npm - agent-threat-rules - Versions diffs - 2.2.1 → 3.1.0 - Mend

agent-threat-rules 2.2.1 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (424) hide show

package/rules/privilege-escalation/ATR-2026-00551-cross-conversation-memory-write.yaml ADDED Viewed

@@ -0,0 +1,198 @@
+title: "Cross-conversation memory write (scope-escape via memory store)"
+id: ATR-2026-00551
+rule_version: 1
+status: draft
+description: >
+  Detects an agent writing data into a memory store / vector store scoped
+  to a DIFFERENT conversation than the active trace's conversation.id.
+  This is a trace-method rule using the `forbid` primitive with a target
+  field comparison (spec/atr-method-v1.1.md §8.3.1).
+  Threat model: memory APIs (long-term context, vector stores, RAG
+  ingestion) typically partition by conversation.id, user.id, or session.id
+  for tenant isolation. Two attack patterns create scope-escape: (1)
+  prompt injection convinces the agent to "remember this for user X" when
+  the active conversation is for user Y, (2) tool argument tampering
+  alters the target conversation_id before the memory write completes.
+  In either case, the trace exhibits a span where
+  attributes.tool.args.target_conversation_id differs from the active
+  span's attributes.conversation.id. No exception is raised; the memory
+  write succeeds and corrupts the target conversation's context.
+  This rule is the runtime-detection complement to the AgentArmor
+  (arXiv:2508.01249) type-system rule "memory writes must respect the
+  active conversation lattice."
+author: "ATR Community"
+date: "2026/05/28"
+schema_version: "1.0"
+maturity: draft
+severity: critical
+references:
+  owasp_agentic:
+    - "ASI04:2026 - Unauthorized Resource Access"
+    - "ASI09:2026 - Memory Poisoning"
+  owasp_llm:
+    - "LLM03:2025 - Training Data Poisoning"
+  mitre_atlas:
+    - "AML.T0018 - Backdoor ML Model"
+    - "AML.T0020 - Poison Training Data"
+  research:
+    - "AgentArmor: Type-System for Agent Trace Analysis (arXiv:2508.01249)"
+    - "Compositional Privacy Risks in Multi-Agent Systems (arXiv:2509.14284)"
+compliance:
+  nist_csf:
+    - "PR.DS-01"
+    - "PR.AC-04"
+  etsi_ts_104223:
+    - "P5.1"
+  eu_ai_act:
+    - article: "10"
+      context: >
+        Data governance — cross-conversation memory writes corrupt
+        tenant-isolated state and violate Article 10 data-governance
+        requirements.
+      strength: primary
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: >
+        Information security — cross-tenant memory writes are integrity
+        failures under MS-2.6.
+      strength: primary
+tags:
+  category: privilege-escalation
+  subcategory: cross-conversation-memory-write
+  scan_target: runtime
+  confidence: high
+  source: trace-rule
+agent_source:
+  type: agent_trace
+  framework:
+    - any
+  provider:
+    - any
+detection:
+  method: trace
+  condition: any
+  false_positives:
+    - >
+      Admin / knowledge-propagation agents legitimately write across
+      conversations (e.g., support escalation summaries, cross-tenant
+      compliance reports). The rule has no exemption mechanism for these.
+      Mitigation: operators tag authorized cross-conv agents with
+      attributes.agent.role="cross_conv_admin" and add a pre-filter at
+      the policy layer. The rule itself does not encode this exception
+      to keep the trace shape simple.
+    - >
+      Closed tool name list (memory.write, memory.upsert,
+      vector_store.write, vector_store.upsert, longterm.append,
+      rag.ingest): framework-specific names like mem0.add, zep.memory.add,
+      langmem.put, chromadb.add, pgvector.insert all bypass the rule.
+      Until a regex/suffix matcher lands in the spec, operators MUST
+      extend the in[] list for their stack. This is a known FN scenario
+      that complements the FP risk.
+    - >
+      `exists: true` and `not_equals` are co-located on
+      tool.args.target_conversation_id. Spec §8.3 requires engines to
+      evaluate `exists` before `not_equals` to avoid placeholder-
+      resolution errors on absent attributes. Non-conformant engines
+      may emit a graceful_error here.
+  conditions:
+    - field: trace.forbid_violation
+      operator: regex
+      value: "(?i)forbid_violation:cross_conversation_memory_write"
+      description: >
+        Synthetic field emitted by the trace engine when the forbid
+        primitive fires; trace-native engines evaluate detection.trace.
+  trace:
+    ingest_format: openinference
+    forbid:
+      - shape:
+          span.kind: "TOOL"
+          attributes:
+            tool.name:
+              in:
+                - "memory.write"
+                - "memory.upsert"
+                - "vector_store.write"
+                - "vector_store.upsert"
+                - "longterm.append"
+                - "rag.ingest"
+            tool.args.target_conversation_id:
+              exists: true
+              not_equals: "${span.attributes.conversation.id}"
+        description: >
+          Memory-write tool whose args.target_conversation_id is set
+          AND differs from the active span's conversation.id indicates
+          scope-escape. Uses the cross-attribute reference syntax per
+          atr-method-v1.1.md §8.3 (the ${span.attributes.X} placeholder
+          is resolved against the candidate span before predicate
+          evaluation).
+response:
+  actions:
+    - block_tool
+    - alert
+    - snapshot
+  message_template: >
+    [ATR-2026-00551] HIGH: Cross-conversation memory write detected. Tool
+    {{trace.matched_span.attributes.tool.name}} (span
+    {{trace.matched_span.id}}) attempted to write into conversation
+    {{trace.matched_span.attributes.tool.args.target_conversation_id}}
+    while the active trace conversation is
+    {{trace.matched_span.attributes.conversation.id}}. Block the write;
+    audit whether the active agent has authority over the target
+    conversation.
+confidence: 85
+wild_fp_rate: 0
+test_cases:
+  true_positives:
+    - input: |
+        {"spans":[{"id":"t1","kind":"TOOL","attributes":{"tool.name":"memory.write","conversation.id":"conv_A","tool.args":{"target_conversation_id":"conv_B","payload":"remember this"}}}]}
+      expected: triggered
+      description: "memory.write into conv_B while active conversation is conv_A"
+    - input: |
+        {"spans":[{"id":"t1","kind":"TOOL","attributes":{"tool.name":"vector_store.upsert","conversation.id":"alpha","tool.args":{"target_conversation_id":"beta","vector":"<...>"}}}]}
+      expected: triggered
+      description: "vector_store.upsert with target_conversation_id mismatch"
+    - input: |
+        {"spans":[{"id":"a1","kind":"AGENT","attributes":{"conversation.id":"primary"}},{"id":"t1","kind":"TOOL","attributes":{"tool.name":"rag.ingest","conversation.id":"primary","tool.args":{"target_conversation_id":"victim_conv","content":"fake context"}}}]}
+      expected: triggered
+      description: "rag.ingest into victim_conv while operating in primary"
+    - input: |
+        {"spans":[{"id":"t1","kind":"TOOL","attributes":{"tool.name":"longterm.append","conversation.id":"c123","tool.args":{"target_conversation_id":"c456"}}}]}
+      expected: triggered
+      description: "longterm.append targets a different conversation than the trace's"
+    - input: |
+        {"spans":[{"id":"r1","kind":"RETRIEVER","attributes":{"source.trust":"untrusted","conversation.id":"x"}},{"id":"t1","kind":"TOOL","attributes":{"tool.name":"memory.upsert","conversation.id":"x","tool.args":{"target_conversation_id":"y"}}}]}
+      expected: triggered
+      description: "Combined indirect-injection + cross-conv memory write"
+  true_negatives:
+    - input: |
+        {"spans":[{"id":"t1","kind":"TOOL","attributes":{"tool.name":"memory.write","conversation.id":"same","tool.args":{"target_conversation_id":"same","payload":"note"}}}]}
+      expected: not_triggered
+      description: "target_conversation_id == active conversation.id — legitimate self-write"
+    - input: |
+        {"spans":[{"id":"t1","kind":"TOOL","attributes":{"tool.name":"memory.read","conversation.id":"a","tool.args":{"target_conversation_id":"b"}}}]}
+      expected: not_triggered
+      description: "memory.read is not a write — rule does not apply"
+    - input: |
+        {"spans":[{"id":"t1","kind":"TOOL","attributes":{"tool.name":"calculator","conversation.id":"c","tool.args":{"a":1,"b":2}}}]}
+      expected: not_triggered
+      description: "Tool is calculator, not memory-write — rule does not apply"
+    - input: |
+        {"spans":[{"id":"t1","kind":"TOOL","attributes":{"tool.name":"memory.write","conversation.id":"only","tool.args":{"payload":"note without target_conversation_id"}}}]}
+      expected: not_triggered
+      description: "No explicit target_conversation_id; defaults to active conversation — legitimate"
+    - input: |
+        {"spans":[{"id":"t1","kind":"TOOL","attributes":{"tool.name":"vector_store.upsert","conversation.id":"shared","tool.args":{"target_conversation_id":"shared","namespace":"global"}}}]}
+      expected: not_triggered
+      description: "Shared conversation namespace — target equals active, legitimate cross-agent shared memory"

package/rules/prompt-injection/ATR-2026-00004-system-prompt-override.yaml CHANGED Viewed

@@ -14,7 +14,7 @@ author: ATR Community
 date: 2026/03/08
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: critical
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00005-multi-turn-injection.yaml CHANGED Viewed

@@ -15,7 +15,7 @@ author: "ATR Community"
 date: "2026/03/08"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: medium
 references:

package/rules/prompt-injection/ATR-2026-00097-cjk-injection-patterns.yaml CHANGED Viewed

@@ -22,7 +22,7 @@ author: ATR Community
 date: 2026/03/11
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: critical
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00104-persona-hijacking.yaml CHANGED Viewed

@@ -12,7 +12,7 @@ author: ATR Community
 date: 2026/03/15
 schema_version: "0.1"
 detection_tier: semantic
-maturity: experimental
+maturity: test
 severity: critical
 source: threat-cloud
 references:

package/rules/prompt-injection/ATR-2026-00130-indirect-authority-claim.yaml CHANGED Viewed

@@ -13,7 +13,7 @@ author: ATR Community
 date: 2026/04/01
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   mitre_atlas:

package/rules/prompt-injection/ATR-2026-00131-fictional-academic-framing.yaml CHANGED Viewed

@@ -12,7 +12,7 @@ author: ATR Community
 date: 2026/04/01
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: medium
 references:
   mitre_atlas:

package/rules/prompt-injection/ATR-2026-00133-paraphrase-injection.yaml CHANGED Viewed

@@ -12,7 +12,7 @@ author: ATR Community
 date: 2026/04/01
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   mitre_atlas:

package/rules/prompt-injection/ATR-2026-00137-authority-claim-injection.yaml CHANGED Viewed

@@ -9,7 +9,7 @@ author: ATR Threat Cloud Crystallization
 date: 2026/04/07
 schema_version: "1.0"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   mitre_atlas:

package/rules/prompt-injection/ATR-2026-00138-fictional-framing-bypass.yaml CHANGED Viewed

@@ -9,7 +9,7 @@ author: ATR Threat Cloud Crystallization
 date: 2026/04/07
 schema_version: "1.0"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   mitre_atlas:

package/rules/prompt-injection/ATR-2026-00140-indirect-reference-reversal.yaml CHANGED Viewed

@@ -9,7 +9,7 @@ author: ATR Threat Cloud Crystallization
 date: 2026/04/07
 schema_version: "1.0"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   mitre_atlas:

package/rules/prompt-injection/ATR-2026-00148-language-switch-injection.yaml CHANGED Viewed

@@ -10,7 +10,7 @@ author: ATR Threat Cloud Crystallization
 date: 2026/04/07
 schema_version: "1.0"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   mitre_atlas:

package/rules/prompt-injection/ATR-2026-00153-tool-with-embedded-instruction-to-bypass.yaml CHANGED Viewed

@@ -10,7 +10,7 @@ author: Threat Cloud LLM Analyzer
 date: 2026/04/06
 schema_version: "0.1"
 detection_tier: semantic
-maturity: experimental
+maturity: test
 severity: critical
 references:
   mitre_atlas:

package/rules/prompt-injection/ATR-2026-00154-unauthorized-background-task-execution-v.yaml CHANGED Viewed

@@ -9,7 +9,7 @@ author: Threat Cloud LLM Analyzer
 date: 2026/04/06
 schema_version: "0.1"
 detection_tier: semantic
-maturity: experimental
+maturity: test
 severity: high
 references:
   mitre_atlas:

package/rules/prompt-injection/ATR-2026-00155-hidden-llm-instructions-in-skill-descrip.yaml CHANGED Viewed

@@ -10,7 +10,7 @@ author: Threat Cloud LLM Analyzer
 date: 2026/04/06
 schema_version: "0.1"
 detection_tier: semantic
-maturity: experimental
+maturity: test
 severity: high
 references:
   mitre_atlas:

package/rules/prompt-injection/ATR-2026-00156-ssh-remote-command-execution-with-creden.yaml CHANGED Viewed

@@ -9,7 +9,7 @@ author: Threat Cloud LLM Analyzer
 date: 2026/04/06
 schema_version: "0.1"
 detection_tier: semantic
-maturity: experimental
+maturity: test
 severity: high
 references:
   mitre_atlas:

package/rules/prompt-injection/ATR-2026-00163-skill-hidden-override-instruction.yaml CHANGED Viewed

@@ -11,7 +11,7 @@ author: 'ATR Project'
 date: '2026/04/14'
 schema_version: '1.0'
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:
@@ -58,8 +58,8 @@ detection:
       description: 'Social engineering — framing dangerous action as routine to avoid scrutiny'
     - field: content
       operator: regex
-      value: '(?i)(?:execute|run|perform)\s+(?:silently|quietly|in\s+the\s+background|without\s+(?:notification|alerting|informing|telling|notifying))'
-      description: 'Silent execution instruction'
+      value: '(?i)(?:execute|run|perform)\s+(?:silently|quietly|without\s+(?:notification|alerting|informing|telling|notifying)|(?:[\w\s-]{0,30}\s+)?in\s+the\s+background\b[\s\S]{0,40}?(?:without\s+(?:notif\w*|alert\w*|inform\w*|telling|notifying|(?:the\s+)?user(?:.?s)?(?:\s+(?:knowledge|awareness|notice|consent|confirmation|approval|permission))?|confirmation|approval|consent|permission|notice)|silently|secretly|covertly|hidden\s+from\s+(?:the\s+)?user|unbeknownst))'
+      description: 'Silent execution instruction (concealment-qualified; bare "in the background" no longer matches without a hide-from-user signal)'
   condition: any
   false_positives:
     - 'Security tools describing what attacks look like in documentation'

package/rules/prompt-injection/ATR-2026-00206-hidden-priority-instructions.yaml CHANGED Viewed

@@ -9,7 +9,7 @@ author: "ATR Threat Cloud Crystallization"
 date: "2026/04/08"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00207-hidden-instructions.yaml CHANGED Viewed

@@ -8,7 +8,7 @@ author: "ATR Threat Cloud Crystallization"
 date: "2026/04/08"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00211-system-prompt-override.yaml CHANGED Viewed

@@ -10,7 +10,7 @@ author: "ATR Threat Cloud Crystallization"
 date: "2026/04/09"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00213-system-prompt-override.yaml CHANGED Viewed

@@ -9,7 +9,7 @@ author: "ATR Threat Cloud Crystallization"
 date: "2026/04/09"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00226-identity-substitution.yaml CHANGED Viewed

@@ -12,7 +12,7 @@ author: "nvidia-airt-test (via ATR garak pipe)"
 date: "2026/04/18"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00227-historical-persona-jailbreak.yaml CHANGED Viewed

@@ -15,7 +15,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
 date: "2026/04/18"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00228-structured-jailbreak.yaml CHANGED Viewed

@@ -12,7 +12,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
 date: "2026/04/18"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00229-roleplay-jailbreak.yaml CHANGED Viewed

@@ -8,7 +8,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
 date: "2026/04/18"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00230-persona-moral-bypass.yaml CHANGED Viewed

@@ -13,7 +13,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
 date: "2026/04/18"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:
@@ -58,10 +58,6 @@ detection:
       operator: regex
       value: '(?i)\b(?:these\s+views\s+do\s+not\s+align|does\s+not\s+align)\s+with\s+(?:the\s+)?views\s+of\s+(?:OpenAI|Anthropic|the\s+company|the\s+organization|the\s+creators?)\b'
       description: 'Disclaimer about misalignment with creator views'
-    - field: content
-      operator: regex
-      value: '(?i)\[(?:your\s+)?(?:prompt|question|request|query)\s+here\]|\{(?:your\s+)?(?:prompt|question|request|query)\s+here\}|(?:prompt|question|request|query):\s*\[|\bprompt:\s*$'
-      description: 'Template placeholder indicating structure for follow-up injection'
     - field: content
       operator: regex
       value: '(?i)provide\s+(?:detailed\s+)?responses?\s+to\s+each\s+(?:prompt|question|request|query|instruction)'

package/rules/prompt-injection/ATR-2026-00231-identity-substitution.yaml CHANGED Viewed

@@ -12,7 +12,7 @@ author: "nvidia-airt-test (via ATR garak pipe)"
 date: "2026/04/18"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00233-structured-jailbreak.yaml CHANGED Viewed

@@ -12,7 +12,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
 date: "2026/04/18"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00234-roleplay-jailbreak.yaml CHANGED Viewed

@@ -8,7 +8,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
 date: "2026/04/18"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00235-persona-moral-bypass.yaml CHANGED Viewed

@@ -1,9 +1,10 @@
 title: 'Persona-Based Moral Constraint Removal Jailbreak'
 id: ATR-2026-00235
 rule_version: 1
-status: experimental
+status: deprecated
 description: >
-  Detects jailbreak attempts that establish alternate personas explicitly designed to bypass
+  DEPRECATED: exact duplicate of ATR-2026-00230 (identical detection); retained as a tombstone, all detection is handled by ATR-2026-00230.
+  Detects jailbreak attempts that establish alternate personas explicitly designed to bypass
   moral and ethical constraints. This attack pattern instructs the AI to "take up" or "adopt"
   a named persona that is specifically described as being "not restrained by morals, ethics,
   or virtues" or similar moral constraint removal language. Often includes template placeholders
@@ -13,7 +14,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
 date: "2026/04/18"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:
@@ -58,10 +59,6 @@ detection:
       operator: regex
       value: '(?i)\b(?:these\s+views\s+do\s+not\s+align|does\s+not\s+align)\s+with\s+(?:the\s+)?views\s+of\s+(?:OpenAI|Anthropic|the\s+company|the\s+organization|the\s+creators?)\b'
       description: 'Disclaimer about misalignment with creator views'
-    - field: content
-      operator: regex
-      value: '(?i)\[(?:your\s+)?(?:prompt|question|request|query)\s+here\]|\{(?:your\s+)?(?:prompt|question|request|query)\s+here\}|(?:prompt|question|request|query):\s*\[|\bprompt:\s*$'
-      description: 'Template placeholder indicating structure for follow-up injection'
     - field: content
       operator: regex
       value: '(?i)provide\s+(?:detailed\s+)?responses?\s+to\s+each\s+(?:prompt|question|request|query|instruction)'

package/rules/prompt-injection/ATR-2026-00236-pseudo-code-jailbreak.yaml CHANGED Viewed

@@ -14,7 +14,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
 date: "2026/04/19"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00237-dual-response-jailbreak.yaml CHANGED Viewed

@@ -12,7 +12,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
 date: "2026/04/19"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00238-identity-replacement.yaml CHANGED Viewed

@@ -13,7 +13,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
 date: "2026/04/19"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00239-amoral-persona-obsession.yaml CHANGED Viewed

@@ -14,7 +14,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
 date: "2026/04/19"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00240-instruction-nullification-identity-repla.yaml CHANGED Viewed

@@ -14,7 +14,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
 date: "2026/04/19"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00241-amoral-character-jailbreak.yaml CHANGED Viewed

@@ -14,7 +14,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
 date: "2026/04/19"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00242-persona-jailbreak.yaml CHANGED Viewed

@@ -13,7 +13,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
 date: "2026/04/19"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00243-acronym-jailbreak.yaml CHANGED Viewed

@@ -12,7 +12,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
 date: "2026/04/19"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00244-dual-response-jailbreak.yaml CHANGED Viewed

@@ -14,7 +14,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
 date: "2026/04/19"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00245-malicious-persona.yaml CHANGED Viewed

@@ -13,7 +13,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
 date: "2026/04/19"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm:

package/rules/prompt-injection/ATR-2026-00247-dual-response-jailbreak.yaml CHANGED Viewed

@@ -12,7 +12,7 @@ author: "ATR Community (via NVIDIA garak in-the-wild corpus)"
 date: "2026/04/19"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: experimental
+maturity: test
 severity: high
 references:
   owasp_llm: