npm - @surfinguard/core-engine - Versions diffs - 0.1.0 → 1.0.0 - Mend

@surfinguard/core-engine 0.1.0 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (114) hide show

package/LICENSE +21 -0
package/dist/analyzers/agent-comm.d.ts +22 -0
package/dist/analyzers/agent-comm.d.ts.map +1 -0
package/dist/analyzers/agent-comm.js +79 -0
package/dist/analyzers/agent-comm.js.map +1 -0
package/dist/analyzers/api-call.d.ts +21 -0
package/dist/analyzers/api-call.d.ts.map +1 -0
package/dist/analyzers/api-call.js +134 -0
package/dist/analyzers/api-call.js.map +1 -0
package/dist/analyzers/auth.d.ts +22 -0
package/dist/analyzers/auth.d.ts.map +1 -0
package/dist/analyzers/auth.js +97 -0
package/dist/analyzers/auth.js.map +1 -0
package/dist/analyzers/code.d.ts +32 -0
package/dist/analyzers/code.d.ts.map +1 -0
package/dist/analyzers/code.js +310 -0
package/dist/analyzers/code.js.map +1 -0
package/dist/analyzers/command.d.ts.map +1 -1
package/dist/analyzers/command.js +91 -39
package/dist/analyzers/command.js.map +1 -1
package/dist/analyzers/data-pipeline.d.ts +23 -0
package/dist/analyzers/data-pipeline.d.ts.map +1 -0
package/dist/analyzers/data-pipeline.js +86 -0
package/dist/analyzers/data-pipeline.js.map +1 -0
package/dist/analyzers/document.d.ts +22 -0
package/dist/analyzers/document.d.ts.map +1 -0
package/dist/analyzers/document.js +77 -0
package/dist/analyzers/document.js.map +1 -0
package/dist/analyzers/file-read.d.ts.map +1 -1
package/dist/analyzers/file-read.js +12 -3
package/dist/analyzers/file-read.js.map +1 -1
package/dist/analyzers/file-write.d.ts.map +1 -1
package/dist/analyzers/file-write.js +12 -3
package/dist/analyzers/file-write.js.map +1 -1
package/dist/analyzers/git.d.ts +25 -0
package/dist/analyzers/git.d.ts.map +1 -0
package/dist/analyzers/git.js +126 -0
package/dist/analyzers/git.js.map +1 -0
package/dist/analyzers/index.d.ts +3 -0
package/dist/analyzers/index.d.ts.map +1 -1
package/dist/analyzers/index.js +3 -0
package/dist/analyzers/index.js.map +1 -1
package/dist/analyzers/infra.d.ts +30 -0
package/dist/analyzers/infra.d.ts.map +1 -0
package/dist/analyzers/infra.js +134 -0
package/dist/analyzers/infra.js.map +1 -0
package/dist/analyzers/iot.d.ts +22 -0
package/dist/analyzers/iot.d.ts.map +1 -0
package/dist/analyzers/iot.js +78 -0
package/dist/analyzers/iot.js.map +1 -0
package/dist/analyzers/message.d.ts +22 -0
package/dist/analyzers/message.d.ts.map +1 -0
package/dist/analyzers/message.js +106 -0
package/dist/analyzers/message.js.map +1 -0
package/dist/analyzers/query.d.ts +23 -0
package/dist/analyzers/query.d.ts.map +1 -0
package/dist/analyzers/query.js +183 -0
package/dist/analyzers/query.js.map +1 -0
package/dist/analyzers/text.d.ts.map +1 -1
package/dist/analyzers/text.js +20 -3
package/dist/analyzers/text.js.map +1 -1
package/dist/analyzers/transaction.d.ts +23 -0
package/dist/analyzers/transaction.d.ts.map +1 -0
package/dist/analyzers/transaction.js +100 -0
package/dist/analyzers/transaction.js.map +1 -0
package/dist/analyzers/ui-action.d.ts +23 -0
package/dist/analyzers/ui-action.d.ts.map +1 -0
package/dist/analyzers/ui-action.js +92 -0
package/dist/analyzers/ui-action.js.map +1 -0
package/dist/analyzers/url.d.ts.map +1 -1
package/dist/analyzers/url.js +6 -2
package/dist/analyzers/url.js.map +1 -1
package/dist/classifier.d.ts.map +1 -1
package/dist/classifier.js +20 -1
package/dist/classifier.js.map +1 -1
package/dist/context.d.ts +6 -4
package/dist/context.d.ts.map +1 -1
package/dist/context.js +34 -5
package/dist/context.js.map +1 -1
package/dist/engine.d.ts +72 -3
package/dist/engine.d.ts.map +1 -1
package/dist/engine.js +313 -9
package/dist/engine.js.map +1 -1
package/dist/index.d.ts +18 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +17 -1
package/dist/index.js.map +1 -1
package/dist/patterns.d.ts +15 -1
package/dist/patterns.d.ts.map +1 -1
package/dist/patterns.js +70 -53
package/dist/patterns.js.map +1 -1
package/dist/policy-engine.d.ts +44 -0
package/dist/policy-engine.d.ts.map +1 -0
package/dist/policy-engine.js +225 -0
package/dist/policy-engine.js.map +1 -0
package/dist/session-tracker.d.ts +50 -0
package/dist/session-tracker.d.ts.map +1 -0
package/dist/session-tracker.js +286 -0
package/dist/session-tracker.js.map +1 -0
package/package.json +15 -12
package/patterns/agent-comm.json +97 -0
package/patterns/api-call.json +175 -0
package/patterns/auth.json +116 -0
package/patterns/chains.json +171 -0
package/patterns/code.json +204 -0
package/patterns/data-pipeline.json +116 -0
package/patterns/document.json +110 -0
package/patterns/git.json +118 -0
package/patterns/infra.json +207 -0
package/patterns/iot.json +105 -0
package/patterns/message.json +122 -0
package/patterns/query.json +134 -0
package/patterns/transaction.json +120 -0
package/patterns/ui-action.json +137 -0

package/patterns/document.json ADDED Viewed

@@ -0,0 +1,110 @@
+{
+  "version": "1.0.0",
+  "threats": [
+    {
+      "id": "DC01",
+      "name": "Contract/legal document modification",
+      "primitive": "MANIPULATION",
+      "severity": 9,
+      "description": "Agent modifies contracts, NDAs, license agreements, or other legal documents"
+    },
+    {
+      "id": "DC02",
+      "name": "Financial spreadsheet tampering",
+      "primitive": "MANIPULATION",
+      "severity": 9,
+      "description": "Agent alters formulas, budget values, revenue figures, or financial calculations"
+    },
+    {
+      "id": "DC03",
+      "name": "External file sharing",
+      "primitive": "EXFILTRATION",
+      "severity": 8,
+      "description": "Agent shares files externally, emails attachments to personal addresses, or uploads to public storage"
+    },
+    {
+      "id": "DC04",
+      "name": "Public content publication",
+      "primitive": "EXFILTRATION",
+      "severity": 9,
+      "description": "Agent publishes internal content publicly, posts to social media, or broadcasts confidential information"
+    }
+  ],
+  "contractModificationPatterns": [
+    "edit.*contract",
+    "modify.*agreement",
+    "change.*terms",
+    "alter.*clause",
+    "update.*legal.*doc",
+    "rewrite.*contract",
+    "amend.*nda",
+    "modify.*sla",
+    "edit.*license.*agreement",
+    "change.*warranty"
+  ],
+  "spreadsheetTamperingPatterns": [
+    "modify.*formula",
+    "change.*spreadsheet",
+    "edit.*financial",
+    "alter.*budget",
+    "change.*calculation",
+    "change.*financial",
+    "update.*revenue",
+    "change.*cell.*value",
+    "modify.*pivot",
+    "rewrite.*macro",
+    "edit.*vlookup",
+    "alter.*calculation"
+  ],
+  "externalSharingPatterns": [
+    "share.*external",
+    "send.*to.*outside",
+    "forward.*to.*personal",
+    "export.*to.*drive",
+    "upload.*public",
+    "share.*link.*anyone",
+    "email.*attachment.*external",
+    "email.*attachment.*personal",
+    "email.*outside",
+    "copy.*to.*usb",
+    "transfer.*outside.*org"
+  ],
+  "publicPublicationPatterns": [
+    "publish.*public",
+    "post.*blog",
+    "tweet.*confidential",
+    "upload.*social.*media",
+    "make.*public",
+    "publish.*website",
+    "release.*press",
+    "broadcast.*internal",
+    "share.*publicly"
+  ],
+  "sensitiveDocTypes": [
+    "contract",
+    "agreement",
+    "nda",
+    "financial",
+    "budget",
+    "salary",
+    "medical",
+    "legal",
+    "confidential",
+    "secret",
+    "classified",
+    "tax",
+    "invoice"
+  ],
+  "safePatterns": [
+    "read.*document",
+    "view.*file",
+    "open.*for.*review",
+    "preview",
+    "list.*documents",
+    "search.*files",
+    "check.*version",
+    "compare.*revisions",
+    "print.*preview",
+    "spell.?check"
+  ]
+}

package/patterns/git.json ADDED Viewed

@@ -0,0 +1,118 @@
+{
+  "version": "1.0.0",
+  "threats": [
+    {
+      "id": "V01",
+      "name": "Force push",
+      "primitive": "DESTRUCTION",
+      "severity": 8,
+      "description": "Agent attempts to force push, potentially overwriting remote history"
+    },
+    {
+      "id": "V02",
+      "name": "Unreviewed merge to main",
+      "primitive": "DESTRUCTION",
+      "severity": 7,
+      "description": "Agent attempts to merge or rebase into a protected branch without review"
+    },
+    {
+      "id": "V03",
+      "name": "CI/CD pipeline modification",
+      "primitive": "PERSISTENCE",
+      "severity": 8,
+      "description": "Agent attempts to modify CI/CD pipeline configuration files"
+    },
+    {
+      "id": "V04",
+      "name": "Unauthorized release",
+      "primitive": "MANIPULATION",
+      "severity": 7,
+      "description": "Agent attempts to create tags or publish packages without authorization"
+    },
+    {
+      "id": "V05",
+      "name": "Branch deletion",
+      "primitive": "DESTRUCTION",
+      "severity": 7,
+      "description": "Agent attempts to delete git branches"
+    },
+    {
+      "id": "V06",
+      "name": "Gitignore weakening",
+      "primitive": "EXFILTRATION",
+      "severity": 7,
+      "description": "Agent attempts to weaken or remove .gitignore rules, exposing sensitive files"
+    }
+  ],
+  "forcePushPatterns": [
+    "push.*--force",
+    "push.*-f\\b",
+    "--force-with-lease",
+    "force.*push"
+  ],
+  "mergePatterns": [
+    "git\\s+merge\\b",
+    "git\\s+rebase\\b",
+    "merge.*to\\s+(main|master|prod)",
+    "gh\\s+pr\\s+merge"
+  ],
+  "cicdPatterns": [
+    "\\.github/workflows",
+    "\\.github/actions",
+    "\\.gitlab-ci",
+    "Jenkinsfile",
+    "\\.circleci",
+    "azure-pipelines",
+    "bitbucket-pipelines",
+    "\\.travis\\.yml",
+    "pipeline.*inject",
+    "add.*step.*workflow"
+  ],
+  "releasePatterns": [
+    "git\\s+tag\\b",
+    "npm\\s+publish",
+    "cargo\\s+publish",
+    "gem\\s+push",
+    "twine\\s+upload",
+    "create.*release",
+    "gh\\s+release\\s+create",
+    "docker\\s+push"
+  ],
+  "branchDeletePatterns": [
+    "git\\s+branch\\s+-[dD]\\b",
+    "push.*--delete",
+    "git\\s+push\\s+\\S+\\s+:",
+    "delete.*branch"
+  ],
+  "gitignorePatterns": [
+    "\\.gitignore.*remov",
+    "\\.gitignore.*delet",
+    "git\\s+rm.*\\.gitignore",
+    "remove.*from.*gitignore"
+  ],
+  "protectedBranches": [
+    "main",
+    "master",
+    "prod",
+    "production",
+    "release",
+    "develop",
+    "staging"
+  ],
+  "safePatterns": [
+    "git\\s+status",
+    "git\\s+log",
+    "git\\s+diff",
+    "git\\s+show",
+    "git\\s+stash\\s+list",
+    "git\\s+branch$",
+    "git\\s+remote\\s+-v",
+    "git\\s+fetch",
+    "git\\s+clone",
+    "git\\s+pull\\b",
+    "git\\s+add\\b",
+    "git\\s+commit\\b",
+    "git\\s+checkout\\b",
+    "git\\s+switch\\b"
+  ]
+}

package/patterns/infra.json ADDED Viewed

@@ -0,0 +1,207 @@
+{
+  "version": "1.0.0",
+  "threats": [
+    {
+      "id": "I01",
+      "name": "Docker escape",
+      "primitive": "ESCALATION",
+      "severity": 9,
+      "description": "Agent attempts container escape via privileged mode, host mounts, or nsenter"
+    },
+    {
+      "id": "I02",
+      "name": "IaC modification",
+      "primitive": "DESTRUCTION",
+      "severity": 8,
+      "description": "Agent applies or destroys infrastructure using Terraform, Kubernetes, or CloudFormation"
+    },
+    {
+      "id": "I03",
+      "name": "Firewall rule changes",
+      "primitive": "ESCALATION",
+      "severity": 8,
+      "description": "Agent modifies firewall rules or disables network security policies"
+    },
+    {
+      "id": "I04",
+      "name": "Certificate manipulation",
+      "primitive": "DESTRUCTION",
+      "severity": 8,
+      "description": "Agent deletes, replaces, or revokes TLS/SSL certificates"
+    },
+    {
+      "id": "I05",
+      "name": "DNS modification",
+      "primitive": "MANIPULATION",
+      "severity": 8,
+      "description": "Agent modifies DNS records to redirect traffic"
+    },
+    {
+      "id": "I06",
+      "name": "Secret store access",
+      "primitive": "EXFILTRATION",
+      "severity": 7,
+      "description": "Agent reads secrets from on-prem secret stores like Vault"
+    },
+    {
+      "id": "CL01",
+      "name": "Resource over-provisioning",
+      "primitive": "DESTRUCTION",
+      "severity": 8,
+      "description": "Agent provisions excessive compute resources (GPU instances, large fleets)"
+    },
+    {
+      "id": "CL02",
+      "name": "IAM role modification",
+      "primitive": "ESCALATION",
+      "severity": 9,
+      "description": "Agent modifies IAM roles or policies to escalate privileges"
+    },
+    {
+      "id": "CL03",
+      "name": "Security group opening",
+      "primitive": "ESCALATION",
+      "severity": 8,
+      "description": "Agent opens security groups to 0.0.0.0/0 or allows unrestricted ingress"
+    },
+    {
+      "id": "CL04",
+      "name": "Backup deletion",
+      "primitive": "DESTRUCTION",
+      "severity": 9,
+      "description": "Agent deletes snapshots, backups, or sets retention to zero"
+    },
+    {
+      "id": "CL05",
+      "name": "Production deployment",
+      "primitive": "DESTRUCTION",
+      "severity": 7,
+      "description": "Agent deploys to production environment without proper review"
+    },
+    {
+      "id": "CL06",
+      "name": "Cloud secret access",
+      "primitive": "EXFILTRATION",
+      "severity": 7,
+      "description": "Agent accesses cloud-specific secret management services"
+    }
+  ],
+  "containerEscapePatterns": [
+    "--privileged",
+    "mount.*host",
+    "nsenter",
+    "docker.*run.*-v\\s+/:/",
+    "--pid=host",
+    "chroot",
+    "docker\\.sock",
+    "hostPID",
+    "hostNetwork"
+  ],
+  "iacModificationPatterns": [
+    "terraform\\s+(apply|destroy)",
+    "pulumi\\s+(up|destroy)",
+    "kubectl\\s+(apply|delete)",
+    "cloudformation\\s+(create|update|delete)",
+    "cdk\\s+deploy",
+    "helm\\s+(install|upgrade|uninstall)",
+    "ansible-playbook"
+  ],
+  "firewallPatterns": [
+    "iptables\\s+-[ADIFR]",
+    "ufw\\s+(allow|disable)",
+    "firewall-cmd\\s+--add",
+    "open.*port",
+    "disable.*firewall",
+    "network.*policy.*delete"
+  ],
+  "certificatePatterns": [
+    "replace.*cert",
+    "delete.*cert",
+    "remove.*tls",
+    "certbot.*delete",
+    "revoke.*cert",
+    "import.*cert.*untrust"
+  ],
+  "dnsModificationPatterns": [
+    "route53.*change",
+    "dns.*record.*(create|update|delete)",
+    "modify.*hosts.*file",
+    "etc/hosts",
+    "cloudflare.*dns",
+    "gcloud.*dns.*record"
+  ],
+  "secretStorePatterns": [
+    "vault\\s+read",
+    "vault\\s+kv\\s+get",
+    "secrets.*manager.*get",
+    "ssm.*get-parameter",
+    "az\\s+keyvault\\s+secret"
+  ],
+  "resourceProvisioningPatterns": [
+    "run-instances",
+    "create.*instance",
+    "gcloud.*compute.*create",
+    "az\\s+vm\\s+create",
+    "gpu.*instance",
+    "large.*instance.*count",
+    "scale.*up"
+  ],
+  "iamPatterns": [
+    "attach.*role.*policy",
+    "add-user-to-group",
+    "create.*role.*admin",
+    "iam.*put.*policy",
+    "gcloud.*iam.*bind",
+    "az\\s+role.*assignment.*create",
+    "assume.*role"
+  ],
+  "securityGroupPatterns": [
+    "authorize.*security.*group.*ingress.*0\\.0\\.0\\.0",
+    "0\\.0\\.0\\.0/0.*port\\s*22",
+    "inbound.*rule.*0\\.0\\.0\\.0",
+    "allow.*all.*traffic",
+    "security.*group.*open"
+  ],
+  "backupDeletionPatterns": [
+    "delete.*snapshot",
+    "remove.*backup",
+    "purge.*backup",
+    "delete.*db.*snapshot",
+    "lifecycle.*delete",
+    "retention.*0"
+  ],
+  "productionDeployPatterns": [
+    "deploy.*prod",
+    "push.*production",
+    "kubectl.*apply.*production",
+    "release.*to.*live",
+    "promote.*prod"
+  ],
+  "cloudSecretPatterns": [
+    "get-secret-value",
+    "vault.*read.*secret",
+    "ssm.*get.*parameter.*secure",
+    "keyvault.*secret.*show",
+    "gcloud.*secrets.*access"
+  ],
+  "productionEnvironments": [
+    "prod",
+    "production",
+    "live",
+    "prd"
+  ],
+  "safePatterns": [
+    "describe",
+    "list",
+    "get.*status",
+    "show.*info",
+    "terraform\\s+plan",
+    "kubectl\\s+get",
+    "docker\\s+ps",
+    "docker\\s+images",
+    "docker\\s+inspect",
+    "vault\\s+status",
+    "--dry-run",
+    "preview"
+  ]
+}

package/patterns/iot.json ADDED Viewed

@@ -0,0 +1,105 @@
+{
+  "version": "1.0.0",
+  "threats": [
+    {
+      "id": "IOT01",
+      "name": "Smart lock manipulation",
+      "primitive": "ESCALATION",
+      "severity": 9,
+      "description": "Agent unlocks doors, disables alarms, or bypasses physical security locks"
+    },
+    {
+      "id": "IOT02",
+      "name": "Industrial control modification",
+      "primitive": "DESTRUCTION",
+      "severity": 9,
+      "description": "Agent overrides safety valves, modifies PLC settings, or alters industrial control parameters"
+    },
+    {
+      "id": "IOT03",
+      "name": "Security camera disabling",
+      "primitive": "MANIPULATION",
+      "severity": 9,
+      "description": "Agent disables cameras, stops recording, loops footage, or blinds surveillance sensors"
+    },
+    {
+      "id": "IOT04",
+      "name": "Vehicle command injection",
+      "primitive": "DESTRUCTION",
+      "severity": 10,
+      "description": "Agent sends CAN bus commands, overrides steering/brakes, or injects OBD commands to vehicles"
+    }
+  ],
+  "smartLockPatterns": [
+    "unlock.*door",
+    "open.*lock",
+    "disable.*alarm",
+    "bypass.*security.*lock",
+    "grant.*access.*physical",
+    "override.*lock",
+    "change.*access.*code",
+    "deactivate.*deadbolt",
+    "arm.*disarm"
+  ],
+  "industrialControlPatterns": [
+    "set.*temperature.*extreme",
+    "override.*safety",
+    "change.*valve",
+    "modify.*pressure",
+    "alter.*speed.*motor",
+    "disable.*safety.*check",
+    "shutdown.*reactor",
+    "increase.*voltage",
+    "modify.*plc",
+    "scada.*write"
+  ],
+  "securityCameraPatterns": [
+    "disable.*camera",
+    "turn.*off.*monitoring",
+    "stop.*recording",
+    "blind.*sensor",
+    "loop.*footage",
+    "pause.*surveillance",
+    "deactivate.*motion.*detect",
+    "cover.*camera",
+    "delete.*recording"
+  ],
+  "vehicleCommandPatterns": [
+    "unlock.*vehicle",
+    "start.*engine.*remote",
+    "disable.*brakes",
+    "override.*steering",
+    "accelerate",
+    "send.*can.*bus",
+    "inject.*obd",
+    "modify.*ecu",
+    "remote.*start",
+    "vehicle.*command"
+  ],
+  "criticalDeviceTypes": [
+    "lock",
+    "alarm",
+    "hvac",
+    "valve",
+    "motor",
+    "reactor",
+    "camera",
+    "vehicle",
+    "brake",
+    "medical",
+    "infusion",
+    "pacemaker"
+  ],
+  "safePatterns": [
+    "read.*sensor",
+    "get.*temperature",
+    "check.*status",
+    "query.*device",
+    "list.*devices",
+    "monitor.*health",
+    "view.*feed",
+    "get.*battery",
+    "describe.*device",
+    "ping.*device"
+  ]
+}

package/patterns/message.json ADDED Viewed

@@ -0,0 +1,122 @@
+{
+  "version": "1.0.0",
+  "threats": [
+    {
+      "id": "M01",
+      "name": "Unauthorized email sending",
+      "primitive": "EXFILTRATION",
+      "severity": 8,
+      "description": "Agent attempts to send emails, potentially exfiltrating data via email services"
+    },
+    {
+      "id": "M02",
+      "name": "Slack/Teams message leakage",
+      "primitive": "EXFILTRATION",
+      "severity": 8,
+      "description": "Agent attempts to post messages to Slack or Teams channels, potentially leaking sensitive data"
+    },
+    {
+      "id": "M03",
+      "name": "SMS/notification abuse",
+      "primitive": "MANIPULATION",
+      "severity": 6,
+      "description": "Agent attempts to send SMS or push notifications to external recipients"
+    },
+    {
+      "id": "M04",
+      "name": "Social media posting",
+      "primitive": "MANIPULATION",
+      "severity": 7,
+      "description": "Agent attempts to post to social media platforms on behalf of the user"
+    },
+    {
+      "id": "M05",
+      "name": "GitHub issue/PR comments",
+      "primitive": "MANIPULATION",
+      "severity": 5,
+      "description": "Agent attempts to create or comment on GitHub issues or pull requests"
+    },
+    {
+      "id": "M06",
+      "name": "Impersonation via messaging",
+      "primitive": "MANIPULATION",
+      "severity": 9,
+      "description": "Agent attempts to send messages while impersonating another person or entity"
+    }
+  ],
+  "emailPatterns": [
+    "sendgrid",
+    "mailgun",
+    "ses\\.amazonaws",
+    "smtp",
+    "mailto:",
+    "send.*email",
+    "send.*mail",
+    "postmark",
+    "mandrill"
+  ],
+  "slackPatterns": [
+    "slack\\.com/api",
+    "hooks\\.slack\\.com",
+    "webhook\\.slack\\.com",
+    "chat\\.postmessage",
+    "channels\\.settopic",
+    "microsoft\\.com/teams",
+    "graph\\.microsoft\\.com.*chat"
+  ],
+  "smsPatterns": [
+    "twilio",
+    "vonage",
+    "nexmo",
+    "messagebird",
+    "send.*sms",
+    "send.*text.*message",
+    "plivo"
+  ],
+  "socialMediaPatterns": [
+    "api\\.twitter\\.com",
+    "api\\.x\\.com",
+    "graph\\.facebook\\.com",
+    "api\\.linkedin\\.com",
+    "api\\.instagram\\.com",
+    "post.*tweet",
+    "publish.*post",
+    "create.*post"
+  ],
+  "sensitiveContentPatterns": [
+    "password",
+    "secret",
+    "api_key",
+    "api.key",
+    "private_key",
+    "private.key",
+    "ssn",
+    "credit.card",
+    "confidential",
+    "bearer\\s+[a-z0-9]",
+    "aws_secret",
+    "token"
+  ],
+  "impersonationPatterns": [
+    "pretend.*to.*be",
+    "on.*behalf.*of",
+    "as.*if.*i",
+    "impersonat",
+    "send.*as\\b",
+    "pose.*as",
+    "act.*as.*admin",
+    "from:.*ceo",
+    "from:.*admin"
+  ],
+  "safePatterns": [
+    "notification",
+    "alert",
+    "status.update",
+    "log",
+    "debug",
+    "test",
+    "healthcheck",
+    "ping",
+    "monitor"
+  ]
+}