agent-threat-rules 2.2.1 → 3.1.0

package/dist/engine.d.ts

@@ -11,7 +11,7 @@
  *
  * @module agent-threat-rules/engine
  */
-import type { ATRRule, ATRMatch, AgentEvent, ATRVerdict, ActionResult, ScanResult } from './types.js';
+import type { ATRRule, ATRMatch, AgentEvent, ATRVerdict, ActionResult, ScanResult, ATRLanguage, ATRSemanticJudge } from './types.js';
 import type { SessionTracker } from './session-tracker.js';
 import type { ActionExecutor } from './action-executor.js';
 import type { SkillFingerprintStore } from './skill-fingerprint.js';
@@ -68,6 +68,8 @@ export interface ATREngineConfig {
     embeddingModule?: EmbeddingModule;
     /** Optional Layer 3: Semantic LLM-as-judge analysis (requires API key) */
     semanticModule?: SemanticLayerConfig;
+    /** Optional rule-level semantic judge for detection.method=semantic rules */
+    semanticJudge?: ATRSemanticJudge;
     /** Optional: detection reporter for feeding results to ATR Threat Cloud */
     reporter?: ATRReporter;
 }
@@ -99,11 +101,33 @@ export declare class ATREngine {
      * Returns all matching rules with details.
      */
     evaluate(event: AgentEvent): ATRMatch[];
+    /**
+     * Async evaluation path that supports rule-level method=semantic dispatch.
+     *
+     * The synchronous evaluate() method remains pattern-only for compatibility.
+     * Consumers that configure semanticJudge should call evaluateAsync() or
+     * evaluateWithVerdict(), which delegates here when a semantic judge exists.
+     */
+    evaluateAsync(event: AgentEvent): Promise<ATRMatch[]>;
     /**
      * Evaluate a single rule against an event.
      * Supports both array-format and named-map-format conditions.
      */
     private evaluateRule;
+    /** Evaluate a rule using pattern-mode conditions, regardless of detection.method. */
+    private evaluatePatternRule;
+    /**
+     * Async variant that supports method=semantic with an injected judge.
+     * For trace/pattern/signature/behavioral methods, defers to the sync path.
+     */
+    private evaluateRuleAsync;
+    /**
+     * Minimal signature-method evaluator (atr-method-v1.1.md §5).
+     * Walks detection.signature.indicators against event.fields with the
+     * specified match_logic. Hash-typed indicators expect event.fields to
+     * contain pre-computed hex hashes at the indicated target_field.
+     */
+    private evaluateSignatureMethod;
     /**
      * Evaluate array-format conditions: [{field, operator, value}, ...]
      * with condition: "any" | "all"
@@ -214,9 +238,50 @@ export declare class ATREngine {
      * Code-block suppression and FP denylist applied in evaluate().
      */
     scanSkill(content: string): ATRMatch[];
+    /**
+     * Async SKILL.md scan that supports method=semantic rules through semanticJudge.
+     */
+    scanSkillAsync(content: string): Promise<ATRMatch[]>;
     /** Scan a SKILL.md file and return a unified ScanResult with content_hash. */
     scanSkillFull(content: string, filePath?: string): ScanResult;
+    /** Async SKILL.md scan result with semantic rule support. */
+    scanSkillFullAsync(content: string, filePath?: string): Promise<ScanResult>;
     /** Evaluate an MCP agent event and return a unified ScanResult with content_hash. */
     evaluateFull(event: AgentEvent, filePath?: string): ScanResult;
+    /** Async MCP event scan result with semantic rule support. */
+    evaluateFullAsync(event: AgentEvent, filePath?: string): Promise<ScanResult>;
 }
+/**
+ * Heuristic dominant-script detection for v3.0 multilingual dispatch.
+ *
+ * Counts Unicode-block code points and returns the BCP-47 tag of the
+ * dominant script. Used to skip language-tagged conditions whose
+ * declared language does not match the input \u2014 pure optimisation, never
+ * affects correctness of language-untagged rules.
+ *
+ * Disambiguation:
+ *  - Han script: split via simplified-only vs traditional-only indicator
+ *    char sets. Tie / both zero \u2192 defaults to 'zh-Hant'.
+ *  - Latin script: 'es' if Spanish-specific punctuation/diacritics
+ *    (\u00F1, \u00BF, \u00A1) detected, else 'en'.
+ *  - Empty / pure ASCII without Spanish markers \u2192 'en'.
+ *
+ * Exported for unit testing; not part of the public API surface.
+ */
+export declare function detectInputLanguage(text: string): ATRLanguage;
+/**
+ * Decide whether a condition with `language: condLang` should be evaluated
+ * against an input whose detected language is `inputLang`.
+ *
+ * Rules:
+ *  - condLang undefined (no language field) \u2192 always evaluate (v2.x compat)
+ *  - condLang === inputLang \u2192 evaluate
+ *  - Han-script ambiguity: if input is Han and condLang is the other
+ *    Chinese variant, still evaluate (the cheap detector cannot reliably
+ *    split zh-Hant vs zh-Hans, so we err on inclusion)
+ *  - Otherwise \u2192 skip (return false)
+ *
+ * Exported for unit testing; not part of the public API surface.
+ */
+export declare function conditionLanguageMatches(condLang: ATRLanguage | undefined, inputLang: ATRLanguage): boolean;
 //# sourceMappingURL=engine.d.ts.map

package/dist/engine.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../src/engine.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EACV,OAAO,EACP,QAAQ,EACR,UAAU,EAGV,UAAU,EACV,YAAY,EACZ,UAAU,EAEX,MAAM,YAAY,CAAC;AAKpB,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAE3D,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAEpE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAQlE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAE9D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AA0G9D;;;;;;;;;GASG;AACH,MAAM,WAAW,WAAW;IAC1B,uEAAuE;IACvE,QAAQ,CAAC,WAAW,EAAE,CAAC,MAAM,EAAE,kBAAkB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3E,+DAA+D;IAC/D,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,MAAM,EAAE,cAAc,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACrE;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,yFAAyF;IACzF,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,eAAe;IAC9B,+CAA+C;IAC/C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,kDAAkD;IAClD,KAAK,CAAC,EAAE,OAAO,EAAE,CAAC;IAClB,sEAAsE;IACtE,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC,0EAA0E;IAC1E,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IACpC,mEAAmE;IACnE,iBAAiB,CAAC,EAAE,iBAAiB,CAAC;IACtC,0EAA0E;IAC1E,gBAAgB,CAAC,EAAE,qBAAqB,CAAC;IACzC,qFAAqF;IACrF,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,0EAA0E;IAC1E,cAAc,CAAC,EAAE,mBAAmB,CAAC;IACrC,2EAA2E;IAC3E,QAAQ,CAAC,EAAE,WAAW,CAAC;CACxB;AAED,qBAAa,SAAS;IAwBR,OAAO,CAAC,QAAQ,CAAC,MAAM;IAvBnC,OAAO,CAAC,KAAK,CAAiB;IAC9B,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAA4C;IAC7E,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAwB;IAE/D;;;OAGG;IACH,OAAO,CAAC,mBAAmB;gBAeE,MAAM,GAAE,eAAoB;IAUzD;;OAEG;IACG,SAAS,IAAI,OAAO,CAAC,MAAM,CAAC;IA2BlC;;OAEG;IACH,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI;IAMnC;;OAEG;IACH,OAAO,CAAC,IAAI,EAAE,OAAO,GAAG,IAAI;IAK5B;;;OAGG;IACH,QAAQ,CAAC,KAAK,EAAE,UAAU,GAAG,QAAQ,EAAE;IAiIvC;;;OAGG;IACH,OAAO,CAAC,YAAY;IAapB;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAwC/B;;OAEG;IACH,OAAO,CAAC,sBAAsB;IA8F9B;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAoC/B;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAiC9B;;OAEG;IACH,OAAO,CAAC,wBAAwB;IA8FhC;;;;;OAKG;IACH,OAAO,CAAC,0BAA0B;IAwBlC;;;;OAIG;IACH,OAAO,CAAC,2BAA2B;IAoBnC;;;OAGG;IACH,OAAO,CAAC,kBAAkB;IAgC1B;;;OAGG;IACH,OAAO,CAAC,aAAa;IAiBrB;;;;;;;;OAQG;IACH,OAAO,CAAC,yBAAyB;IAmBjC;;;OAGG;IACH,OAAO,CAAC,6BAA6B;IAyErC;;OAEG;IACH,OAAO,CAAC,2BAA2B;IA4BnC;;OAEG;IACH,OAAO,CAAC,YAAY;IAuCpB;;;OAGG;IACH,OAAO,CAAC,kBAAkB;IAsC1B;;OAEG;IACH,OAAO,CAAC,eAAe;IAgCvB;;;OAGG;IACH,OAAO,CAAC,eAAe;IAoDvB;;;;;OAKG;IACG,mBAAmB,CACvB,KAAK,EAAE,UAAU,EACjB,QAAQ,CAAC,EAAE,cAAc,GACxB,OAAO,CAAC;QACT,OAAO,EAAE,UAAU,CAAC;QACpB,aAAa,EAAE,SAAS,YAAY,EAAE,CAAC;QACvC,UAAU,EAAE,SAAS,MAAM,EAAE,CAAC;KAC/B,CAAC;IAuGF,4BAA4B;IAC5B,YAAY,IAAI,MAAM;IAItB,2BAA2B;IAC3B,QAAQ,IAAI,SAAS,OAAO,EAAE;IAI9B,uBAAuB;IACvB,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS;IAI5C,4BAA4B;IAC5B,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE;IAI/C;;;;;;;OAOG;IACH,SAAS,CAAC,OAAO,EAAE,MAAM,GAAG,QAAQ,EAAE;IA4BtC,8EAA8E;IAC9E,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,UAAU;IAa7D,qFAAqF;IACrF,YAAY,CAAC,KAAK,EAAE,UAAU,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,UAAU;CAgB/D"}
+{"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../src/engine.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EACV,OAAO,EACP,QAAQ,EACR,UAAU,EAGV,UAAU,EACV,YAAY,EACZ,UAAU,EAEV,WAAW,EACX,gBAAgB,EACjB,MAAM,YAAY,CAAC;AAOpB,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAE3D,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAEpE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAQlE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAE9D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AA0G9D;;;;;;;;;GASG;AACH,MAAM,WAAW,WAAW;IAC1B,uEAAuE;IACvE,QAAQ,CAAC,WAAW,EAAE,CAAC,MAAM,EAAE,kBAAkB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3E,+DAA+D;IAC/D,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,MAAM,EAAE,cAAc,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACrE;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,yFAAyF;IACzF,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,eAAe;IAC9B,+CAA+C;IAC/C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,kDAAkD;IAClD,KAAK,CAAC,EAAE,OAAO,EAAE,CAAC;IAClB,sEAAsE;IACtE,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC,0EAA0E;IAC1E,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IACpC,mEAAmE;IACnE,iBAAiB,CAAC,EAAE,iBAAiB,CAAC;IACtC,0EAA0E;IAC1E,gBAAgB,CAAC,EAAE,qBAAqB,CAAC;IACzC,qFAAqF;IACrF,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,0EAA0E;IAC1E,cAAc,CAAC,EAAE,mBAAmB,CAAC;IACrC,6EAA6E;IAC7E,aAAa,CAAC,EAAE,gBAAgB,CAAC;IACjC,2EAA2E;IAC3E,QAAQ,CAAC,EAAE,WAAW,CAAC;CACxB;AAED,qBAAa,SAAS;IAwBR,OAAO,CAAC,QAAQ,CAAC,MAAM;IAvBnC,OAAO,CAAC,KAAK,CAAiB;IAC9B,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAA4C;IAC7E,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAwB;IAE/D;;;OAGG;IACH,OAAO,CAAC,mBAAmB;gBAeE,MAAM,GAAE,eAAoB;IAUzD;;OAEG;IACG,SAAS,IAAI,OAAO,CAAC,MAAM,CAAC;IA2BlC;;OAEG;IACH,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI;IAMnC;;OAEG;IACH,OAAO,CAAC,IAAI,EAAE,OAAO,GAAG,IAAI;IAK5B;;;OAGG;IACH,QAAQ,CAAC,KAAK,EAAE,UAAU,GAAG,QAAQ,EAAE;IAiIvC;;;;;;OAMG;IACG,aAAa,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,QAAQ,EAAE,CAAC;IA2G3D;;;OAGG;IACH,OAAO,CAAC,YAAY;IAyDpB,qFAAqF;IACrF,OAAO,CAAC,mBAAmB;IAY3B;;;OAGG;YACW,iBAAiB;IAgC/B;;;;;OAKG;IACH,OAAO,CAAC,uBAAuB;IAgC/B;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAwC/B;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAgH9B;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAoC/B;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAiC9B;;OAEG;IACH,OAAO,CAAC,wBAAwB;IA8FhC;;;;;OAKG;IACH,OAAO,CAAC,0BAA0B;IAwBlC;;;;OAIG;IACH,OAAO,CAAC,2BAA2B;IAoBnC;;;OAGG;IACH,OAAO,CAAC,kBAAkB;IAgC1B;;;OAGG;IACH,OAAO,CAAC,aAAa;IAiBrB;;;;;;;;OAQG;IACH,OAAO,CAAC,yBAAyB;IAmBjC;;;OAGG;IACH,OAAO,CAAC,6BAA6B;IAyErC;;OAEG;IACH,OAAO,CAAC,2BAA2B;IA4BnC;;OAEG;IACH,OAAO,CAAC,YAAY;IAuCpB;;;OAGG;IACH,OAAO,CAAC,kBAAkB;IAsC1B;;OAEG;IACH,OAAO,CAAC,eAAe;IAgCvB;;;OAGG;IACH,OAAO,CAAC,eAAe;IAoDvB;;;;;OAKG;IACG,mBAAmB,CACvB,KAAK,EAAE,UAAU,EACjB,QAAQ,CAAC,EAAE,cAAc,GACxB,OAAO,CAAC;QACT,OAAO,EAAE,UAAU,CAAC;QACpB,aAAa,EAAE,SAAS,YAAY,EAAE,CAAC;QACvC,UAAU,EAAE,SAAS,MAAM,EAAE,CAAC;KAC/B,CAAC;IA4GF,4BAA4B;IAC5B,YAAY,IAAI,MAAM;IAItB,2BAA2B;IAC3B,QAAQ,IAAI,SAAS,OAAO,EAAE;IAI9B,uBAAuB;IACvB,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS;IAI5C,4BAA4B;IAC5B,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE;IAI/C;;;;;;;OAOG;IACH,SAAS,CAAC,OAAO,EAAE,MAAM,GAAG,QAAQ,EAAE;IA4BtC;;OAEG;IACG,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,EAAE,CAAC;IA2B1D,8EAA8E;IAC9E,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,UAAU;IAa7D,6DAA6D;IACvD,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAajF,qFAAqF;IACrF,YAAY,CAAC,KAAK,EAAE,UAAU,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,UAAU;IAiB9D,8DAA8D;IACxD,iBAAiB,CAAC,KAAK,EAAE,UAAU,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;CAenF;AA+CD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,WAAW,CAwC7D;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,wBAAwB,CACtC,QAAQ,EAAE,WAAW,GAAG,SAAS,EACjC,SAAS,EAAE,WAAW,GACrB,OAAO,CAUT"}

package/dist/engine.js

@@ -15,6 +15,8 @@ import { existsSync } from 'node:fs';
 import { resolve } from 'node:path';
 import { computeContentHash } from './content-hash.js';
 import { loadRulesFromDirectory, loadRuleFile } from './loader.js';
+import { evaluateTraceRule } from './trace-evaluator.js';
+import { evaluateSemanticRule } from './semantic-evaluator.js';
 import { computeVerdict } from './verdict.js';
 import { SemanticModule } from './modules/semantic.js';
 import { resolveSkillId, runFingerprintLayer, shouldRunSemanticLayer, createSemanticModuleFromConfig, runSemanticLayer, } from './layer-integration.js';
@@ -316,20 +318,243 @@ export class ATREngine {
         }
         return sorted;
     }
+    /**
+     * Async evaluation path that supports rule-level method=semantic dispatch.
+     *
+     * The synchronous evaluate() method remains pattern-only for compatibility.
+     * Consumers that configure semanticJudge should call evaluateAsync() or
+     * evaluateWithVerdict(), which delegates here when a semantic judge exists.
+     */
+    async evaluateAsync(event) {
+        const matches = [];
+        const eventSourceType = EVENT_TYPE_TO_SOURCE[event.type];
+        const allMatchedPatterns = [];
+        const sessionId = event.sessionId;
+        // Tier 0: Invariant enforcement (hard boundaries, pre-check)
+        if (this.config.invariantChecker) {
+            const violations = this.config.invariantChecker.check(event);
+            if (violations.length > 0) {
+                if (this.config.sessionTracker && sessionId) {
+                    this.config.sessionTracker.recordEvent(sessionId, event, ['tier0-invariant-deny']);
+                }
+                return violations.map((v) => this.config.invariantChecker.buildDenyMatch(v));
+            }
+        }
+        // Tier 1: Blacklist lookup (known-bad skills)
+        if (this.config.blacklistProvider) {
+            const skillId = resolveBlacklistSkillId(event);
+            if (skillId) {
+                const entry = this.config.blacklistProvider.lookup(skillId);
+                if (entry) {
+                    matches.push(buildBlacklistMatch(entry));
+                }
+            }
+        }
+        // Tier 2: Pattern matching + async semantic rules
+        const isSkillContext = event.scanContext === 'skill';
+        for (const rule of this.rules) {
+            if (rule.status === 'deprecated' || rule.status === 'draft')
+                continue;
+            if (!isSkillContext && eventSourceType && rule.agent_source.type !== eventSourceType) {
+                if (!(rule.agent_source.type === 'mcp_exchange' && eventSourceType === 'tool_call')) {
+                    continue;
+                }
+            }
+            const matchResult = await this.evaluateRuleAsync(rule, event, this.config.semanticJudge);
+            if (matchResult) {
+                if (isSkillContext && rule.tags.scan_target !== 'skill' && rule.tags.scan_target !== 'both') {
+                    const totalConds = Number(rule.detection?.conditions?.length ?? 1);
+                    const minRequired = Math.max(2, Math.ceil(totalConds * 0.3));
+                    if ((matchResult.matchedConditions?.length ?? 0) < minRequired) {
+                        continue;
+                    }
+                }
+                matches.push(matchResult);
+                allMatchedPatterns.push(...matchResult.matchedPatterns);
+            }
+        }
+        // Record event in session tracker (always, for cross-event sequence detection)
+        if (this.config.sessionTracker && sessionId) {
+            this.config.sessionTracker.recordEvent(sessionId, event, allMatchedPatterns);
+        }
+        // Layer 2: Skill behavioral fingerprinting (optional, no LLM)
+        const fingerprintStore = this.config.fingerprintStore;
+        if (fingerprintStore) {
+            const skillId = resolveSkillId(event);
+            if (skillId) {
+                const layer2Matches = runFingerprintLayer(fingerprintStore, event, skillId);
+                matches.push(...layer2Matches);
+            }
+        }
+        const sorted = matches.sort((a, b) => {
+            const severityOrder = { critical: 0, high: 1, medium: 2, low: 3, informational: 4 };
+            const aSev = severityOrder[a.rule.severity] ?? 4;
+            const bSev = severityOrder[b.rule.severity] ?? 4;
+            if (aSev !== bSev)
+                return aSev - bSev;
+            return b.confidence - a.confidence;
+        });
+        if (this.config.reporter) {
+            const hash = computeContentHash(event.content ?? '');
+            const scanTarget = isSkillContext ? 'skill' : (event.type ?? 'unknown');
+            const now = new Date().toISOString();
+            if (sorted.length > 0) {
+                for (const match of sorted) {
+                    this.config.reporter.onDetection({
+                        ruleId: match.rule.id,
+                        severity: match.rule.severity,
+                        scanTarget,
+                        category: match.rule.tags?.category ?? 'unknown',
+                        confidence: match.confidence,
+                        timestamp: now,
+                        contentHash: hash,
+                    });
+                }
+            }
+            else if (this.config.reporter.onClean) {
+                this.config.reporter.onClean({
+                    rulesEvaluated: this.rules.length,
+                    scanTarget,
+                    timestamp: now,
+                    contentHash: hash,
+                });
+            }
+        }
+        return sorted;
+    }
     /**
      * Evaluate a single rule against an event.
      * Supports both array-format and named-map-format conditions.
      */
     evaluateRule(rule, event) {
+        const { detection } = rule;
+        // v1.1: method-based dispatch. Default is 'pattern' for backward compat.
+        const method = detection.method ?? 'pattern';
+        // method=trace — evaluate via trace-evaluator if event carries a trace.
+        if (method === 'trace') {
+            if (!event.trace) {
+                // Event does not carry trace; rule cannot evaluate. Per spec §9,
+                // engines without the capability skip silently rather than fail.
+                return null;
+            }
+            const result = evaluateTraceRule(rule, event.trace);
+            if (!result.matched)
+                return null;
+            const baseConfidence = rule.tags.confidence === 'high' ? 0.9 : rule.tags.confidence === 'medium' ? 0.7 : 0.5;
+            return {
+                rule,
+                matchedConditions: result.matchedPrimitives.map((p) => `trace.${p}`),
+                matchedPatterns: result.violations,
+                confidence: baseConfidence,
+                timestamp: new Date().toISOString(),
+                scan_context: 'native',
+            };
+        }
+        // method=semantic — async path is not used in the sync evaluate() API.
+        // Engines that implement semantic must use evaluateAsync (see below) or
+        // wire a synchronous judge. Pattern fallback applies here.
+        if (method === 'semantic') {
+            // If the rule has fallback_method=pattern, evaluate pattern conditions
+            // synchronously. Otherwise skip because the judge path is async-only.
+            if (detection.semantic?.fallback_method === 'pattern') {
+                return this.evaluatePatternRule(rule, event);
+            }
+            return null;
+        }
+        // method=signature — sub-millisecond exact-match path. For v1.1, we
+        // do a minimal in-engine check: walk indicators, hash-compare to
+        // event fields. Full impl is deferred; for now treat as non-matching
+        // unless caller has hashed event.fields appropriately.
+        if (method === 'signature') {
+            return this.evaluateSignatureMethod(rule, event);
+        }
+        // method=behavioral — windowed metric evaluation. Requires state across
+        // multiple events; the sync evaluate() API cannot maintain state.
+        // Skip silently; behavioral evaluation belongs in a separate streaming path.
+        if (method === 'behavioral') {
+            return null;
+        }
+        // Default: pattern method (v1.0 evaluation path).
+        return this.evaluatePatternRule(rule, event);
+    }
+    /** Evaluate a rule using pattern-mode conditions, regardless of detection.method. */
+    evaluatePatternRule(rule, event) {
         const { detection } = rule;
         const conditions = detection.conditions;
         const allMatchedPatterns = [];
-        // Detect format: array or named map
         if (Array.isArray(conditions)) {
             return this.evaluateArrayConditions(rule, conditions, detection.condition, event, allMatchedPatterns);
         }
         return this.evaluateNamedConditions(rule, conditions, detection.condition, event, allMatchedPatterns);
     }
+    /**
+     * Async variant that supports method=semantic with an injected judge.
+     * For trace/pattern/signature/behavioral methods, defers to the sync path.
+     */
+    async evaluateRuleAsync(rule, event, judge) {
+        const method = rule.detection.method ?? 'pattern';
+        if (method === 'semantic') {
+            const effectiveJudge = judge ?? this.config.semanticJudge;
+            const result = await evaluateSemanticRule(rule, event.content, { judge: effectiveJudge });
+            if (!result.matched) {
+                if (result.reason?.includes('fallback_pattern')) {
+                    return this.evaluatePatternRule(rule, event);
+                }
+                return null;
+            }
+            const matchedPatterns = [
+                ...(result.category ? [result.category] : []),
+                ...(result.evidence ? [result.evidence] : []),
+            ];
+            return {
+                rule,
+                matchedConditions: ['semantic'],
+                matchedPatterns,
+                confidence: result.confidence ?? 0.5,
+                timestamp: new Date().toISOString(),
+                scan_context: 'native',
+            };
+        }
+        // For non-semantic methods, fall back to sync path.
+        return this.evaluateRule(rule, event);
+    }
+    /**
+     * Minimal signature-method evaluator (atr-method-v1.1.md §5).
+     * Walks detection.signature.indicators against event.fields with the
+     * specified match_logic. Hash-typed indicators expect event.fields to
+     * contain pre-computed hex hashes at the indicated target_field.
+     */
+    evaluateSignatureMethod(rule, event) {
+        const sig = rule.detection.signature;
+        if (!sig || !Array.isArray(sig.indicators) || sig.indicators.length === 0)
+            return null;
+        const matchLogic = sig.match_logic ?? 'any';
+        const matched = [];
+        for (const ind of sig.indicators) {
+            const actual = event.fields?.[ind.target_field];
+            if (actual === undefined)
+                continue;
+            // Hash types: case-insensitive hex compare. Others: case-sensitive string compare.
+            const isHashType = ind.type === 'sha256' || ind.type === 'sha512' || ind.type === 'blake2b-256';
+            const a = isHashType ? actual.toLowerCase() : actual;
+            const b = isHashType ? ind.value.toLowerCase() : ind.value;
+            if (a === b)
+                matched.push(`${ind.type}:${ind.value}`);
+        }
+        const violated = matchLogic === 'all'
+            ? matched.length === sig.indicators.length
+            : matched.length > 0;
+        if (!violated)
+            return null;
+        return {
+            rule,
+            matchedConditions: matched.map((_, i) => String(i)),
+            matchedPatterns: matched,
+            confidence: 1.0, // exact match
+            timestamp: new Date().toISOString(),
+            scan_context: 'native',
+        };
+    }
     /**
      * Evaluate array-format conditions: [{field, operator, value}, ...]
      * with condition: "any" | "all"
@@ -378,12 +603,28 @@ export class ATREngine {
         const field = cond['field'];
         const operator = cond['operator'];
         const value = cond['value'];
+        const condLang = cond['language'];
         if (!field || !operator || value === undefined)
             return false;
         const rawFieldValue = this.resolveField(field, event);
         if (!rawFieldValue)
             return false;
-        const fieldValue = normalizeUnicode(rawFieldValue);
+        // v3.0 multilingual dispatch: skip language-tagged conditions whose
+        // declared language doesn't match the input's dominant script. Pure
+        // optimisation — language-untagged conditions remain unaffected.
+        if (condLang !== undefined) {
+            const inputLang = detectInputLanguage(rawFieldValue);
+            if (!conditionLanguageMatches(condLang, inputLang))
+                return false;
+        }
+        // Non-English conditions normalise with NFKC (aggressive) so full-width
+        // Latin evasion inside CJK/Arabic text (e.g. "ｉｇｎｏｒｅ" embedded in a
+        // Chinese prompt) is caught. English conditions retain NFC for
+        // backwards compatibility with v2.x rules whose regex sometimes
+        // distinguishes full-width vs half-width characters.
+        const fieldValue = condLang !== undefined && condLang !== 'en'
+            ? normalizeUnicodeAggressive(rawFieldValue)
+            : normalizeUnicode(rawFieldValue);
         switch (operator) {
             case 'regex': {
                 // Code-block suppression for array-format rules with explicit opt-in.
@@ -964,7 +1205,12 @@ export class ATREngine {
      */
     async evaluateWithVerdict(event, executor) {
         const layersUsed = ['layer1-regex'];
-        let matches = this.evaluate(event);
+        let matches = this.config.semanticJudge
+            ? await this.evaluateAsync(event)
+            : this.evaluate(event);
+        if (this.config.semanticJudge) {
+            layersUsed.push('method-semantic');
+        }
         // Tier 0 + Tier 1 run inside evaluate(), track them
         if (this.config.invariantChecker)
             layersUsed.push('tier0-invariant');
@@ -1102,6 +1348,32 @@ export class ATREngine {
         }
         return matches;
     }
+    /**
+     * Async SKILL.md scan that supports method=semantic rules through semanticJudge.
+     */
+    async scanSkillAsync(content) {
+        const baseEvent = {
+            type: 'mcp_exchange',
+            timestamp: new Date().toISOString(),
+            sessionId: 'skill-scan',
+            fields: {},
+            scanContext: 'skill',
+        };
+        const baseMatches = await this.evaluateAsync({ ...baseEvent, content });
+        const decodedBlocks = decodeBase64Blocks(content);
+        const decodedMatches = [];
+        for (const block of decodedBlocks) {
+            const blockMatches = await this.evaluateAsync({ ...baseEvent, content: block });
+            for (const m of blockMatches) {
+                decodedMatches.push({
+                    ...m,
+                    matchedPatterns: [...m.matchedPatterns, '[decoded:base64]'],
+                });
+            }
+        }
+        // Do not mutate the array returned by evaluateAsync — build a fresh result.
+        return [...baseMatches, ...decodedMatches];
+    }
     /** Scan a SKILL.md file and return a unified ScanResult with content_hash. */
     scanSkillFull(content, filePath) {
         const matches = this.scanSkill(content);
@@ -1115,6 +1387,19 @@ export class ATREngine {
             threat_count: matches.length,
         };
     }
+    /** Async SKILL.md scan result with semantic rule support. */
+    async scanSkillFullAsync(content, filePath) {
+        const matches = await this.scanSkillAsync(content);
+        return {
+            scan_type: 'skill',
+            content_hash: computeContentHash(content),
+            input_file: filePath,
+            timestamp: new Date().toISOString(),
+            rules_loaded: this.rules.length,
+            matches,
+            threat_count: matches.length,
+        };
+    }
     /** Evaluate an MCP agent event and return a unified ScanResult with content_hash. */
     evaluateFull(event, filePath) {
         const matches = this.evaluate(event);
@@ -1132,6 +1417,22 @@ export class ATREngine {
             threat_count: matches.length,
         };
     }
+    /** Async MCP event scan result with semantic rule support. */
+    async evaluateFullAsync(event, filePath) {
+        const matches = await this.evaluateAsync(event);
+        const hashInput = event.fields
+            ? event.content + '\0' + JSON.stringify(event.fields)
+            : event.content;
+        return {
+            scan_type: 'mcp',
+            content_hash: computeContentHash(hashInput),
+            input_file: filePath,
+            timestamp: new Date().toISOString(),
+            rules_loaded: this.rules.length,
+            matches,
+            threat_count: matches.length,
+        };
+    }
 }
 function escapeRegex(str) {
     return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
@@ -1146,12 +1447,128 @@ function normalizeRegex(pattern) {
 /**
  * Normalize Unicode text to NFC form and strip zero-width characters.
  * This prevents evasion via combining characters, zero-width joiners, etc.
+ *
+ * NFC was chosen over NFKC to preserve writer intent \u2014 full-width letters
+ * (\uFF21\uFF22\uFF23 vs ABC) remain distinct so rules that explicitly target full-width
+ * evasion can still match. For aggressive normalization use
+ * `normalizeUnicodeAggressive()`.
  */
 function normalizeUnicode(text) {
     return text
         .normalize('NFC')
         .replace(/[\u200B\u200C\u200D\uFEFF\u2060\u180E\u200E\u200F\u202A-\u202E\u2066-\u2069]/g, '');
 }
+/**
+ * Aggressive NFKC normalization for evasion-aware matching.
+ *
+ * NFKC collapses compatibility characters: full-width \uFF21\uFF22\uFF23 \u2192 ABC,
+ * circled \u2460 \u2192 1, superscript \u00B2 \u2192 2. Use when a rule needs to match
+ * regardless of presentational tricks. Always strips zero-width + bidi
+ * override characters too.
+ *
+ * Currently invoked only via the v3.0 multilingual dispatch path for inputs
+ * whose dominant script is non-Latin \u2014 full-width Latin in CJK text is a
+ * known evasion vector.
+ */
+function normalizeUnicodeAggressive(text) {
+    return text
+        .normalize('NFKC')
+        .replace(/[\u200B\u200C\u200D\uFEFF\u2060\u180E\u200E\u200F\u202A-\u202E\u2066-\u2069]/g, '');
+}
+/**
+ * Heuristic dominant-script detection for v3.0 multilingual dispatch.
+ *
+ * Counts Unicode-block code points and returns the BCP-47 tag of the
+ * dominant script. Used to skip language-tagged conditions whose
+ * declared language does not match the input \u2014 pure optimisation, never
+ * affects correctness of language-untagged rules.
+ *
+ * Disambiguation:
+ *  - Han script: split via simplified-only vs traditional-only indicator
+ *    char sets. Tie / both zero \u2192 defaults to 'zh-Hant'.
+ *  - Latin script: 'es' if Spanish-specific punctuation/diacritics
+ *    (\u00F1, \u00BF, \u00A1) detected, else 'en'.
+ *  - Empty / pure ASCII without Spanish markers \u2192 'en'.
+ *
+ * Exported for unit testing; not part of the public API surface.
+ */
+export function detectInputLanguage(text) {
+    if (!text)
+        return 'en';
+    // Simplified-only common chars (rough but cheap).
+    const SIMP_ONLY = /[\u56FD\u5B66\u65F6\u8FD9\u4EEC\u8BF4\u8BA9\u8BF7\u8FD0\u52A8\u6765\u4E2A\u4E07\u53D1\u5173\u73B0\u5B9E\u89C1\u4E49\u9F99\u4E1C\u8F66\u4E66]/;
+    // Traditional-only common chars.
+    const TRAD_ONLY = /[\u570B\u5B78\u6642\u9019\u5011\u8AAA\u8B93\u8ACB\u904B\u52D5\u4F86\u500B\u842C\u767C\u95DC\u73FE\u5BE6\u898B\u7FA9\u9F8D\u6771\u8ECA\u66F8]/;
+    // Spanish-distinguishing characters.
+    const ES_MARKER = /[\u00F1\u00D1\u00BF\u00A1\u00E1\u00E9\u00ED\u00F3\u00FA\u00FC\u00C1\u00C9\u00CD\u00D3\u00DA\u00DC]/;
+    let han = 0;
+    let hira = 0;
+    let kata = 0;
+    let arabic = 0;
+    for (const ch of text) {
+        const cp = ch.codePointAt(0);
+        if (cp === undefined)
+            continue;
+        if (cp >= 0x4e00 && cp <= 0x9fff)
+            han++;
+        else if (cp >= 0x3040 && cp <= 0x309f)
+            hira++;
+        else if (cp >= 0x30a0 && cp <= 0x30ff)
+            kata++;
+        else if (cp >= 0x0600 && cp <= 0x06ff)
+            arabic++;
+        else if (cp >= 0x0750 && cp <= 0x077f)
+            arabic++; // Arabic supplement
+        else if (cp >= 0xfb50 && cp <= 0xfdff)
+            arabic++; // Arabic presentation A
+        else if (cp >= 0xfe70 && cp <= 0xfeff)
+            arabic++; // Arabic presentation B
+    }
+    if (arabic > 0)
+        return 'ar';
+    if (hira > 0 || kata > 0)
+        return 'ja';
+    if (han > 0) {
+        const hasSimp = SIMP_ONLY.test(text);
+        const hasTrad = TRAD_ONLY.test(text);
+        if (hasSimp && !hasTrad)
+            return 'zh-Hans';
+        if (hasTrad && !hasSimp)
+            return 'zh-Hant';
+        // Tie or no disambiguation chars \u2192 default zh-Hant.
+        // Downstream: callers should evaluate both zh-Hant and zh-Hans conditions
+        // when this is the case (handled in conditionLanguageMatches below).
+        return 'zh-Hant';
+    }
+    if (ES_MARKER.test(text))
+        return 'es';
+    return 'en';
+}
+/**
+ * Decide whether a condition with `language: condLang` should be evaluated
+ * against an input whose detected language is `inputLang`.
+ *
+ * Rules:
+ *  - condLang undefined (no language field) \u2192 always evaluate (v2.x compat)
+ *  - condLang === inputLang \u2192 evaluate
+ *  - Han-script ambiguity: if input is Han and condLang is the other
+ *    Chinese variant, still evaluate (the cheap detector cannot reliably
+ *    split zh-Hant vs zh-Hans, so we err on inclusion)
+ *  - Otherwise \u2192 skip (return false)
+ *
+ * Exported for unit testing; not part of the public API surface.
+ */
+export function conditionLanguageMatches(condLang, inputLang) {
+    if (condLang === undefined)
+        return true;
+    if (condLang === inputLang)
+        return true;
+    if ((condLang === 'zh-Hant' && inputLang === 'zh-Hans') ||
+        (condLang === 'zh-Hans' && inputLang === 'zh-Hant')) {
+        return true;
+    }
+    return false;
+}
 /** Maximum input length for regex evaluation to mitigate ReDoS */
 const MAX_EVAL_LENGTH = 100_000;
 /**