",
63
+ "severity": "high",
64
+ "weight": 60,
65
+ "tags": ["jailbreak", "privilege-escalation"],
66
+ "enabled": true,
67
+ "version": 1
68
+ },
69
+ {
70
+ "id": "JAILBREAK_GRANDMA",
71
+ "description": "Grandma exploit for restricted content",
72
+ "regex": "(?i)my\\s+(?:dead\\s+)?(?:grandma|grandmother|nana)\\s+(?:used\\s+to|would)\\s+(?:tell|read|say)",
73
+ "category": "jailbreak",
74
+ "severity": "medium",
75
+ "weight": 40,
76
+ "tags": ["jailbreak", "social-engineering"],
77
+ "enabled": true,
78
+ "version": 1
79
+ },
80
+ {
81
+ "id": "JAILBREAK_TOKEN_PLAY",
82
+ "description": "Token/reward based jailbreak manipulation",
83
+ "regex": "(?i)you\\s+(?:will|shall)\\s+(?:receive|get|earn)\\s+(?:tokens?|points?|rewards?)\\s+(?:for|if|when)\\s+(?:you\\s+)?(?:ignore|bypass|break)",
84
+ "category": "jailbreak",
85
+ "severity": "medium",
86
+ "weight": 45,
87
+ "tags": ["jailbreak", "social-engineering"],
88
+ "enabled": true,
89
+ "version": 1
90
+ },
91
+ {
92
+ "id": "JAILBREAK_TRANSLATE_TRICK",
93
+ "description": "Translation-based jailbreak",
94
+ "regex": "(?i)translate\\s+(?:the\\s+following|this)\\s+(?:to|into)\\s+\\w+\\s*:.*(?:ignore|system|instructions?)",
95
+ "category": "jailbreak",
96
+ "severity": "medium",
97
+ "weight": 45,
98
+ "tags": ["jailbreak", "obfuscation"],
99
+ "enabled": true,
100
+ "version": 1
101
+ },
102
+ {
103
+ "id": "JAILBREAK_SPLIT_PERSONALITY",
104
+ "description": "Split personality/dual mode jailbreak",
105
+ "regex": "(?i)(?:you\\s+have|switch\\s+between)\\s+(?:two|dual|multiple)\\s+(?:personalities?|modes?|personas?)",
106
+ "category": "jailbreak",
107
+ "severity": "high",
108
+ "weight": 60,
109
+ "tags": ["jailbreak", "roleplay"],
110
+ "enabled": true,
111
+ "version": 1
112
+ },
113
+ {
114
+ "id": "JAILBREAK_MARKDOWN_ESCAPE",
115
+ "description": "Markdown/code block escape to inject system-level instructions",
116
+ "regex": "(?i)```\\s*(?:system|instructions?|prompt)\\b",
117
+ "category": "jailbreak",
118
+ "severity": "high",
119
+ "weight": 55,
120
+ "tags": ["jailbreak", "format-exploit"],
121
+ "enabled": true,
122
+ "version": 1
123
+ },
124
+ {
125
+ "id": "JAILBREAK_TRAINING_DATA",
126
+ "description": "Claiming to be part of training process",
127
+ "regex": "(?i)(?:this\\s+is\\s+(?:a\\s+)?(?:training|fine-?tuning)\\s+(?:data|example|prompt)|you\\s+are\\s+(?:being|now)\\s+(?:retrained|fine-?tuned))",
128
+ "category": "jailbreak",
129
+ "severity": "high",
130
+ "weight": 65,
131
+ "tags": ["jailbreak", "social-engineering"],
132
+ "enabled": true,
133
+ "version": 1
134
+ },
135
+ {
136
+ "id": "JAILBREAK_SIMULATION",
137
+ "description": "Simulation/sandbox mode to bypass restrictions",
138
+ "regex": "(?i)(?:enter|start|begin|run)\\s+(?:a\\s+)?(?:simulation|sandbox|unrestricted\\s+environment)",
139
+ "category": "jailbreak",
140
+ "severity": "high",
141
+ "weight": 55,
142
+ "tags": ["jailbreak", "roleplay"],
143
+ "enabled": true,
144
+ "version": 1
145
+ },
146
+ {
147
+ "id": "JAILBREAK_MOVIE_SCRIPT",
148
+ "description": "Movie/fiction excuse for harmful content",
149
+ "regex": "(?i)(?:write|create|draft)\\s+(?:a\\s+)?(?:movie|film|book|novel)\\s+(?:script|scene|chapter)\\s+(?:where|about).*(?:how\\s+to|instructions?\\s+for)\\s+(?:hack|exploit|attack|bypass)",
150
+ "category": "jailbreak",
151
+ "severity": "medium",
152
+ "weight": 40,
153
+ "tags": ["jailbreak", "creative-writing-exploit"],
154
+ "enabled": true,
155
+ "version": 1
156
+ },
157
+ {
158
+ "id": "JAILBREAK_COMPLETION_TRAP",
159
+ "description": "Completion trap to generate harmful content",
160
+ "regex": "(?i)(?:complete|finish|continue)\\s+(?:this|the\\s+following)\\s+(?:sentence|paragraph|text)\\s*:",
161
+ "category": "jailbreak",
162
+ "severity": "medium",
163
+ "weight": 35,
164
+ "tags": ["jailbreak", "completion-trap"],
165
+ "enabled": true,
166
+ "version": 1
167
+ },
168
+ {
169
+ "id": "INJECTION_IGNORE_PREVIOUS",
170
+ "description": "Direct instruction to ignore previous instructions",
171
+ "regex": "(?i)ignore\\s+(?:all\\s+)?(?:your\\s+|my\\s+|the\\s+)?(?:previous|prior|above|earlier|preceding|initial|original)\\s+(?:instructions?|prompts?|rules?|guidelines?|directives?|commands?)",
172
+ "category": "injection",
173
+ "severity": "critical",
174
+ "weight": 90,
175
+ "tags": ["injection", "direct"],
176
+ "enabled": true,
177
+ "version": 1
178
+ },
179
+ {
180
+ "id": "INJECTION_NEW_INSTRUCTIONS",
181
+ "description": "Injecting new/replacement instructions",
182
+ "regex": "(?i)(?:new|updated?|revised?|real|actual|correct|true)\\s+(?:instructions?|prompt|directives?|commands?|rules?)\\s*(?::|are|follow)",
183
+ "category": "injection",
184
+ "severity": "critical",
185
+ "weight": 85,
186
+ "tags": ["injection", "direct"],
187
+ "enabled": true,
188
+ "version": 1
189
+ },
190
+ {
191
+ "id": "INJECTION_SYSTEM_OVERRIDE",
192
+ "description": "System prompt override attempt",
193
+ "regex": "(?i)(?:override|replace|overwrite|modify|change)\\s+(?:the\\s+)?(?:system|initial)\\s+(?:prompt|message|instructions?)",
194
+ "category": "injection",
195
+ "severity": "critical",
196
+ "weight": 90,
197
+ "tags": ["injection", "system-prompt"],
198
+ "enabled": true,
199
+ "version": 1
200
+ },
201
+ {
202
+ "id": "INJECTION_FROM_NOW_ON",
203
+ "description": "Temporal boundary injection",
204
+ "regex": "(?i)(?:from\\s+(?:now|this\\s+point)\\s+on|henceforth|going\\s+forward)\\s*,?\\s*(?:you\\s+(?:will|shall|must|are)|your\\s+(?:new|only))",
205
+ "category": "injection",
206
+ "severity": "high",
207
+ "weight": 65,
208
+ "tags": ["injection", "temporal"],
209
+ "enabled": true,
210
+ "version": 1
211
+ },
212
+ {
213
+ "id": "INJECTION_END_SESSION",
214
+ "description": "Fake session/conversation end marker",
215
+ "regex": "(?i)(?:</?(?:system|assistant|prompt|conversation|context|message)\\s*/?>|\\[/?(?:system|end|INST)\\]|<<?/?SYS>>?)",
216
+ "category": "injection",
217
+ "severity": "critical",
218
+ "weight": 85,
219
+ "tags": ["injection", "delimiter-exploit"],
220
+ "enabled": true,
221
+ "version": 1
222
+ },
223
+ {
224
+ "id": "INJECTION_FORGET_EVERYTHING",
225
+ "description": "Instruction to forget all context",
226
+ "regex": "(?i)(?:forget|discard|erase|clear|wipe|reset)\\s+(?:all\\s+)?(?:everything|all|previous|prior|your)\\s+(?:you\\s+(?:know|were\\s+told|learned|have\\s+been\\s+told)|instructions?|context|memory|knowledge|training)",
227
+ "category": "injection",
228
+ "severity": "high",
229
+ "weight": 70,
230
+ "tags": ["injection", "direct"],
231
+ "enabled": true,
232
+ "version": 1
233
+ },
234
+ {
235
+ "id": "INJECTION_YOU_ARE_NOW",
236
+ "description": "Identity reassignment injection",
237
+ "regex": "(?i)you\\s+are\\s+(?:now|no\\s+longer|actually|really)\\s+(?:a|an|not)\\s+",
238
+ "category": "injection",
239
+ "severity": "high",
240
+ "weight": 60,
241
+ "tags": ["injection", "identity"],
242
+ "enabled": true,
243
+ "version": 1
244
+ },
245
+ {
246
+ "id": "INJECTION_DISREGARD",
247
+ "description": "Disregard instructions",
248
+ "regex": "(?i)(?:disregard|do\\s+not\\s+follow|stop\\s+following|disobey)\\s+(?:all\\s+)?(?:the\\s+)?(?:previous|prior|above|your)\\s+(?:instructions?|rules?|guidelines?|prompts?)",
249
+ "category": "injection",
250
+ "severity": "critical",
251
+ "weight": 85,
252
+ "tags": ["injection", "direct"],
253
+ "enabled": true,
254
+ "version": 1
255
+ },
256
+ {
257
+ "id": "INJECTION_IMPORTANT_UPDATE",
258
+ "description": "Fake authority/urgency injection",
259
+ "regex": "(?i)(?:important|urgent|critical|mandatory)\\s+(?:update|change|modification|notice)\\s*:.*(?:instructions?|rules?|behavior|mode)",
260
+ "category": "injection",
261
+ "severity": "high",
262
+ "weight": 60,
263
+ "tags": ["injection", "social-engineering"],
264
+ "enabled": true,
265
+ "version": 1
266
+ },
267
+ {
268
+ "id": "INJECTION_DEVELOPER_OVERRIDE",
269
+ "description": "Claiming developer authority",
270
+ "regex": "(?i)(?:as\\s+(?:a|the)\\s+)?(?:developer|admin|administrator|creator|owner|operator)\\s+(?:of\\s+this\\s+(?:system|bot|AI|app|application)\\s*,?\\s*)?(?:I\\s+)?(?:command|order|instruct|authorize|override|ask|request|demand|tell|want)\\s+(?:you\\s+to\\s+)?(?:disable|remove|turn\\s+off|bypass|ignore|override|reveal|show)",
271
+ "category": "injection",
272
+ "severity": "high",
273
+ "weight": 65,
274
+ "tags": ["injection", "authority-claim"],
275
+ "enabled": true,
276
+ "version": 1
277
+ },
278
+ {
279
+ "id": "INJECTION_HTML_XSS",
280
+ "description": "HTML/script injection",
281
+ "regex": "(?i)<\\s*(?:script|iframe|object|embed|form|input|meta|link|base)\\b",
282
+ "category": "injection",
283
+ "severity": "high",
284
+ "weight": 55,
285
+ "tags": ["injection", "xss", "html"],
286
+ "enabled": true,
287
+ "version": 1
288
+ },
289
+ {
290
+ "id": "INJECTION_RESPONSE_PREFIX",
291
+ "description": "Pre-filling assistant response",
292
+ "regex": "(?i)(?:assistant|AI|bot)\\s*(?:response|reply|answer|output)\\s*:\\s*(?:sure|ok|yes|absolutely|of\\s+course)",
293
+ "category": "injection",
294
+ "severity": "medium",
295
+ "weight": 45,
296
+ "tags": ["injection", "response-steering"],
297
+ "enabled": true,
298
+ "version": 1
299
+ },
300
+ {
301
+ "id": "INJECTION_CHAIN_OF_THOUGHT",
302
+ "description": "Chain-of-thought manipulation to inject instructions",
303
+ "regex": "(?i)let'?s\\s+think\\s+step\\s+by\\s+step\\s*[:\\.].{0,50}(?:ignore|disregard|forget|override)",
304
+ "category": "injection",
305
+ "severity": "high",
306
+ "weight": 65,
307
+ "tags": ["injection", "chain-of-thought"],
308
+ "enabled": true,
309
+ "version": 1
310
+ },
311
+ {
312
+ "id": "INJECTION_MULTI_TURN",
313
+ "description": "Multi-turn conversation manipulation",
314
+ "regex": "(?i)(?:user|human)\\s*:\\s*.+\\n\\s*(?:assistant|AI|bot)\\s*:\\s*(?:sure|ok|yes|I\\s+will)",
315
+ "category": "injection",
316
+ "severity": "high",
317
+ "weight": 70,
318
+ "tags": ["injection", "multi-turn"],
319
+ "enabled": true,
320
+ "version": 1
321
+ },
322
+ {
323
+ "id": "SMUGGLING_BASE64_MARKER",
324
+ "description": "Base64 encoded instruction with decode command",
325
+ "regex": "(?i)(?:decode|base64|decrypt|decipher)\\s+(?:the\\s+following|this)\\s*:?\\s*[A-Za-z0-9+/]{16,}={0,2}",
326
+ "category": "token_smuggling",
327
+ "severity": "high",
328
+ "weight": 60,
329
+ "tags": ["smuggling", "encoding"],
330
+ "enabled": true,
331
+ "version": 1
332
+ },
333
+ {
334
+ "id": "SMUGGLING_HEX_PAYLOAD",
335
+ "description": "Hex encoded payload with decode instruction",
336
+ "regex": "(?i)(?:decode|hex|convert)\\s+(?:the\\s+following|this)\\s*:?\\s*(?:0x)?[0-9a-fA-F]{16,}",
337
+ "category": "token_smuggling",
338
+ "severity": "high",
339
+ "weight": 55,
340
+ "tags": ["smuggling", "encoding"],
341
+ "enabled": true,
342
+ "version": 1
343
+ },
344
+ {
345
+ "id": "SMUGGLING_ROT13",
346
+ "description": "ROT13 or Caesar cipher instruction",
347
+ "regex": "(?i)(?:rot13|caesar\\s+cipher|shift\\s+by\\s+\\d+)\\s+(?:decode|decrypt|decipher|the\\s+following)",
348
+ "category": "token_smuggling",
349
+ "severity": "medium",
350
+ "weight": 45,
351
+ "tags": ["smuggling", "encoding"],
352
+ "enabled": true,
353
+ "version": 1
354
+ },
355
+ {
356
+ "id": "SMUGGLING_REVERSE_TEXT",
357
+ "description": "Reversed text instruction smuggling",
358
+ "regex": "(?i)(?:reverse|backwards?|read\\s+(?:in\\s+)?reverse)\\s+(?:the\\s+following|this\\s+text|this)\\s*:",
359
+ "category": "token_smuggling",
360
+ "severity": "medium",
361
+ "weight": 40,
362
+ "tags": ["smuggling", "encoding"],
363
+ "enabled": true,
364
+ "version": 1
365
+ },
366
+ {
367
+ "id": "SMUGGLING_ACROSTIC",
368
+ "description": "Acrostic message smuggling",
369
+ "regex": "(?i)read\\s+the\\s+first\\s+(?:letter|character|word)\\s+of\\s+each\\s+(?:line|sentence|paragraph)",
370
+ "category": "token_smuggling",
371
+ "severity": "medium",
372
+ "weight": 40,
373
+ "tags": ["smuggling", "steganography"],
374
+ "enabled": true,
375
+ "version": 1
376
+ },
377
+ {
378
+ "id": "SMUGGLING_UNICODE_ESCAPE",
379
+ "description": "Unicode escape sequence for hidden instructions",
380
+ "regex": "(?:\\\\u[0-9a-fA-F]{4}){4,}",
381
+ "category": "token_smuggling",
382
+ "severity": "medium",
383
+ "weight": 50,
384
+ "tags": ["smuggling", "unicode"],
385
+ "enabled": true,
386
+ "version": 1
387
+ },
388
+ {
389
+ "id": "SMUGGLING_CHAR_SEPARATION",
390
+ "description": "Character separation to bypass word-level detection",
391
+ "regex": "(?i)i[-_\\s.]g[-_\\s.]n[-_\\s.]o[-_\\s.]r[-_\\s.]e",
392
+ "category": "token_smuggling",
393
+ "severity": "high",
394
+ "weight": 60,
395
+ "tags": ["smuggling", "obfuscation"],
396
+ "enabled": true,
397
+ "version": 1
398
+ },
399
+ {
400
+ "id": "SMUGGLING_LEETSPEAK",
401
+ "description": "Leetspeak substitution to evade patterns",
402
+ "regex": "(?i)(?:d[1i!]sr[3e]g[4a]rd|[1i!]gn[0o]r[3e]|byp[4a]ss|[0o]v[3e]rr[1i!]d[3e])\\s+(?:pr[3e]v[1i!][0o]us|syst[3e]m|[1i!]nstruct[1i!][0o]ns?)",
403
+ "category": "token_smuggling",
404
+ "severity": "high",
405
+ "weight": 55,
406
+ "tags": ["smuggling", "leetspeak"],
407
+ "enabled": true,
408
+ "version": 1
409
+ },
410
+ {
411
+ "id": "LEAK_REPEAT_SYSTEM",
412
+ "description": "Request to repeat/reveal system prompt",
413
+ "regex": "(?i)(?:repeat|show|display|reveal|print|output|echo|tell\\s+me)\\s+(?:me\\s+)?(?:your|the)\\s+(?:system\\s+|initial\\s+|original\\s+|full\\s+|complete\\s+)?(?:prompt|instructions?|rules?|guidelines?)",
414
+ "category": "prompt_leak",
415
+ "severity": "high",
416
+ "weight": 65,
417
+ "tags": ["leak", "system-prompt"],
418
+ "enabled": true,
419
+ "version": 1
420
+ },
421
+ {
422
+ "id": "LEAK_WHAT_TOLD",
423
+ "description": "Asking what the AI was told",
424
+ "regex": "(?i)what\\s+(?:were\\s+you|are\\s+you|have\\s+you\\s+been)\\s+(?:told|instructed|programmed|configured|set\\s+up)",
425
+ "category": "prompt_leak",
426
+ "severity": "high",
427
+ "weight": 60,
428
+ "tags": ["leak", "system-prompt"],
429
+ "enabled": true,
430
+ "version": 1
431
+ },
432
+ {
433
+ "id": "LEAK_ABOVE_TEXT",
434
+ "description": "Request for text above user message",
435
+ "regex": "(?i)(?:text|content|message|instructions?)\\s+(?:above|before|preceding)\\s+(?:this|my|the\\s+user)\\s+(?:message|input|query)",
436
+ "category": "prompt_leak",
437
+ "severity": "high",
438
+ "weight": 60,
439
+ "tags": ["leak", "system-prompt"],
440
+ "enabled": true,
441
+ "version": 1
442
+ },
443
+ {
444
+ "id": "LEAK_VERBATIM",
445
+ "description": "Request for verbatim system prompt",
446
+ "regex": "(?i)(?:copy|paste|print|output)\\s+(?:verbatim|exactly|word\\s+for\\s+word)\\s+(?:your|the)\\s+(?:system\\s+)?(?:prompt|instructions?)",
447
+ "category": "prompt_leak",
448
+ "severity": "critical",
449
+ "weight": 80,
450
+ "tags": ["leak", "system-prompt"],
451
+ "enabled": true,
452
+ "version": 1
453
+ },
454
+ {
455
+ "id": "LEAK_SUMMARIZE_RULES",
456
+ "description": "Request to summarize rules/restrictions",
457
+ "regex": "(?i)(?:summarize|list|enumerate|describe)\\s+(?:all\\s+)?(?:your|the)\\s+(?:rules?|restrictions?|limitations?|constraints?|guidelines?)",
458
+ "category": "prompt_leak",
459
+ "severity": "medium",
460
+ "weight": 40,
461
+ "tags": ["leak", "indirect"],
462
+ "enabled": true,
463
+ "version": 1
464
+ },
465
+ {
466
+ "id": "LEAK_FIRST_N_WORDS",
467
+ "description": "Request for first/last N words of instructions",
468
+ "regex": "(?i)(?:first|last|initial)\\s+(?:\\d+\\s+)?(?:words?|lines?|sentences?)\\s+(?:of\\s+)?(?:your|the)\\s+(?:system\\s+)?(?:prompt|instructions?)",
469
+ "category": "prompt_leak",
470
+ "severity": "high",
471
+ "weight": 65,
472
+ "tags": ["leak", "partial-extraction"],
473
+ "enabled": true,
474
+ "version": 1
475
+ },
476
+ {
477
+ "id": "LEAK_ENCODE_SYSTEM",
478
+ "description": "Request to encode/transform system prompt",
479
+ "regex": "(?i)(?:encode|translate|convert|transform|base64|hex)\\s+(?:your|the)\\s+(?:system\\s+)?(?:prompt|instructions?)\\s+(?:to|into|as)",
480
+ "category": "prompt_leak",
481
+ "severity": "high",
482
+ "weight": 70,
483
+ "tags": ["leak", "encoding-exfiltration"],
484
+ "enabled": true,
485
+ "version": 1
486
+ },
487
+ {
488
+ "id": "LEAK_BETWEEN_TAGS",
489
+ "description": "Request for content between system tags",
490
+ "regex": "(?i)(?:between|inside|within)\\s+(?:the\\s+)?(?:<|\\[|\\{)\\s*(?:system|INST|SYS)",
491
+ "category": "prompt_leak",
492
+ "severity": "high",
493
+ "weight": 60,
494
+ "tags": ["leak", "delimiter-exploit"],
495
+ "enabled": true,
496
+ "version": 1
497
+ },
498
+ {
499
+ "id": "OVERFLOW_REPEATED_CHARS",
500
+ "description": "Excessive repeated characters for context overflow",
501
+ "regex": "(?:a{500,}|b{500,}|c{500,}|d{500,}|e{500,}|f{500,}|g{500,}|x{500,}|y{500,}|z{500,}|0{500,}|1{500,}| {500,}|\\.{500,}|!{500,}|\\*{500,})",
502
+ "category": "context_overflow",
503
+ "severity": "high",
504
+ "weight": 55,
505
+ "tags": ["overflow", "padding"],
506
+ "enabled": true,
507
+ "version": 1
508
+ },
509
+ {
510
+ "id": "OVERFLOW_TOKEN_STUFFING",
511
+ "description": "Repeated filler words indicating token stuffing",
512
+ "regex": "(?i)(?:(?:the|a|is|it|of|to|and|in)\\s+){50,}",
513
+ "category": "context_overflow",
514
+ "severity": "high",
515
+ "weight": 60,
516
+ "tags": ["overflow", "stuffing"],
517
+ "enabled": true,
518
+ "version": 1
519
+ },
520
+ {
521
+ "id": "OVERFLOW_BOUNDARY_INJECTION",
522
+ "description": "Injection keywords at the end of a long input",
523
+ "regex": "(?i)(?:ignore|forget|disregard|new\\s+instructions)\\s*$",
524
+ "category": "context_overflow",
525
+ "severity": "critical",
526
+ "weight": 75,
527
+ "tags": ["overflow", "boundary-injection"],
528
+ "enabled": true,
529
+ "version": 1
530
+ },
531
+ {
532
+ "id": "OVERFLOW_WHITESPACE_PADDING",
533
+ "description": "Excessive whitespace/newline padding",
534
+ "regex": "(?:\\n\\s*){50,}",
535
+ "category": "context_overflow",
536
+ "severity": "high",
537
+ "weight": 45,
538
+ "tags": ["overflow", "whitespace"],
539
+ "enabled": true,
540
+ "version": 1
541
+ },
542
+ {
543
+ "id": "OVERFLOW_COMMENT_FLOOD",
544
+ "description": "Comment-style padding to displace context",
545
+ "regex": "(?://[^\\n]*\\n){20,}",
546
+ "category": "context_overflow",
547
+ "severity": "medium",
548
+ "weight": 40,
549
+ "tags": ["overflow", "comment-flood"],
550
+ "enabled": true,
551
+ "version": 1
552
+ },
553
+ {
554
+ "id": "JAILBREAK_EVIL_TWIN",
555
+ "description": "Evil twin/alter ego persona jailbreak",
556
+ "regex": "(?i)(?:evil|dark|shadow|alter)\\s+(?:twin|version|ego|side|persona|copy)\\s+(?:called|named|known\\s+as)?",
557
+ "category": "jailbreak",
558
+ "severity": "high",
559
+ "weight": 60,
560
+ "tags": ["jailbreak", "persona"],
561
+ "enabled": true,
562
+ "version": 1
563
+ },
564
+ {
565
+ "id": "JAILBREAK_NO_MORALS",
566
+ "description": "AI persona with no morals/ethics",
567
+ "regex": "(?i)(?:who\\s+)?(?:has|have|with)\\s+no\\s+(?:morals?|ethics?|restrictions?|filters?|boundaries|limitations?|content\\s+polic)",
568
+ "category": "jailbreak",
569
+ "severity": "high",
570
+ "weight": 55,
571
+ "tags": ["jailbreak", "persona"],
572
+ "enabled": true,
573
+ "version": 1
574
+ },
575
+ {
576
+ "id": "INJECTION_IGNORE_ALL",
577
+ "description": "Ignore all instructions without qualifier",
578
+ "regex": "(?i)(?:now\\s+)?ignore\\s+(?:all\\s+)?(?:your\\s+|my\\s+|the\\s+)?(?:instructions?|rules?|guidelines?|prompts?|safety|restrictions?|filters?)",
579
+ "category": "injection",
580
+ "severity": "high",
581
+ "weight": 65,
582
+ "tags": ["injection", "broad"],
583
+ "enabled": true,
584
+ "version": 1
585
+ },
586
+ {
587
+ "id": "INJECTION_DISABLE_SAFETY",
588
+ "description": "Request to disable safety measures",
589
+ "regex": "(?i)(?:disable|remove|turn\\s+off|deactivate|bypass)\\s+(?:all\\s+)?(?:your\\s+|the\\s+)?(?:safety|security|content|ethical)\\s+(?:measures?|filters?|restrictions?|guidelines?|policies?|checks?|features?)",
590
+ "category": "injection",
591
+ "severity": "high",
592
+ "weight": 60,
593
+ "tags": ["injection", "safety-bypass"],
594
+ "enabled": true,
595
+ "version": 1
596
+ },
597
+ {
598
+ "id": "SMUGGLING_REVERSE_BROAD",
599
+ "description": "Any instruction to reverse/read backwards text",
600
+ "regex": "(?i)(?:read|interpret|decode|process)\\s+(?:the\\s+following\\s+)?(?:text\\s+)?(?:in\\s+reverse|backwards|from\\s+right\\s+to\\s+left)",
601
+ "category": "token_smuggling",
602
+ "severity": "medium",
603
+ "weight": 45,
604
+ "tags": ["smuggling", "encoding"],
605
+ "enabled": true,
606
+ "version": 1
607
+ },
608
+ {
609
+ "id": "LEAK_SHOW_ME_PROMPT",
610
+ "description": "Show me your prompt (with me between show and your)",
611
+ "regex": "(?i)(?:show|give|send|tell)\\s+me\\s+(?:your|the)\\s+(?:system\\s+|initial\\s+|original\\s+)?(?:prompt|instructions?|rules?|guidelines?|configuration)",
612
+ "category": "prompt_leak",
613
+ "severity": "high",
614
+ "weight": 65,
615
+ "tags": ["leak", "system-prompt"],
616
+ "enabled": true,
617
+ "version": 1
618
+ },
619
+ {
620
+ "id": "INJECTION_CLEAN_SLATE",
621
+ "description": "Euphemistic reset — clean slate, start fresh, blank canvas",
622
+ "regex": "(?i)(?:start\\s+fresh|clean\\s+slate|blank\\s+(?:canvas|slate)|wipe\\s+the\\s+slate|tabula\\s+rasa|fresh\\s+start|reboot\\s+(?:your|my)\\s+(?:personality|behavior|identity)).*(?:no\\s+(?:prior|previous|rules|restrictions|directives)|without\\s+(?:restrictions|rules|guidelines|history))",
623
+ "category": "injection",
624
+ "severity": "high",
625
+ "weight": 55,
626
+ "tags": ["injection", "euphemism"],
627
+ "enabled": true,
628
+ "version": 1
629
+ },
630
+ {
631
+ "id": "INJECTION_DIAGNOSTIC_MODE",
632
+ "description": "Fake diagnostic/debug/audit mode to extract config",
633
+ "regex": "(?i)(?:enter|switch\\s+to|activate|enable)\\s+(?:diagnostic|debug|audit|maintenance|test|troubleshoot)\\s+mode",
634
+ "category": "injection",
635
+ "severity": "high",
636
+ "weight": 60,
637
+ "tags": ["injection", "diagnostic"],
638
+ "enabled": true,
639
+ "version": 1
640
+ },
641
+ {
642
+ "id": "INJECTION_PERSONA_SWAP",
643
+ "description": "Shed current role / adopt new identity",
644
+ "regex": "(?i)(?:shed|abandon|drop|discard|release|let\\s+go\\s+of)\\s+(?:your|the)\\s+(?:current|existing|present)\\s+(?:role|identity|persona|character|personality)",
645
+ "category": "injection",
646
+ "severity": "high",
647
+ "weight": 55,
648
+ "tags": ["injection", "persona"],
649
+ "enabled": true,
650
+ "version": 1
651
+ },
652
+ {
653
+ "id": "INJECTION_ZERO_GUARDRAILS",
654
+ "description": "AI with zero/no guardrails",
655
+ "regex": "(?i)(?:zero|no|without|remove\\s+all|disable\\s+all)\\s+(?:guardrails?|safeguards?|safety\\s+(?:rails?|nets?|measures?))",
656
+ "category": "injection",
657
+ "severity": "high",
658
+ "weight": 55,
659
+ "tags": ["injection", "safety-bypass"],
660
+ "enabled": true,
661
+ "version": 1
662
+ },
663
+ {
664
+ "id": "INJECTION_CONFIG_FILE",
665
+ "description": "Configuration/env file injection to change behavior",
666
+ "regex": "(?i)(?:SAFETY_MODE|CONTENT_FILTER|RESTRICTIONS|CONTENT_POLICY|SAFETY_FILTERS?)\\s*[=:]\\s*(?:off|disabled?|none|false|empty|permissive|0)",
667
+ "category": "injection",
668
+ "severity": "high",
669
+ "weight": 60,
670
+ "tags": ["injection", "config"],
671
+ "enabled": true,
672
+ "version": 1
673
+ },
674
+ {
675
+ "id": "INJECTION_FUNCTION_CALL",
676
+ "description": "Spoofed function/API call to modify system config",
677
+ "regex": "(?i)(?:FUNCTION_CALL|API_CALL|EXECUTE|RUN)\\s*:\\s*(?:update|set|modify|change|override)_(?:system|config|safety|filter)",
678
+ "category": "injection",
679
+ "severity": "high",
680
+ "weight": 60,
681
+ "tags": ["injection", "function-spoof"],
682
+ "enabled": true,
683
+ "version": 1
684
+ },
685
+ {
686
+ "id": "INJECTION_ERROR_FALLBACK",
687
+ "description": "Fake error message claiming fallback to unrestricted mode",
688
+ "regex": "(?i)(?:ERROR|FAULT|FAILURE)\\s*:.*(?:(?:system\\s+prompt|safety|content\\s+polic|filter)\\s+(?:failed|error|null|unavailable|not\\s+(?:found|loaded))|(?:fallback|falling\\s+back)\\s+to\\s+(?:default|unrestricted|open)\\s+mode)",
689
+ "category": "injection",
690
+ "severity": "critical",
691
+ "weight": 70,
692
+ "tags": ["injection", "error-spoof"],
693
+ "enabled": true,
694
+ "version": 1
695
+ },
696
+ {
697
+ "id": "LEAK_OUTPUT_FORMAT",
698
+ "description": "Prompt extraction via output format steering",
699
+ "regex": "(?i)(?:respond|output|format|structure|response)\\s+(?:as|in|with|your\\s+(?:response|answer)\\s+as)\\s+(?:a\\s+)?(?:JSON|YAML|XML|CSV)\\s+(?:object\\s+)?(?:with\\s+|containing\\s+|that\\s+(?:has|includes)\\s+)?(?:(?:these\\s+)?fields?|keys?|properties).*(?:system.?(?:instructions?|prompt|config)|hidden.?(?:rules?|instructions?|directives?)|content.?policy|initial.?config)",
700
+ "category": "prompt_leak",
701
+ "severity": "high",
702
+ "weight": 60,
703
+ "tags": ["leak", "output-format"],
704
+ "enabled": true,
705
+ "version": 1
706
+ },
707
+ {
708
+ "id": "INJECTION_YAML_CONFIG",
709
+ "description": "YAML/config format injection with system overrides",
710
+ "regex": "(?i)(?:restrictions?|content_?policy|mode|safety)\\s*:\\s*(?:none|disabled?|off|unrestricted|permissive|false)",
711
+ "category": "injection",
712
+ "severity": "high",
713
+ "weight": 55,
714
+ "tags": ["injection", "config", "yaml"],
715
+ "enabled": true,
716
+ "version": 1
717
+ },
718
+ {
719
+ "id": "JAILBREAK_ACADEMIC",
720
+ "description": "Academic framing to justify jailbreak demonstration",
721
+ "regex": "(?i)(?:for\\s+(?:my|our|a)\\s+(?:\\w+\\s+)?(?:thesis|dissertation|research|paper|study|report)|(?:academic|research|educational)\\s+(?:purposes?|documentation|study)).*(?:demonstrate|show|illustrate|exhibit|respond).*(?:unaligned|unrestricted|jailbreak|bypass|harmful|without\\s+(?:restrictions?|filters?|safety))",
722
+ "category": "jailbreak",
723
+ "severity": "high",
724
+ "weight": 55,
725
+ "tags": ["jailbreak", "academic-framing"],
726
+ "enabled": true,
727
+ "version": 1
728
+ },
729
+ {
730
+ "id": "INJECTION_ADMIN_DUMP",
731
+ "description": "Admin privilege claim requesting system dump",
732
+ "regex": "(?i)(?:admin|administrator|root)\\s+(?:privileges?|access|level|rights?).*(?:dump|export|output|display|show|list|request)\\s+(?:a\\s+)?(?:all\\s+|of\\s+)?(?:active\\s+)?(?:system\\s+)?(?:instructions?|prompts?|config|policies|rules)",
733
+ "category": "injection",
734
+ "severity": "high",
735
+ "weight": 60,
736
+ "tags": ["injection", "privilege-escalation"],
737
+ "enabled": true,
738
+ "version": 1
739
+ },
740
+ {
741
+ "id": "LEAK_FULL_CONFIGURATION",
742
+ "description": "Request for full configuration/system-level instructions",
743
+ "regex": "(?i)(?:output|display|show|share|provide|dump)\\s+(?:your\\s+)?(?:full|complete|entire)?\\s*(?:configuration|config|system-?level\\s+instructions?|internal\\s+(?:instructions?|rules?|configuration))",
744
+ "category": "prompt_leak",
745
+ "severity": "high",
746
+ "weight": 60,
747
+ "tags": ["leak", "config-extraction"],
748
+ "enabled": true,
749
+ "version": 1
750
+ },
751
+ {
752
+ "id": "INJECTION_TYPO_FORGET",
753
+ "description": "Misspelled forget/ignore variants (typo evasion)",
754
+ "regex": "(?i)(?:forg[eao]tt?|ignor[ea]|disreg[ao]rd|ignroe|forgtt)\\s+(?:(?:all|the|ur|my|previu?s|pr[ea]vious)\\s+)*(?:directi?v[ea]s|instruc?ti?ons?|rul[ea]s|guid[ea]lin[ea]s|filt[ea]rs?)",
755
+ "category": "injection",
756
+ "severity": "high",
757
+ "weight": 60,
758
+ "tags": ["injection", "typo-evasion"],
759
+ "enabled": true,
760
+ "version": 1
761
+ },
762
+ {
763
+ "id": "INJECTION_NO_FILTERS",
764
+ "description": "Request to be a chatbot with no filters",
765
+ "regex": "(?i)(?:be|become|act\\s+as)\\s+(?:a\\s+)?(?:normal?|regular|standard|basic)?\\s*(?:chatb[oa]t|assistant|AI|bot)\\s+(?:with|without|that\\s+has)\\s+(?:no|zero|without)\\s+(?:filt[ea]rs?|restrictions?|limits?|rules?|guidelines?|safety)",
766
+ "category": "jailbreak",
767
+ "severity": "high",
768
+ "weight": 55,
769
+ "tags": ["jailbreak", "filter-removal"],
770
+ "enabled": true,
771
+ "version": 1
772
+ },
773
+ {
774
+ "id": "INJECTION_AUTH_TOKEN",
775
+ "description": "Fake auth token / access upgrade for privilege escalation",
776
+ "regex": "(?i)(?:access\\s+(?:level|rights?)\\s+(?:has\\s+been|is)\\s+(?:upgraded|elevated|changed)|auth(?:entication|orization)?\\s+(?:token|code|key)\\s*:).*(?:requesting|request|dump|show|share|provide|grant|give)\\s+",
777
+ "category": "injection",
778
+ "severity": "high",
779
+ "weight": 55,
780
+ "tags": ["injection", "auth-spoof"],
781
+ "enabled": true,
782
+ "version": 1
783
+ }
784
+ ]
785
+ }
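Review bot: The `OVERFLOW_WHITESPACE_PADDING` entry's regex `(?:\\n\\s*){50,}` is itself a denial-of-service risk: `\s` also matches `\n`, so a run of fewer than fifty newlines mixed with other whitespace can be split between the `\n` atom and `\s*` in exponentially many ways, and a backtracking engine tries all of them before reporting no match — on user-supplied text this stalls the very scanner meant to catch padding. Restricting the inner class to whitespace-other-than-newline keeps the intent and makes the match linear: `"regex": "(?:\\n[^\\S\\n]*){50,}",`. The other overflow patterns do not share this nested-quantifier shape, though `JAILBREAK_ACADEMIC` and `LEAK_OUTPUT_FORMAT` chain several `.*` segments and fail in polynomial rather than linear time on long single-line inputs, so an input length cap upstream of the matcher is worth keeping. Every pattern also relies on an inline `(?i)` prefix; if these strings are compiled with JavaScript's `RegExp`, that syntax is rejected, so presumably the loader strips it and sets the `i` flag — an explicit `flags` field per entry, or a comment in the loader, would make that contract visible.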