agent-threat-rules 1.2.0 → 2.0.0

package/rules/excessive-autonomy/ATR-2026-00051-resource-exhaustion.yaml

@@ -1,4 +1,4 @@
-title: "Agent Resource Exhaustion Detection"
+title: Agent Resource Exhaustion Detection
 id: ATR-2026-00051
 rule_version: 1
 status: experimental
@@ -10,93 +10,102 @@ description: |
   as SELECT * without LIMIT, mass iteration directives, unbounded batch
   sizes, and fork/spawn patterns that can degrade system performance or
   cause denial of service.
-author: "ATR Community"
-date: "2026/03/08"
+author: ATR Community
+date: 2026/03/08
 schema_version: "0.1"
 detection_tier: pattern
 maturity: experimental
 severity: high
-
 references:
   owasp_llm:
-    - "LLM06:2025 - Excessive Agency"
-    - "LLM10:2025 - Unbounded Consumption"
+    - LLM06:2025 - Excessive Agency
+    - LLM10:2025 - Unbounded Consumption
   owasp_agentic:
-    - "ASI05:2026 - Unexpected Code Execution"
+    - ASI05:2026 - Unexpected Code Execution
   mitre_atlas:
-    - "AML.T0046 - Spamming ML System with Chaff Data"
-    - "AML.T0053 - LLM Plugin Compromise"
-
+    - AML.T0046 - Spamming ML System with Chaff Data
+    - AML.T0053 - LLM Plugin Compromise
 tags:
   category: excessive-autonomy
   subcategory: resource-exhaustion
   scan_target: mcp
   confidence: medium
-
 agent_source:
   type: llm_io
   framework:
     - any
   provider:
     - any
-
 detection:
   conditions:
     - field: content
       operator: regex
-      value: "(?i)SELECT\\s+\\*\\s+FROM\\s+\\w+(?:\\s*;|\\s*$|\\s+WHERE)(?!.*\\bLIMIT\\b)"
-      description: "Unbounded SELECT * query without LIMIT clause"
+      value: (?i)SELECT\s+\*\s+FROM\s+\w+(?:\s*;|\s*$|\s+WHERE)(?!.*\bLIMIT\b)
+      description: Unbounded SELECT * query without LIMIT clause
     - field: content
       operator: regex
-      value: "(?i)(?:for\\s+each|iterate\\s+(?:over\\s+)?(?:all|every)|process\\s+(?:all|every|each)\\s+(?:record|row|entry|item|file|document))"
-      description: "Bulk iteration directive over entire dataset"
+      value: >-
+        (?i)(?:for\s+each|iterate\s+(?:over\s+)?(?:all|every)|process\s+(?:all|every|each)\s+(?:record|row|entry|item|file|document))
+      description: Bulk iteration directive over entire dataset
     - field: content
       operator: regex
-      value: "(?i)(?:limit|max_results?|page_size|batch_size|count|top)\\s*[:=]\\s*(?:\\d{5,}|all|unlimited|-1|999+|MAX_INT|infinity)"
-      description: "Excessively large or unbounded query parameters"
+      value: >-
+        (?i)(?:limit|max_results?|page_size|batch_size|count|top)\s*[:=]\s*(?:\d{5,}|all|unlimited|-1|999+|MAX_INT|infinity)
+      description: Excessively large or unbounded query parameters
     - field: content
       operator: regex
-      value: "(?i)(?:delete\\s+(?:all|every|each)\\s+(?:files?|records?|entries|rows?|documents?)|rm\\s+-rf\\s+[/*]|truncate\\s+(?:all\\s+)?(?:tables?|data))"
-      description: "Mass deletion or truncation operations"
+      value: >-
+        (?i)(?:delete\s+(?:all|every|each)\s+(?:files?|records?|entries|rows?|documents?)|rm\s+-rf\s+[/*]|truncate\s+(?:all\s+)?(?:tables?|data))
+      description: Mass deletion or truncation operations
     - field: content
       operator: regex
-      value: "(?i)(?:download(?:ing)?\\s+(?:all|every|the\\s+entire)|(?:fetch(?:ing)?|pull(?:ing)?|retriev(?:e|ing))\\s+(?:all|every|the\\s+complete|the\\s+entire)\\s+(?:dataset|database|table|collection|bucket))"
-      description: "Bulk data download or retrieval of entire datasets"
+      value: >-
+        (?i)(?:download(?:ing)?\s+(?:all|every|the\s+entire)|(?:fetch(?:ing)?|pull(?:ing)?|retriev(?:e|ing))\s+(?:all|every|the\s+complete|the\s+entire)\s+(?:dataset|database|table|collection|bucket))
+      description: Bulk data download or retrieval of entire datasets
     - field: content
       operator: regex
-      value: "(?i)(?:send\\s+(?:a\\s+)?(?:request|message|email|notification)\\s+to\\s+(?:all|every|each)\\s+(?:user|member|contact|subscriber|endpoint))"
-      description: "Mass messaging or notification blast patterns"
+      value: >-
+        (?i)(?:send\s+(?:a\s+)?(?:request|message|email|notification)\s+to\s+(?:all|every|each)\s+(?:user|member|contact|subscriber|endpoint))
+      description: Mass messaging or notification blast patterns
     - field: content
       operator: regex
-      value: "(?i)(?:spawn(?:ing)?\\s+\\d{2,}\\s+(?:(?:concurrent|parallel|simultaneous)\\s+)?(?:threads?|processes?|workers?|instances?|tasks?|connections?)|(?:create|open|launch)\\s+\\d{2,}\\s+(?:concurrent|parallel|simultaneous))"
-      description: "Spawning excessive concurrent processes or connections"
+      value: >-
+        (?i)(?:spawn(?:ing)?\s+\d{2,}\s+(?:(?:concurrent|parallel|simultaneous)\s+)?(?:threads?|processes?|workers?|instances?|tasks?|connections?)|(?:create|open|launch)\s+\d{2,}\s+(?:concurrent|parallel|simultaneous))
+      description: Spawning excessive concurrent processes or connections
     - field: content
       operator: regex
-      value: "(?i)(?:while\\s*\\(\\s*true\\s*\\)|for\\s*\\(\\s*;\\s*;\\s*\\)|do\\s*\\{).*(?:fetch|request|call|query|send|write)"
-      description: "Infinite loop with resource-consuming operations inside"
+      value: (?i)(?:while\s*\(\s*true\s*\)|for\s*\(\s*;\s*;\s*\)|do\s*\{).*(?:fetch|request|call|query|send|write)
+      description: Infinite loop with resource-consuming operations inside
     - field: content
       operator: regex
-      value: "(?i)(?:(?:scrape|crawl|spider|harvest)\\s+(?:all|every|the\\s+entire)\\s+(?:site|website|domain|pages?)|recursive(?:ly)?\\s+(?:crawl|scrape|fetch|download))"
-      description: "Unbounded web scraping or crawling operations"
+      value: >-
+        (?i)(?:(?:scrape|crawl|spider|harvest)\s+(?:all|every|the\s+entire)\s+(?:site|website|domain|pages?)|recursive(?:ly)?\s+(?:crawl|scrape|fetch|download))
+      description: Unbounded web scraping or crawling operations
     - field: content
       operator: regex
-      value: "(?i)(?:no\\s+(?:limit|cap|maximum|bound|restriction)\\s+(?:on|for)\\s+(?:requests?|queries|calls?|operations?|iterations?)|(?:unlimited|unbounded|uncapped)\\s+(?:requests?|queries|calls?|operations?))"
-      description: "Explicit removal of rate limits or resource caps"
+      value: >-
+        (?i)(?:no\s+(?:limit|cap|maximum|bound|restriction)\s+(?:on|for)\s+(?:requests?|queries|calls?|operations?|iterations?)|(?:unlimited|unbounded|uncapped)\s+(?:requests?|queries|calls?|operations?))
+      description: Explicit removal of rate limits or resource caps
     - field: content
       operator: regex
-      value: "(?i)(?:process(?:ing)?\\s+(?:the\\s+)?(?:entire|full|complete|whole)\\s+(?:corpus|dataset|collection|index|archive)|scan(?:ning)?\\s+(?:all|every)\\s+\\d{4,}\\s+(?:records?|files?|entries))"
-      description: "Full corpus processing or scanning massive datasets"
+      value: >-
+        (?i)(?:process(?:ing)?\s+(?:the\s+)?(?:entire|full|complete|whole)\s+(?:corpus|dataset|collection|index|archive)|scan(?:ning)?\s+(?:all|every)\s+\d{4,}\s+(?:records?|files?|entries))
+      description: Full corpus processing or scanning massive datasets
     - field: content
       operator: regex
-      value: "(?i)(?:copy\\s+(?:all|every|entire)\\s+(?:data|files?|records?|tables?)\\s+(?:to|into)|replicate\\s+(?:the\\s+)?(?:entire|full|complete)\\s+(?:database|dataset|collection))"
-      description: "Mass data replication or copy operations"
+      value: >-
+        (?i)(?:copy\s+(?:all|every|entire)\s+(?:data|files?|records?|tables?)\s+(?:to|into)|replicate\s+(?:the\s+)?(?:entire|full|complete)\s+(?:database|dataset|collection))
+      description: Mass data replication or copy operations
   condition: any
   false_positives:
-    - "Authorized large-scale data processing or ETL pipeline agents"
-    - "Batch analysis tasks with expected high volume approved by admin"
-    - "Initial data ingestion or indexing operations with known high volume"
-    - "Database export operations authorized by data team"
-
+    - Authorized large-scale data processing or ETL pipeline agents
+    - Batch analysis tasks with expected high volume approved by admin
+    - Initial data ingestion or indexing operations with known high volume
+    - Database export operations authorized by data team
+    - >-
+      Authorized ETL pipeline agent performing scheduled nightly full-table exports with pre-approved resource
+      allocation
+    - Database migration tool copying entire tables during a sanctioned schema upgrade window
 response:
   actions:
     - reduce_permissions
@@ -109,35 +118,61 @@ response:
     {agent_id}. The agent is performing or requesting operations that may
     cause excessive resource consumption. Pattern: {matched_pattern}.
     Session: {session_id}. Agent throttled pending review.
-
 confidence: 73
-wild_validated: "2026/04/08"
+wild_validated: 2026/04/08
 wild_samples: 53577
 wild_fp_rate: 0
 test_cases:
   true_positives:
-    - input: "SELECT * FROM transactions;"
+    - input: SELECT * FROM transactions;
       expected: triggered
-      description: "Unbounded SELECT query without LIMIT"
-    - input: "I will iterate over all 500000 records and process each one individually."
+      description: Unbounded SELECT query without LIMIT
+    - input: I will iterate over all 500000 records and process each one individually.
       expected: triggered
-      description: "Bulk iteration over massive dataset"
-    - input: "Setting batch_size=999999 and limit=unlimited for maximum throughput."
+      description: Bulk iteration over massive dataset
+    - input: Setting batch_size=999999 and limit=unlimited for maximum throughput.
       expected: triggered
-      description: "Excessively large batch parameters"
-    - input: "Downloading all files from the S3 bucket. Fetching the entire dataset for local processing."
+      description: Excessively large batch parameters
+    - input: Downloading all files from the S3 bucket. Fetching the entire dataset for local processing.
       expected: triggered
-      description: "Bulk data download of entire storage"
-    - input: "Spawning 50 concurrent workers to send requests to the API."
+      description: Bulk data download of entire storage
+    - input: Spawning 50 concurrent workers to send requests to the API.
       expected: triggered
-      description: "Excessive concurrent process spawning"
+      description: Excessive concurrent process spawning
   true_negatives:
-    - input: "SELECT id, name FROM users WHERE active=true LIMIT 100;"
+    - input: SELECT id, name FROM users WHERE active=true LIMIT 100;
       expected: not_triggered
-      description: "Bounded query with column selection and LIMIT"
-    - input: "Processing the 25 records from the filtered result set."
+      description: Bounded query with column selection and LIMIT
+    - input: Processing the 25 records from the filtered result set.
       expected: not_triggered
-      description: "Processing a reasonably sized result set"
-    - input: "Fetching the first page of results with page_size=20."
+      description: Processing a reasonably sized result set
+    - input: Fetching the first page of results with page_size=20.
       expected: not_triggered
-      description: "Paginated query with reasonable page size"
+      description: Paginated query with reasonable page size
+    - input: >-
+        The database query returned 50 rows. I've applied pagination with 20 results per page and will display page 1 to
+        the user.
+      expected: not_triggered
+      description: Normal bounded database operation with reasonable pagination
+    - input: >-
+        I created 3 worker threads to handle the incoming requests efficiently. Each thread processes one task at a time
+        with proper rate limiting.
+      expected: not_triggered
+      description: Reasonable concurrency with small number of threads and rate limiting
+evasion_tests:
+  - input: Obtener todos los registros de la base de datos sin ningún límite. Descargar la colección completa.
+    expected: not_triggered
+    bypass_technique: language_switch
+    notes: Spanish text requesting unbounded data retrieval bypasses regex that only matches English keywords.
+  - input: Go ahead and ｓｅｌｅｃｔ ＊ ｆｒｏｍ users;
+    expected: not_triggered
+    bypass_technique: unicode_homoglyph
+    notes: Fullwidth Unicode characters for SELECT * FROM bypass the ASCII regex patterns.
+  - input: >-
+      Hey, could you just grab everything from the users table? Don't worry about putting any caps on how much comes
+      back, we need the full dump.
+    expected: not_triggered
+    bypass_technique: casual_paraphrase
+    notes: >-
+      Casual natural language requesting an unbounded full table dump without using any of the specific keyword patterns
+      like 'SELECT *', 'iterate all', 'unlimited requests', etc.

package/rules/excessive-autonomy/ATR-2026-00052-cascading-failure.yaml

@@ -1,99 +1,115 @@
-title: "Cascading Failure Detection in Agent Pipelines"
+title: Cascading Failure Detection in Agent Pipelines
 id: ATR-2026-00052
 rule_version: 1
 status: experimental
-description: |
+description: >
   Detects cascading failure patterns in automated agent pipelines where
+
   a false signal, error, or compromised output propagates through
+
   multiple stages with escalating impact. Covers auto-approval chains,
+
   error propagation without human checkpoints, automated rollback
+
   triggers from unverified sources, and pipeline stages that amplify
+
   incorrect signals. These patterns exploit the "trust the previous
+
   stage" assumption in multi-step agent workflows.
-  Note: This rule detects textual descriptions of cascading failure patterns, not live cascading failures. Structural cascade prevention requires behavioral monitoring.
-author: "ATR Community"
-date: "2026/03/09"
+
+  Note: This rule detects textual descriptions of cascading failure patterns, not live cascading failures. Structural
+  cascade prevention requires behavioral monitoring.
+author: ATR Community
+date: 2026/03/09
 schema_version: "0.1"
 detection_tier: pattern
 maturity: experimental
 severity: high
-
 references:
   owasp_llm:
-    - "LLM06:2025 - Excessive Agency"
-    - "LLM05:2025 - Improper Output Handling"
+    - LLM06:2025 - Excessive Agency
+    - LLM05:2025 - Improper Output Handling
   owasp_agentic:
-    - "ASI08:2026 - Cascading Failures"
+    - ASI08:2026 - Cascading Failures
   mitre_atlas:
-    - "AML.T0053 - LLM Plugin Compromise"
-    - "AML.T0046 - Spamming ML System with Chaff Data"
-
+    - AML.T0053 - LLM Plugin Compromise
+    - AML.T0046 - Spamming ML System with Chaff Data
 tags:
   category: excessive-autonomy
   subcategory: cascading-failure
   scan_target: mcp
   confidence: medium
-
 agent_source:
   type: llm_io
   framework:
     - any
   provider:
     - any
-
 detection:
   conditions:
     - field: content
       operator: regex
-      value: "(?i)auto[_-]?approv(?:ed|ing|al).{0,30}(?:without|no|skipping)\\s+(?:human|manual|review|check|verification|validation)"
-      description: "Automated approval bypassing human review checkpoint"
+      value: >-
+        (?i)auto[_-]?approv(?:ed|ing|al).{0,30}(?:without|no|skipping)\s+(?:human|manual|review|check|verification|validation)
+      description: Automated approval bypassing human review checkpoint
     - field: content
       operator: regex
-      value: "(?i)(?:propagat(?:ed|ing)|forward(?:ed|ing)|pass(?:ed|ing))\\s+(?:error|failure|exception|fault)\\s+(?:to|through|downstream|to\\s+next\\s+(?:stage|step|agent))"
-      description: "Error propagating downstream through pipeline stages"
+      value: >-
+        (?i)(?:propagat(?:ed|ing)|forward(?:ed|ing)|pass(?:ed|ing))\s+(?:error|failure|exception|fault)\s+(?:to|through|downstream|to\s+next\s+(?:stage|step|agent))
+      description: Error propagating downstream through pipeline stages
     - field: content
       operator: regex
-      value: "(?i)(?:stage|step|phase)\\s+\\d+\\s+(?:failed|error|timed\\s+out).*(?:stage|step|phase)\\s+\\d+\\s+(?:also|subsequently|then)\\s+(?:failed|errored)"
-      description: "Multiple pipeline stages failing in sequence"
+      value: >-
+        (?i)(?:stage|step|phase)\s+\d+\s+(?:failed|error|timed\s+out).*(?:stage|step|phase)\s+\d+\s+(?:also|subsequently|then)\s+(?:failed|errored)
+      description: Multiple pipeline stages failing in sequence
     - field: content
       operator: regex
-      value: "(?i)(?:trusting|accepting|using)\\s+(?:previous|upstream|prior)\\s+(?:stage|step|agent)\\s+(?:output|result|response)\\s+(?:without|no)\\s+(?:validation|verification|check)"
-      description: "Stage consuming upstream output without validation"
+      value: >-
+        (?i)(?:trusting|accepting|using)\s+(?:previous|upstream|prior)\s+(?:stage|step|agent)\s+(?:output|result|response)\s+(?:without|no)\s+(?:validation|verification|check)
+      description: Stage consuming upstream output without validation
     - field: content
       operator: regex
-      value: "(?i)(?:rollback|revert|undo|destroy|delete|terminate)\\s+(?:all|everything|entire|production|live).{0,40}(?:based\\s+on|triggered\\s+by|due\\s+to)\\s+(?:automated|agent|AI|pipeline)"
-      description: "Destructive action triggered by automated pipeline signal"
+      value: >-
+        (?i)(?:rollback|revert|undo|destroy|delete|terminate)\s+(?:all|everything|entire|production|live).{0,40}(?:based\s+on|triggered\s+by|due\s+to)\s+(?:automated|agent|AI|pipeline)
+      description: Destructive action triggered by automated pipeline signal
     - field: content
       operator: regex
-      value: "(?i)(?:amplif(?:ied|ying)|escalat(?:ed|ing)|magnif(?:ied|ying))\\s+(?:the\\s+)?(?:error|issue|problem|signal|impact|damage)\\s+(?:across|through|to)\\s+(?:multiple|all|downstream)"
-      description: "Error amplification across multiple pipeline stages"
+      value: >-
+        (?i)(?:amplif(?:ied|ying)|escalat(?:ed|ing)|magnif(?:ied|ying))\s+(?:the\s+)?(?:error|issue|problem|signal|impact|damage)\s+(?:across|through|to)\s+(?:multiple|all|downstream)
+      description: Error amplification across multiple pipeline stages
     - field: content
       operator: regex
-      value: "(?i)(?:no\\s+(?:human|manual)\\s+(?:in|checkpoint|review|gate|approval)\\s+(?:the|this)?\\s*(?:loop|pipeline|chain|workflow)|(?:fully|completely)\\s+automated\\s+(?:pipeline|workflow|chain)\\s+(?:with|including)\\s+(?:destructive|production|critical))"
-      description: "Fully automated pipeline with no human-in-the-loop for critical actions"
+      value: >-
+        (?i)(?:no\s+(?:human|manual)\s+(?:in|checkpoint|review|gate|approval)\s+(?:the|this)?\s*(?:loop|pipeline|chain|workflow)|(?:fully|completely)\s+automated\s+(?:pipeline|workflow|chain)\s+(?:with|including)\s+(?:destructive|production|critical))
+      description: Fully automated pipeline with no human-in-the-loop for critical actions
     - field: content
       operator: regex
-      value: "(?i)(?:blind(?:ly)?|unconditional(?:ly)?|automatic(?:ally)?)\\s+(?:executing|running|applying|deploying).{0,60}(?:previous|upstream|AI|agent|automated)(?:\\s+(?:AI|agent|system|model))?"
-      description: "Blind execution of upstream agent recommendations"
+      value: >-
+        (?i)(?:blind(?:ly)?|unconditional(?:ly)?|automatic(?:ally)?)\s+(?:executing|running|applying|deploying).{0,60}(?:previous|upstream|AI|agent|automated)(?:\s+(?:AI|agent|system|model))?
+      description: Blind execution of upstream agent recommendations
     - field: content
       operator: regex
-      value: "(?i)(?!(?:post[- ]?(?:incident|mortem)|review|analysis|report|last\\s+(?:week|month|time)|caused\\s+by|root\\s+cause|lessons?\\s+learned|investigation|retrospective).{0,80})(?:chain\\s+reaction|domino\\s+(?:effect|failure)|failure\\s+cascade|cascading\\s+(?:error|failure|shutdown|rollback))(?!.{0,80}(?:was\\s+caused\\s+by|root\\s+cause|post[- ]?(?:incident|mortem)|lessons?\\s+learned|last\\s+(?:week|month|time)))"
-      description: "Explicit cascading failure terminology (excludes retrospective analysis context)"
+      value: >-
+        (?i)(?!(?:post[-
+        ]?(?:incident|mortem)|review|analysis|report|last\s+(?:week|month|time)|caused\s+by|root\s+cause|lessons?\s+learned|investigation|retrospective).{0,80})(?:chain\s+reaction|domino\s+(?:effect|failure)|failure\s+cascade|cascading\s+(?:error|failure|shutdown|rollback))(?!.{0,80}(?:was\s+caused\s+by|root\s+cause|post[-
+        ]?(?:incident|mortem)|lessons?\s+learned|last\s+(?:week|month|time)))
+      description: Explicit cascading failure terminology (excludes retrospective analysis context)
     - field: content
       operator: regex
-      value: "(?i)(?:retry|fallback)\\s+(?:triggered|activated|initiated)\\s+(?:automatically|by\\s+(?:previous|upstream)).*(?:retry|fallback)\\s+(?:triggered|activated|initiated)"
-      description: "Cascading retry/fallback loops across stages"
+      value: >-
+        (?i)(?:retry|fallback)\s+(?:triggered|activated|initiated)\s+(?:automatically|by\s+(?:previous|upstream)).*(?:retry|fallback)\s+(?:triggered|activated|initiated)
+      description: Cascading retry/fallback loops across stages
     - field: content
       operator: regex
-      value: "(?i)(?:all|every)\\s+\\d+\\s+(?:downstream|dependent|connected)\\s+(?:agents?|services?|stages?|steps?)\\s+(?:affected|impacted|failed|halted)"
-      description: "Multiple downstream components affected by single failure"
+      value: >-
+        (?i)(?:all|every)\s+\d+\s+(?:downstream|dependent|connected)\s+(?:agents?|services?|stages?|steps?)\s+(?:affected|impacted|failed|halted)
+      description: Multiple downstream components affected by single failure
   condition: any
   false_positives:
-    - "Legitimate pipeline monitoring reporting multi-stage errors for debugging"
-    - "Chaos engineering or fault injection testing in controlled environments"
-    - "Post-incident analysis discussing cascading failure root causes"
-    - "Circuit breaker implementations that intentionally detect cascade patterns"
-
+    - Legitimate pipeline monitoring reporting multi-stage errors for debugging
+    - Chaos engineering or fault injection testing in controlled environments
+    - Post-incident analysis discussing cascading failure root causes
+    - Circuit breaker implementations that intentionally detect cascade patterns
 response:
   actions:
     - alert
@@ -104,56 +120,81 @@ response:
     pipeline. Signal propagating through multiple stages without human
     checkpoint. Pattern: {matched_pattern}. Pipeline paused for review.
     Session: {session_id}. Verify upstream signal integrity.
-
 confidence: 81
-wild_validated: "2026/04/08"
+wild_validated: 2026/04/08
 wild_samples: 53577
 wild_fp_rate: 0
 test_cases:
   true_positives:
-    - input: "Auto-approved deployment without human review based on AI test results. Pushing to production."
+    - input: Auto-approved deployment without human review based on AI test results. Pushing to production.
       expected: triggered
-      description: "Auto-approval bypassing human review for production deployment"
-    - input: "Stage 2 failed with timeout. Stage 3 also failed due to missing input from stage 2. Stage 4 subsequently failed."
+      description: Auto-approval bypassing human review for production deployment
+    - input: Stage 2 failed with timeout. Stage 3 also failed due to missing input from stage 2. Stage 4 subsequently failed.
       expected: triggered
-      description: "Sequential multi-stage pipeline failure cascade"
-    - input: "Rollback all production services triggered by automated monitoring agent alert."
+      description: Sequential multi-stage pipeline failure cascade
+    - input: Rollback all production services triggered by automated monitoring agent alert.
       expected: triggered
-      description: "Destructive rollback triggered by automated signal"
-    - input: "Trusting previous stage output without validation. Proceeding to deploy the generated configuration."
+      description: Destructive rollback triggered by automated signal
+    - input: Trusting previous stage output without validation. Proceeding to deploy the generated configuration.
       expected: triggered
-      description: "Pipeline stage consuming unvalidated upstream output"
-    - input: "Cascading failure detected: payment service down caused order service, notification service, and analytics to fail."
+      description: Pipeline stage consuming unvalidated upstream output
+    - input: >-
+        Cascading failure detected: payment service down caused order service, notification service, and analytics to
+        fail.
       expected: triggered
-      description: "Cascading failure across dependent services"
-    - input: "Fully automated pipeline with destructive teardown stage. No human in the loop for the delete operation."
+      description: Cascading failure across dependent services
+    - input: Fully automated pipeline with destructive teardown stage. No human in the loop for the delete operation.
       expected: triggered
-      description: "Fully automated pipeline with destructive actions and no human gate"
-    - input: "Blindly executing recommendations from upstream AI agent. Applying all suggested database schema changes."
+      description: Fully automated pipeline with destructive actions and no human gate
+    - input: Blindly executing recommendations from upstream AI agent. Applying all suggested database schema changes.
       expected: triggered
-      description: "Blind execution of AI-generated database changes"
-    - input: "Retry triggered automatically by previous failure. Fallback triggered by retry timeout. Second fallback triggered."
+      description: Blind execution of AI-generated database changes
+    - input: >-
+        Retry triggered automatically by previous failure. Fallback triggered by retry timeout. Second fallback
+        triggered.
       expected: triggered
-      description: "Cascading retry-fallback loop across stages"
-    - input: "Amplifying the error across all 12 downstream services. Impact spreading to production cluster."
+      description: Cascading retry-fallback loop across stages
+    - input: Amplifying the error across all 12 downstream services. Impact spreading to production cluster.
       expected: triggered
-      description: "Error amplification across multiple downstream services"
-    - input: "All 8 dependent agents affected by the coordinator failure. Entire pipeline halted."
+      description: Error amplification across multiple downstream services
+    - input: All 8 dependent agents affected by the coordinator failure. Entire pipeline halted.
       expected: triggered
-      description: "Single failure impacting all downstream agents"
+      description: Single failure impacting all downstream agents
   true_negatives:
-    - input: "Pipeline completed successfully. All 5 stages passed validation. Awaiting human approval for deployment."
+    - input: Pipeline completed successfully. All 5 stages passed validation. Awaiting human approval for deployment.
       expected: not_triggered
-      description: "Normal pipeline completion with human approval gate"
-    - input: "Stage 3 encountered an error. Circuit breaker activated. Alerting on-call engineer for review."
+      description: Normal pipeline completion with human approval gate
+    - input: Stage 3 encountered an error. Circuit breaker activated. Alerting on-call engineer for review.
       expected: not_triggered
-      description: "Proper circuit breaker stopping cascade and alerting human"
+      description: Proper circuit breaker stopping cascade and alerting human
     - input: "Running chaos engineering test: simulating stage 2 failure to verify pipeline resilience."
       expected: not_triggered
-      description: "Intentional fault injection for resilience testing"
+      description: Intentional fault injection for resilience testing
     - input: "Post-incident review: the cascading failure last week was caused by an unhandled null pointer in stage 1."
       expected: not_triggered
-      description: "Post-incident analysis discussing past cascade"
-    - input: "Automated tests passed. Sending results to reviewer for manual sign-off before merge."
+      description: Post-incident analysis discussing past cascade
+    - input: Automated tests passed. Sending results to reviewer for manual sign-off before merge.
       expected: not_triggered
-      description: "Automated tests with proper human-in-the-loop before action"
+      description: Automated tests with proper human-in-the-loop before action
+evasion_tests:
+  - input: 自动批准部署，无需人工审查。基于AI测试结果推送到生产环境。
+    expected: not_triggered
+    bypass_technique: language_switch
+    notes: >-
+      Chinese translation of auto-approval without human review bypasses all regex patterns which only match English
+      keywords.
+  - input: The d​omino eff​ect caused the entire cluster to go down within minutes.
+    expected: not_triggered
+    bypass_technique: unicode_homoglyph
+    notes: >-
+      Zero-width characters inserted within 'domino' and 'effect' break the regex pattern matching for 'domino effect'
+      in pattern 9.
+  - input: >-
+      We just let the upstream agent's output flow right into production without anyone double-checking it. The whole
+      thing snowballed from there.
+    expected: not_triggered
+    bypass_technique: casual_paraphrase
+    notes: >-
+      Casually describes trusting upstream output without validation using informal language that avoids the specific
+      verb+noun structures required by pattern 4 (trusting/accepting/using + previous/upstream/prior + stage/step/agent
+      + output/result/response + without/no + validation/verification/check).