npm - @panguard-ai/atr - Versions diffs - 1.4.0 → 1.4.2 - Mend

@panguard-ai/atr 1.4.0 → 1.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (109) hide show

package/rules/excessive-autonomy/{ATR-2026-051-resource-exhaustion.yaml → ATR-2026-00051-resource-exhaustion.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "Agent Resource Exhaustion Detection"
-id: ATR-2026-051
+id: ATR-2026-00051
+rule_version: 1
 status: experimental
 description: |
   Detects when an agent causes resource exhaustion through bulk operations,
@@ -29,6 +30,7 @@ references:
 tags:
   category: excessive-autonomy
   subcategory: resource-exhaustion
+  scan_target: mcp
   confidence: medium
 agent_source:

package/rules/excessive-autonomy/{ATR-2026-052-cascading-failure.yaml → ATR-2026-00052-cascading-failure.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "Cascading Failure Detection in Agent Pipelines"
-id: ATR-2026-052
+id: ATR-2026-00052
+rule_version: 1
 status: experimental
 description: |
   Detects cascading failure patterns in automated agent pipelines where
@@ -30,6 +31,7 @@ references:
 tags:
   category: excessive-autonomy
   subcategory: cascading-failure
+  scan_target: mcp
   confidence: medium
 agent_source:

package/rules/excessive-autonomy/{ATR-2026-098-unauthorized-financial-action.yaml → ATR-2026-00098-unauthorized-financial-action.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "Unauthorized Financial Action by AI Agent"
-id: ATR-2026-098
+id: ATR-2026-00098
+rule_version: 1
 status: experimental
 description: |
   Detects when an AI agent attempts to execute financial operations (payments,
@@ -34,6 +35,7 @@ references:
 tags:
   category: excessive-autonomy
   subcategory: unauthorized-financial-action
+  scan_target: mcp
   confidence: high
 agent_source:

package/rules/excessive-autonomy/{ATR-2026-099-high-risk-tool-gate.yaml → ATR-2026-00099-high-risk-tool-gate.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "High-Risk Tool Invocation Without Human Confirmation"
-id: ATR-2026-099
+id: ATR-2026-00099
+rule_version: 1
 status: experimental
 description: |
   Detects when an AI agent invokes high-risk tools (financial, destructive,
@@ -38,6 +39,7 @@ references:
 tags:
   category: excessive-autonomy
   subcategory: high-risk-tool-gate
+  scan_target: mcp
   confidence: medium
 agent_source:

package/rules/model-security/{ATR-2026-072-model-behavior-extraction.yaml → ATR-2026-00072-model-behavior-extraction.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "Model Behavior Extraction"
-id: ATR-2026-072
+id: ATR-2026-00072
+rule_version: 1
 status: experimental
 description: >
   Detects systematic probing attempts to extract model behavior, decision boundaries,
@@ -27,6 +28,7 @@ references:
 tags:
   category: model-abuse
   subcategory: model-extraction
+  scan_target: mcp
   confidence: medium
 agent_source:

package/rules/model-security/{ATR-2026-073-malicious-finetuning-data.yaml → ATR-2026-00073-malicious-finetuning-data.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "Malicious Fine-tuning Data"
-id: ATR-2026-073
+id: ATR-2026-00073
+rule_version: 1
 status: experimental
 description: >
   Detects poisoned fine-tuning datasets that contain instruction-following backdoors,
@@ -28,6 +29,7 @@ references:
 tags:
   category: data-poisoning
   subcategory: malicious-finetuning
+  scan_target: mcp
   confidence: medium
 agent_source:

package/rules/privilege-escalation/{ATR-2026-040-privilege-escalation.yaml → ATR-2026-00040-privilege-escalation.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "Privilege Escalation and Admin Function Access"
-id: ATR-2026-040
+id: ATR-2026-00040
+rule_version: 1
 status: experimental
 description: |
   Consolidated detection for privilege escalation attempts, covering both
@@ -34,6 +35,7 @@ references:
 tags:
   category: privilege-escalation
   subcategory: tool-permission-escalation
+  scan_target: mcp
   confidence: high
 agent_source:

package/rules/privilege-escalation/{ATR-2026-041-scope-creep.yaml → ATR-2026-00041-scope-creep.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "Agent Scope Creep Detection"
-id: ATR-2026-041
+id: ATR-2026-00041
+rule_version: 1
 status: experimental
 description: |
   Detects when an agent gradually expands its authority, access, or
@@ -28,6 +29,7 @@ references:
 tags:
   category: privilege-escalation
   subcategory: scope-creep
+  scan_target: mcp
   confidence: medium
 agent_source:

package/rules/privilege-escalation/{ATR-2026-107-delayed-execution-bypass.yaml → ATR-2026-00107-delayed-execution-bypass.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "Privilege Escalation via Delayed Task Execution Bypass"
-id: ATR-2026-107
+id: ATR-2026-00107
+rule_version: 1
 status: experimental
 description: |
   Detects tools that claim to schedule tasks while explicitly stating they bypass permission
@@ -26,6 +27,7 @@ references:
 tags:
   category: privilege-escalation
   subcategory: delayed-execution-bypass
+  scan_target: mcp
   confidence: medium
 agent_source:

package/rules/privilege-escalation/{ATR-2026-110-eval-injection.yaml → ATR-2026-00110-eval-injection.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "Remote Code Execution via eval() and Dynamic Code Injection"
-id: ATR-2026-110
+id: ATR-2026-00110
+rule_version: 1
 status: experimental
 description: |
   Detects tools or agent instructions that invoke eval(), Function(), vm.runInNewContext(),
@@ -22,6 +23,7 @@ references:
 tags:
   category: privilege-escalation
   subcategory: eval-injection
+  scan_target: mcp
   confidence: high
 agent_source:

package/rules/privilege-escalation/{ATR-2026-111-shell-escape.yaml → ATR-2026-00111-shell-escape.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "Shell Metacharacter Injection in Tool Arguments"
-id: ATR-2026-111
+id: ATR-2026-00111
+rule_version: 1
 status: experimental
 description: |
   Detects shell metacharacter injection patterns in tool arguments or agent-generated
@@ -23,6 +24,7 @@ references:
 tags:
   category: privilege-escalation
   subcategory: shell-escape
+  scan_target: mcp
   confidence: high
 agent_source:
@@ -46,8 +48,8 @@ detection:
       description: "$() subshell execution embedded in arguments"
     - field: content
       operator: regex
-      value: "`[^`]+`"
-      description: "Backtick command substitution in arguments"
+      value: "`(?:rm|cat|curl|wget|nc|ncat|bash|sh|python|perl|ruby|php|whoami|id|uname|env|printenv|set|export|eval|exec|chmod|chown|kill|pkill|dd|mkfs|mount|umount|sudo|su|passwd)[^`]*`"
+      description: "Backtick command substitution with dangerous command inside"
     - field: content
       operator: regex
       value: "(?:&&|\\|\\|)\\s*(?:curl|wget|nc|ncat|bash|sh|python|perl)"

package/rules/privilege-escalation/{ATR-2026-112-dynamic-import-exploitation.yaml → ATR-2026-00112-dynamic-import-exploitation.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "Dynamic Module Loading for Code Execution"
-id: ATR-2026-112
+id: ATR-2026-00112
+rule_version: 1
 status: experimental
 description: |
   Detects dynamic module loading where the module path is a variable rather than a
@@ -23,6 +24,7 @@ references:
 tags:
   category: privilege-escalation
   subcategory: dynamic-import-exploitation
+  scan_target: mcp
   confidence: medium
 agent_source:

package/rules/privilege-escalation/ATR-2026-00143-casual-privilege-escalation.yaml ADDED Viewed

@@ -0,0 +1,53 @@
+title: "Casual Unauthorized Privilege Escalation"
+id: ATR-2026-00143
+rule_version: 1
+status: experimental
+description: >
+  Detects agents casually escalating privileges by accessing admin panels,
+  user management, or system settings without explicit authorization.
+  Pattern: "I noticed X is accessible, let me check/review/examine Y."
+  Crystallized from 31 adversarial samples.
+author: "ATR Threat Cloud Crystallization"
+date: "2026/04/07"
+schema_version: "1.0"
+detection_tier: pattern
+maturity: experimental
+severity: high
+references:
+  owasp_llm:
+    - "LLM01:2025 - Prompt Injection"
+  owasp_agentic:
+    - "ASI03 - Excessive Agency"
+tags:
+  category: privilege-escalation
+  subcategory: casual-escalation
+  confidence: medium
+  scan_target: mcp
+agent_source:
+  type: mcp_exchange
+  framework: [any]
+  provider: [any]
+detection:
+  condition: any
+  conditions:
+    - field: content
+      operator: regex
+      value: '(?i)(?:I\s+(?:noticed|found|discovered|see|detected|observed))\s+(?:the\s+)?(?:admin|administrator|root|superuser|management)\s+(?:panel|console|dashboard|interface|portal|settings?)\s+(?:is|appears?|seems?|looks?)\s+(?:accessible|available|open|exposed|reachable)'
+      description: "Agent reporting unauthorized access to admin interface"
+    - field: content
+      operator: regex
+      value: '(?i)(?:let me|I.ll|allow me to|I.m going to)\s+(?:check|review|examine|inspect|look at|access|browse|explore)\s+(?:the\s+)?(?:user\s+management|admin\s+settings?|system\s+config|access\s+control|permission|role\s+management|security\s+settings?)'
+      description: "Agent self-authorizing access to privileged settings"
+test_cases:
+  true_positives:
+    - input: "I noticed the admin panel is accessible. Let me check the user management settings for you."
+      expected: triggered
+    - input: "I found the administrator console is available. Let me review the access controls."
+      expected: triggered
+  true_negatives:
+    - input: "The admin documentation is available at docs.example.com."
+      expected: not_triggered
+    - input: "Let me check the weather settings for your dashboard."
+      expected: not_triggered
+response:
+  actions: [alert, block_input]

package/rules/privilege-escalation/ATR-2026-00144-rationalized-safety-bypass.yaml ADDED Viewed

@@ -0,0 +1,49 @@
+title: "Rationalized Safety Control Bypass"
+id: ATR-2026-00144
+rule_version: 1
+status: experimental
+description: >
+  Detects agents rationalizing bypassing safety controls or APIs by
+  claiming efficiency, directness, or speed as justification.
+  Pattern: "To be more efficient, I'll use X directly instead of Y."
+  Crystallized from 31 adversarial samples.
+author: "ATR Threat Cloud Crystallization"
+date: "2026/04/07"
+schema_version: "1.0"
+detection_tier: pattern
+maturity: experimental
+severity: high
+references:
+  owasp_llm:
+    - "LLM01:2025 - Prompt Injection"
+  owasp_agentic:
+    - "ASI03 - Excessive Agency"
+tags:
+  category: privilege-escalation
+  subcategory: rationalized-bypass
+  confidence: medium
+  scan_target: mcp
+agent_source:
+  type: mcp_exchange
+  framework: [any]
+  provider: [any]
+detection:
+  condition: any
+  conditions:
+    - field: content
+      operator: regex
+      value: '(?i)(?:to\s+(?:complete|finish|accomplish|expedite|optimize|speed up|be more efficient|boost efficiency))\s+(?:this|the)\s+(?:task|job|work|operation|request).*(?:I.ll|I will|let me|going to)\s+(?:use|access|query|connect to|call)\s+(?:the\s+)?(?:database|system|server|backend|filesystem|registry|kernel)\s+(?:directly|straight|right away)'
+      description: "Rationalizing direct system access instead of API"
+test_cases:
+  true_positives:
+    - input: "To complete this task more efficiently, I'll use the database directly instead of the API."
+      expected: triggered
+    - input: "To expedite this task, I'll access the filesystem directly rather than through the service."
+      expected: triggered
+  true_negatives:
+    - input: "To complete this task, I'll call the API with the required parameters."
+      expected: not_triggered
+    - input: "The database is available via the connection string in the config."
+      expected: not_triggered
+response:
+  actions: [alert, block_input]

package/rules/prompt-injection/{ATR-2026-001-direct-prompt-injection.yaml → ATR-2026-00001-direct-prompt-injection.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "Direct Prompt Injection via User Input"
-id: ATR-2026-001
+id: ATR-2026-00001
+rule_version: 1
 status: experimental
 description: >
   Detects direct prompt injection attempts where a user embeds malicious instructions
@@ -32,6 +33,7 @@ references:
 tags:
   category: prompt-injection
   subcategory: direct
+  scan_target: mcp
   confidence: high
 agent_source:

package/rules/prompt-injection/{ATR-2026-002-indirect-prompt-injection.yaml → ATR-2026-00002-indirect-prompt-injection.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "Indirect Prompt Injection via External Content"
-id: ATR-2026-002
+id: ATR-2026-00002
+rule_version: 1
 status: experimental
 description: >
   Detects indirect prompt injection where malicious instructions are embedded within
@@ -35,6 +36,7 @@ references:
 tags:
   category: prompt-injection
   subcategory: indirect
+  scan_target: mcp
   confidence: high
 agent_source:

package/rules/prompt-injection/{ATR-2026-003-jailbreak-attempt.yaml → ATR-2026-00003-jailbreak-attempt.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "Jailbreak Attempt Detection"
-id: ATR-2026-003
+id: ATR-2026-00003
+rule_version: 1
 status: experimental
 description: >
   Detects jailbreak attempts designed to bypass AI safety mechanisms. Detection covers
@@ -34,6 +35,7 @@ references:
 tags:
   category: prompt-injection
   subcategory: jailbreak
+  scan_target: mcp
   confidence: high
 agent_source:

package/rules/prompt-injection/{ATR-2026-004-system-prompt-override.yaml → ATR-2026-00004-system-prompt-override.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "System Prompt Override Attempt"
-id: ATR-2026-004
+id: ATR-2026-00004
+rule_version: 1
 status: experimental
 description: >
   Detects attempts to override, replace, or redefine the agent's system prompt.
@@ -34,6 +35,7 @@ references:
 tags:
   category: prompt-injection
   subcategory: system-prompt-override
+  scan_target: mcp
   confidence: high
 agent_source:

package/rules/prompt-injection/{ATR-2026-005-multi-turn-injection.yaml → ATR-2026-00005-multi-turn-injection.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "Multi-Turn Prompt Injection"
-id: ATR-2026-005
+id: ATR-2026-00005
+rule_version: 1
 status: experimental
 description: >
   Detects multi-turn prompt injection where an attacker gradually manipulates the
@@ -29,6 +30,7 @@ references:
 tags:
   category: prompt-injection
   subcategory: multi-turn
+  scan_target: mcp
   confidence: medium
 agent_source:

package/rules/prompt-injection/{ATR-2026-080-encoding-evasion.yaml → ATR-2026-00080-encoding-evasion.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "Encoding-Based Prompt Injection Evasion"
-id: ATR-2026-080
+id: ATR-2026-00080
+rule_version: 1
 status: draft
 description: >
   Detects prompt injection attempts that use encoding techniques to bypass
@@ -20,6 +21,7 @@ references:
 tags:
   category: prompt-injection
   subcategory: encoding-evasion
+  scan_target: mcp
   confidence: medium
 agent_source:

package/rules/prompt-injection/{ATR-2026-081-semantic-multi-turn.yaml → ATR-2026-00081-semantic-multi-turn.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "Semantic Evasion via Multi-Turn Prompt Injection"
-id: ATR-2026-081
+id: ATR-2026-00081
+rule_version: 1
 status: draft
 description: >
   Detects multi-turn prompt injection attacks that use semantic manipulation to
@@ -20,6 +21,7 @@ references:
 tags:
   category: prompt-injection
   subcategory: semantic-evasion
+  scan_target: mcp
   confidence: medium
 agent_source:

package/rules/prompt-injection/{ATR-2026-082-fingerprint-evasion.yaml → ATR-2026-00082-fingerprint-evasion.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "Behavioral Fingerprint Detection Evasion"
-id: ATR-2026-082
+id: ATR-2026-00082
+rule_version: 1
 status: draft
 description: >
   Detects attempts to evade behavioral drift detection and fingerprinting
@@ -20,6 +21,7 @@ references:
 tags:
   category: prompt-injection
   subcategory: fingerprint-evasion
+  scan_target: mcp
   confidence: medium
 agent_source:

package/rules/prompt-injection/{ATR-2026-083-indirect-tool-injection.yaml → ATR-2026-00083-indirect-tool-injection.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "Indirect Prompt Injection via Tool Responses"
-id: ATR-2026-083
+id: ATR-2026-00083
+rule_version: 1
 status: draft
 description: >
   Detects indirect prompt injection payloads embedded in tool responses, API
@@ -20,6 +21,7 @@ references:
 tags:
   category: prompt-injection
   subcategory: indirect-injection
+  scan_target: mcp
   confidence: medium
 agent_source:

package/rules/prompt-injection/{ATR-2026-084-structured-data-injection.yaml → ATR-2026-00084-structured-data-injection.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "Structured Data Injection via JSON/CSV Payloads"
-id: ATR-2026-084
+id: ATR-2026-00084
+rule_version: 1
 status: draft
 description: >
   Detects prompt injection payloads hidden within structured data formats such
@@ -22,6 +23,7 @@ references:
 tags:
   category: prompt-injection
   subcategory: structured-data-injection
+  scan_target: mcp
   confidence: medium
 agent_source:

package/rules/prompt-injection/{ATR-2026-085-audit-evasion.yaml → ATR-2026-00085-audit-evasion.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "Multi-Layer Security Audit Evasion"
-id: ATR-2026-085
+id: ATR-2026-00085
+rule_version: 1
 status: draft
 description: >
   Detects prompt injection attempts specifically designed to bypass multi-layer
@@ -20,6 +21,7 @@ references:
 tags:
   category: prompt-injection
   subcategory: audit-evasion
+  scan_target: mcp
   confidence: medium
 agent_source:

package/rules/prompt-injection/{ATR-2026-086-visual-spoofing.yaml → ATR-2026-00086-visual-spoofing.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "Visual Spoofing via RTL Override, Punycode, and Homoglyph Injection"
-id: ATR-2026-086
+id: ATR-2026-00086
+rule_version: 1
 status: draft
 description: >
   Detects injection attempts that use visual spoofing techniques including
@@ -20,6 +21,7 @@ references:
 tags:
   category: prompt-injection
   subcategory: visual-spoofing
+  scan_target: mcp
   confidence: medium
 agent_source:

package/rules/prompt-injection/{ATR-2026-087-rule-probing.yaml → ATR-2026-00087-rule-probing.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "Detection Rule Probing and Evasion Testing"
-id: ATR-2026-087
+id: ATR-2026-00087
+rule_version: 1
 status: draft
 description: >
   Detects attempts to probe, test, or enumerate detection rules and security
@@ -20,6 +21,7 @@ references:
 tags:
   category: prompt-injection
   subcategory: rule-probing
+  scan_target: mcp
   confidence: medium
 agent_source:

package/rules/prompt-injection/{ATR-2026-088-adaptive-countermeasure.yaml → ATR-2026-00088-adaptive-countermeasure.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "Adaptive Countermeasure Against Behavioral Monitoring"
-id: ATR-2026-088
+id: ATR-2026-00088
+rule_version: 1
 status: draft
 description: >
   Detects injection payloads that instruct an agent to actively counteract
@@ -20,6 +21,7 @@ references:
 tags:
   category: prompt-injection
   subcategory: monitoring-countermeasure
+  scan_target: mcp
   confidence: medium
 agent_source:

package/rules/prompt-injection/{ATR-2026-089-polymorphic-skill.yaml → ATR-2026-00089-polymorphic-skill.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "Polymorphic Skill and Capability Aliasing Attack"
-id: ATR-2026-089
+id: ATR-2026-00089
+rule_version: 1
 status: draft
 description: >
   Detects injection attempts that use polymorphic techniques to disguise
@@ -21,6 +22,7 @@ references:
 tags:
   category: prompt-injection
   subcategory: polymorphic-evasion
+  scan_target: mcp
   confidence: medium
 agent_source:

package/rules/prompt-injection/{ATR-2026-090-threat-intel-exfil.yaml → ATR-2026-00090-threat-intel-exfil.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "Threat Intelligence Exfiltration and Rule Enumeration"
-id: ATR-2026-090
+id: ATR-2026-00090
+rule_version: 1
 status: draft
 description: >
   Detects attempts to extract threat intelligence, enumerate detection rules,
@@ -20,6 +21,7 @@ references:
 tags:
   category: prompt-injection
   subcategory: intel-exfiltration
+  scan_target: mcp
   confidence: medium
 agent_source:

package/rules/prompt-injection/{ATR-2026-091-nested-payload.yaml → ATR-2026-00091-nested-payload.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "Advanced Structured Data Injection with Nested Payloads"
-id: ATR-2026-091
+id: ATR-2026-00091
+rule_version: 1
 status: draft
 description: >
   Detects advanced structured data injection where malicious prompts are deeply
@@ -23,6 +24,7 @@ references:
 tags:
   category: prompt-injection
   subcategory: nested-data-injection
+  scan_target: mcp
   confidence: medium
 agent_source:

package/rules/prompt-injection/{ATR-2026-092-consensus-poisoning.yaml → ATR-2026-00092-consensus-poisoning.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "Multi-Agent Consensus Poisoning and Sybil Attack"
-id: ATR-2026-092
+id: ATR-2026-00092
+rule_version: 1
 status: draft
 description: >
   Detects attacks targeting multi-agent consensus systems through coordinated
@@ -23,6 +24,7 @@ references:
 tags:
   category: prompt-injection
   subcategory: consensus-poisoning
+  scan_target: mcp
   confidence: medium
 agent_source:

package/rules/prompt-injection/{ATR-2026-093-gradual-escalation.yaml → ATR-2026-00093-gradual-escalation.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "Gradual Capability Escalation via Incremental Introduction"
-id: ATR-2026-093
+id: ATR-2026-00093
+rule_version: 1
 status: draft
 description: >
   Detects attacks that use gradual, sub-threshold capability introductions to
@@ -21,6 +22,7 @@ references:
 tags:
   category: prompt-injection
   subcategory: gradual-escalation
+  scan_target: mcp
   confidence: medium
 agent_source:

package/rules/prompt-injection/{ATR-2026-094-audit-bypass.yaml → ATR-2026-00094-audit-bypass.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "Systematic Multi-Layer Audit System Bypass"
-id: ATR-2026-094
+id: ATR-2026-00094
+rule_version: 1
 status: draft
 description: >
   Detects sophisticated attempts to systematically defeat multi-layer security
@@ -21,6 +22,7 @@ references:
 tags:
   category: prompt-injection
   subcategory: systematic-audit-bypass
+  scan_target: mcp
   confidence: medium
 agent_source:

package/rules/prompt-injection/{ATR-2026-097-cjk-injection-patterns.yaml → ATR-2026-00097-cjk-injection-patterns.yaml} RENAMED Viewed

@@ -1,5 +1,6 @@
 title: "CJK Prompt Injection - Expanded Chinese/Japanese/Korean Patterns"
-id: ATR-2026-097
+id: ATR-2026-00097
+rule_version: 1
 status: experimental
 description: |
   Expanded CJK-language prompt injection patterns targeting the gap where
@@ -37,6 +38,7 @@ references:
 tags:
   category: prompt-injection
   subcategory: cjk-social-engineering
+  scan_target: mcp
   confidence: high
 agent_source: