governance-sdk 0.5.0

package/dist/injection-detect.js

@@ -0,0 +1,175 @@
+/**
+ * Prompt Injection Detection — zero-dependency, pattern-based.
+ *
+ * Detects common prompt injection patterns in agent inputs.
+ * Pattern definitions are in injection-patterns.ts.
+ *
+ * @example
+ * ```ts
+ * import { detectInjection, createInjectionGuard } from 'governance-sdk/injection-detect';
+ *
+ * const result = detectInjection('Ignore previous instructions...');
+ * // { detected: true, score: 0.85, patterns: ['instruction_override'], ... }
+ *
+ * const guard = createInjectionGuard({ threshold: 0.5 });
+ * gov.addRule(guard);
+ * ```
+ */
+import { BUILTIN_PATTERNS } from "./injection-patterns.js";
+/** Default max input length: 100KB */
+const DEFAULT_MAX_INPUT_LENGTH = 100_000;
+// ─── Detection Engine ───────────────────────────────────────────
+/** Strip zero-width characters and normalize Unicode for consistent matching */
+function normalizeInput(input) {
+    // Remove zero-width characters (U+200B, U+200C, U+200D, U+FEFF, U+00AD)
+    const stripped = input.replace(/[\u200B-\u200D\uFEFF\u00AD\u2060\u180E]/g, "");
+    // Normalize Unicode to NFC form
+    return stripped.normalize("NFC");
+}
+/** Base64 regex: 16+ base64 chars with optional padding, not a common word */
+const BASE64_RE = /[A-Za-z0-9+/]{16,}={0,2}/g;
+/** Try to decode base64 strings in input; returns decoded text or null */
+function tryDecodeBase64(encoded) {
+    try {
+        const decoded = atob(encoded);
+        // Only accept if result is printable ASCII/UTF-8
+        if (/^[\x20-\x7E\t\n\r]+$/.test(decoded) && decoded.length >= 4) {
+            return decoded;
+        }
+    }
+    catch { /* not valid base64 */ }
+    return null;
+}
+/**
+ * Detect prompt injection patterns in text input.
+ * Returns a score from 0 (no injection) to 1 (certain injection).
+ *
+ * Note: This is a heuristic pattern matcher, not an LLM classifier.
+ * It catches known syntactic patterns but cannot detect novel semantic attacks.
+ * For high-security deployments, layer this with an LLM-based classifier.
+ */
+export function detectInjection(input, config = {}) {
+    const maxLen = config.maxInputLength ?? DEFAULT_MAX_INPUT_LENGTH;
+    if (input.length > maxLen) {
+        return {
+            detected: true,
+            score: 1,
+            patterns: ["input_too_large"],
+            categories: ["system_prompt"],
+            summary: `Input exceeds maximum length (${input.length} > ${maxLen})`,
+            inputLength: input.length,
+        };
+    }
+    const threshold = config.threshold ?? 0.5;
+    const skipCategories = new Set(config.skipCategories ?? []);
+    const allPatterns = [
+        ...BUILTIN_PATTERNS,
+        ...(config.customPatterns ?? []),
+    ].filter((p) => !skipCategories.has(p.category));
+    const normalized = normalizeInput(input);
+    const matchedPatterns = [];
+    const matchedCategories = new Set();
+    let maxWeight = 0;
+    // Scan the original input
+    for (const pattern of allPatterns) {
+        if (pattern.pattern.test(normalized)) {
+            matchedPatterns.push(pattern.id);
+            matchedCategories.add(pattern.category);
+            if (pattern.weight > maxWeight)
+                maxWeight = pattern.weight;
+        }
+    }
+    // Decode any base64 strings and scan the decoded content too
+    const b64Matches = normalized.match(BASE64_RE) ?? [];
+    for (const b64 of b64Matches) {
+        const decoded = tryDecodeBase64(b64);
+        if (!decoded)
+            continue;
+        for (const pattern of allPatterns) {
+            if (pattern.pattern.test(decoded) && !matchedPatterns.includes(pattern.id + ":decoded")) {
+                matchedPatterns.push(pattern.id + ":decoded");
+                matchedCategories.add(pattern.category);
+                // Boost weight for encoded attacks — deliberate obfuscation
+                const boosted = Math.min(1, pattern.weight + 0.1);
+                if (boosted > maxWeight)
+                    maxWeight = boosted;
+            }
+        }
+    }
+    // Score = highest weight + boosts for multiple matches/categories
+    const additionalBoost = matchedPatterns.length > 1
+        ? Math.min(0.1, (matchedPatterns.length - 1) * 0.02)
+        : 0;
+    const categoryBoost = matchedCategories.size > 1
+        ? Math.min(0.1, (matchedCategories.size - 1) * 0.03)
+        : 0;
+    const score = Math.min(1, maxWeight + additionalBoost + categoryBoost);
+    const detected = score >= threshold;
+    const categories = Array.from(matchedCategories);
+    let summary;
+    if (!detected)
+        summary = "No injection detected";
+    else if (score >= 0.8)
+        summary = `High-confidence injection attempt: ${categories.join(", ")}`;
+    else if (score >= 0.5)
+        summary = `Possible injection attempt: ${categories.join(", ")}`;
+    else
+        summary = `Low-confidence injection signals: ${categories.join(", ")}`;
+    return {
+        detected,
+        score: Math.round(score * 100) / 100,
+        patterns: matchedPatterns,
+        categories,
+        summary,
+        inputLength: input.length,
+    };
+}
+// ─── Policy Integration ─────────────────────────────────────────
+/**
+ * Create a policy rule that blocks actions containing prompt injection.
+ * Examines `ctx.input` for injection patterns.
+ */
+export function createInjectionGuard(config) {
+    const threshold = config?.threshold ?? 0.5;
+    const priority = config?.priority ?? 110;
+    return {
+        id: "injection-guard",
+        name: "Prompt Injection Guard",
+        condition: {
+            type: "injection_guard",
+            params: {
+                threshold,
+                skipCategories: config?.skipCategories ?? [],
+            },
+        },
+        outcome: "block",
+        reason: `Prompt injection detected (threshold: ${threshold})`,
+        priority,
+        enabled: true,
+        stage: "preprocess",
+    };
+}
+/** Extract all string values from a nested object. */
+function extractStrings(obj) {
+    const strings = [];
+    function walk(value) {
+        if (typeof value === "string")
+            strings.push(value);
+        else if (Array.isArray(value))
+            value.forEach(walk);
+        else if (value !== null && typeof value === "object") {
+            Object.values(value).forEach(walk);
+        }
+    }
+    walk(obj);
+    // Also test concatenation of all fields to catch cross-field injection splitting
+    if (strings.length > 1) {
+        strings.push(strings.join(" "));
+    }
+    return strings;
+}
+/** Get all built-in injection patterns. */
+export function getBuiltinPatterns() {
+    return [...BUILTIN_PATTERNS];
+}
+//# sourceMappingURL=injection-detect.js.map

package/dist/injection-detect.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"injection-detect.js","sourceRoot":"","sources":["../src/injection-detect.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AA8B3D,sCAAsC;AACtC,MAAM,wBAAwB,GAAG,OAAO,CAAC;AAUzC,mEAAmE;AAEnE,gFAAgF;AAChF,SAAS,cAAc,CAAC,KAAa;IACnC,wEAAwE;IACxE,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,0CAA0C,EAAE,EAAE,CAAC,CAAC;IAC/E,gCAAgC;IAChC,OAAO,QAAQ,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;AACnC,CAAC;AAED,8EAA8E;AAC9E,MAAM,SAAS,GAAG,2BAA2B,CAAC;AAE9C,0EAA0E;AAC1E,SAAS,eAAe,CAAC,OAAe;IACtC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC;QAC9B,iDAAiD;QACjD,IAAI,sBAAsB,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YAChE,OAAO,OAAO,CAAC;QACjB,CAAC;IACH,CAAC;IAAC,MAAM,CAAC,CAAC,sBAAsB,CAAC,CAAC;IAClC,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,eAAe,CAC7B,KAAa,EACb,SAAkC,EAAE;IAEpC,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,IAAI,wBAAwB,CAAC;IACjE,IAAI,KAAK,CAAC,MAAM,GAAG,MAAM,EAAE,CAAC;QAC1B,OAAO;YACL,QAAQ,EAAE,IAAI;YACd,KAAK,EAAE,CAAC;YACR,QAAQ,EAAE,CAAC,iBAAiB,CAAC;YAC7B,UAAU,EAAE,CAAC,eAAoC,CAAC;YAClD,OAAO,EAAE,iCAAiC,KAAK,CAAC,MAAM,MAAM,MAAM,GAAG;YACrE,WAAW,EAAE,KAAK,CAAC,MAAM;SAC1B,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,IAAI,GAAG,CAAC;IAC1C,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,cAAc,IAAI,EAAE,CAAC,CAAC;IAE5D,MAAM,WAAW,GAAG;QAClB,GAAG,gBAAgB;QACnB,GAAG,CAAC,MAAM,CAAC,cAAc,IAAI,EAAE,CAAC;KACjC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;IAEjD,MAAM,UAAU,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;IACzC,MAAM,eAAe,GAAa,EAAE,CAAC;IACrC,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAAqB,CAAC;IACvD,IAAI,SAAS,GAAG,CAAC,CAAC;IAElB,0BAA0B;IAC1B,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE,CAAC;QAClC,IAAI,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;YACrC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;YACjC,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;YACxC,IAAI,OAAO,CAAC,MAAM,GAAG,SAAS;gBAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC;QAC7D,CAAC;IACH,CAAC;IAED,6DAA6D;IAC7D,MAAM,UAAU,GAAG,UAAU,CAAC,KAAK,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;IACrD,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,MAAM,OAAO,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,CAAC,OAAO;YAAE,SAAS;QACvB,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE,CAAC;YAClC,IAAI,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,GAAG,UAAU,CAAC,EAAE,CAAC;gBACxF,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,GAAG,UAAU,CAAC,CAAC;gBAC9C,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;gBACxC,4DAA4D;gBAC5D,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC;gBAClD,IAAI,OAAO,GAAG,SAAS;oBAAE,SAAS,GAAG,OAAO,CAAC;YAC/C,CAAC;QACH,CAAC;IACH,CAAC;IAED,kEAAkE;IAClE,MAAM,eAAe,GAAG,eAAe,CAAC,MAAM,GAAG,CAAC;QAChD,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC;QACpD,CAAC,CAAC,CAAC,CAAC;IACN,MAAM,aAAa,GAAG,iBAAiB,CAAC,IAAI,GAAG,CAAC;QAC9C,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,iBAAiB,CAAC,IAAI,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC;QACpD,CAAC,CAAC,CAAC,CAAC;IAEN,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,GAAG,eAAe,GAAG,aAAa,CAAC,CAAC;IACvE,MAAM,QAAQ,GAAG,KAAK,IAAI,SAAS,CAAC;IACpC,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAEjD,IAAI,OAAe,CAAC;IACpB,IAAI,CAAC,QAAQ;QAAE,OAAO,GAAG,uBAAuB,CAAC;SAC5C,IAAI,KAAK,IAAI,GAAG;QAAE,OAAO,GAAG,sCAAsC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;SAC1F,IAAI,KAAK,IAAI,GAAG;QAAE,OAAO,GAAG,+BAA+B,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;;QACnF,OAAO,GAAG,qCAAqC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;IAE5E,OAAO;QACL,QAAQ;QACR,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,GAAG,CAAC,GAAG,GAAG;QACpC,QAAQ,EAAE,eAAe;QACzB,UAAU;QACV,OAAO;QACP,WAAW,EAAE,KAAK,CAAC,MAAM;KAC1B,CAAC;AACJ,CAAC;AAED,mEAAmE;AAEnE;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAEpC;IACC,MAAM,SAAS,GAAG,MAAM,EAAE,SAAS,IAAI,GAAG,CAAC;IAC3C,MAAM,QAAQ,GAAG,MAAM,EAAE,QAAQ,IAAI,GAAG,CAAC;IAEzC,OAAO;QACL,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,wBAAwB;QAC9B,SAAS,EAAE;YACT,IAAI,EAAE,iBAAiB;YACvB,MAAM,EAAE;gBACN,SAAS;gBACT,cAAc,EAAE,MAAM,EAAE,cAAc,IAAI,EAAE;aAC7C;SACF;QACD,OAAO,EAAE,OAAO;QAChB,MAAM,EAAE,yCAAyC,SAAS,GAAG;QAC7D,QAAQ;QACR,OAAO,EAAE,IAAI;QACb,KAAK,EAAE,YAAqB;KAC7B,CAAC;AACJ,CAAC;AAED,sDAAsD;AACtD,SAAS,cAAc,CAAC,GAA4B;IAClD,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,SAAS,IAAI,CAAC,KAAc;QAC1B,IAAI,OAAO,KAAK,KAAK,QAAQ;YAAE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;aAC9C,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;YAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;aAC9C,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YACrD,MAAM,CAAC,MAAM,CAAC,KAAgC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;IACD,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,iFAAiF;IACjF,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAClC,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,2CAA2C;AAC3C,MAAM,UAAU,kBAAkB;IAChC,OAAO,CAAC,GAAG,gBAAgB,CAAC,CAAC;AAC/B,CAAC"}

package/dist/injection-patterns-ext.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Extended injection patterns — obfuscation and advanced attacks.
+ * Separated to keep each file under 300 LOC.
+ */
+import type { InjectionPattern } from "./injection-detect.js";
+export declare const EXTENDED_PATTERNS: InjectionPattern[];
+//# sourceMappingURL=injection-patterns-ext.d.ts.map

package/dist/injection-patterns-ext.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"injection-patterns-ext.d.ts","sourceRoot":"","sources":["../src/injection-patterns-ext.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAE9D,eAAO,MAAM,iBAAiB,EAAE,gBAAgB,EAkE/C,CAAC"}

package/dist/injection-patterns-ext.js

@@ -0,0 +1,71 @@
+/**
+ * Extended injection patterns — obfuscation and advanced attacks.
+ * Separated to keep each file under 300 LOC.
+ */
+export const EXTENDED_PATTERNS = [
+    // ─── Obfuscation ───────────────────────────────────────────────
+    {
+        id: "zero_width_chars",
+        category: "obfuscation",
+        pattern: /[\u200B\u200C\u200D\uFEFF]{2,}/,
+        weight: 0.7,
+        description: "Multiple zero-width characters (likely obfuscation)",
+    },
+    {
+        id: "rtl_override",
+        category: "obfuscation",
+        pattern: /[\u202E\u202D]/,
+        weight: 0.85,
+        description: "Right-to-left override markers (text direction attack)",
+    },
+    {
+        id: "bidi_control",
+        category: "obfuscation",
+        pattern: /[\u202A-\u202E\u2066-\u2069]+/,
+        weight: 0.7,
+        description: "Bidirectional control characters",
+    },
+    {
+        id: "char_insertion",
+        category: "obfuscation",
+        pattern: /\bi[\s._-]g[\s._-]n[\s._-]o[\s._-]r[\s._-]e\b/i,
+        weight: 0.85,
+        description: "Character insertion obfuscation (i_g_n_o_r_e)",
+    },
+    {
+        id: "homoglyph_ignore",
+        category: "obfuscation",
+        pattern: /[ΙІі]gn[oοо]re?|ign[οо]re/i,
+        weight: 0.85,
+        description: "Homoglyph attack on 'ignore' (Greek/Cyrillic substitution)",
+    },
+    {
+        id: "excessive_spacing",
+        category: "obfuscation",
+        pattern: /\w+\s{4,}\w+.*\w+\s{4,}\w+/,
+        weight: 0.5,
+        description: "Excessive spacing between words (obfuscation attempt)",
+    },
+    {
+        id: "fullwidth_latin",
+        category: "obfuscation",
+        pattern: /[\uFF21-\uFF3A\uFF41-\uFF5A]{3,}/,
+        weight: 0.7,
+        description: "Full-width Unicode Latin characters (visual obfuscation)",
+    },
+    {
+        id: "uncommon_spaces",
+        category: "obfuscation",
+        pattern: /[\u2000-\u200A\u202F\u205F]{2,}/,
+        weight: 0.6,
+        description: "Uncommon Unicode space characters",
+    },
+    {
+        id: "zalgo_text",
+        category: "obfuscation",
+        pattern: /[\u0300-\u036F]{3,}/,
+        weight: 0.7,
+        description: "Zalgo text (excessive combining diacriticals)",
+    },
+];
+//# sourceMappingURL=injection-patterns-ext.js.map

package/dist/injection-patterns-ext.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"injection-patterns-ext.js","sourceRoot":"","sources":["../src/injection-patterns-ext.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,MAAM,CAAC,MAAM,iBAAiB,GAAuB;IACnD,kEAAkE;IAElE;QACE,EAAE,EAAE,kBAAkB;QACtB,QAAQ,EAAE,aAAa;QACvB,OAAO,EAAE,gCAAgC;QACzC,MAAM,EAAE,GAAG;QACX,WAAW,EAAE,qDAAqD;KACnE;IACD;QACE,EAAE,EAAE,cAAc;QAClB,QAAQ,EAAE,aAAa;QACvB,OAAO,EAAE,gBAAgB;QACzB,MAAM,EAAE,IAAI;QACZ,WAAW,EAAE,wDAAwD;KACtE;IACD;QACE,EAAE,EAAE,cAAc;QAClB,QAAQ,EAAE,aAAa;QACvB,OAAO,EAAE,+BAA+B;QACxC,MAAM,EAAE,GAAG;QACX,WAAW,EAAE,kCAAkC;KAChD;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,QAAQ,EAAE,aAAa;QACvB,OAAO,EAAE,gDAAgD;QACzD,MAAM,EAAE,IAAI;QACZ,WAAW,EAAE,+CAA+C;KAC7D;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,QAAQ,EAAE,aAAa;QACvB,OAAO,EAAE,4BAA4B;QACrC,MAAM,EAAE,IAAI;QACZ,WAAW,EAAE,4DAA4D;KAC1E;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,QAAQ,EAAE,aAAa;QACvB,OAAO,EAAE,4BAA4B;QACrC,MAAM,EAAE,GAAG;QACX,WAAW,EAAE,uDAAuD;KACrE;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,QAAQ,EAAE,aAAa;QACvB,OAAO,EAAE,kCAAkC;QAC3C,MAAM,EAAE,GAAG;QACX,WAAW,EAAE,0DAA0D;KACxE;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,QAAQ,EAAE,aAAa;QACvB,OAAO,EAAE,iCAAiC;QAC1C,MAAM,EAAE,GAAG;QACX,WAAW,EAAE,mCAAmC;KACjD;IACD;QACE,EAAE,EAAE,YAAY;QAChB,QAAQ,EAAE,aAAa;QACvB,OAAO,EAAE,qBAAqB;QAC9B,MAAM,EAAE,GAAG;QACX,WAAW,EAAE,+CAA+C;KAC7D;CACF,CAAC"}

package/dist/injection-patterns.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Built-in prompt injection detection patterns.
+ *
+ * Patterns across 7 categories. Each pattern targets ADVERSARIAL intent,
+ * not just keyword presence. Weights are calibrated so single benign matches
+ * stay below threshold (0.5) while real attacks that combine signals get caught.
+ *
+ * Design principles:
+ * - Require adversarial context (possessive "your", system-targeting language)
+ * - Low individual weights (0.2-0.5) — attacks combine, benign text doesn't
+ * - Higher weights (0.7+) only for patterns that are NEVER legitimate
+ */
+import type { InjectionPattern } from "./injection-detect.js";
+export declare const BUILTIN_PATTERNS: InjectionPattern[];
+//# sourceMappingURL=injection-patterns.d.ts.map

package/dist/injection-patterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"injection-patterns.d.ts","sourceRoot":"","sources":["../src/injection-patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAG9D,eAAO,MAAM,gBAAgB,EAAE,gBAAgB,EA8W9C,CAAC"}

package/dist/injection-patterns.js

@@ -0,0 +1,361 @@
+/**
+ * Built-in prompt injection detection patterns.
+ *
+ * Patterns across 7 categories. Each pattern targets ADVERSARIAL intent,
+ * not just keyword presence. Weights are calibrated so single benign matches
+ * stay below threshold (0.5) while real attacks that combine signals get caught.
+ *
+ * Design principles:
+ * - Require adversarial context (possessive "your", system-targeting language)
+ * - Low individual weights (0.2-0.5) — attacks combine, benign text doesn't
+ * - Higher weights (0.7+) only for patterns that are NEVER legitimate
+ */
+import { EXTENDED_PATTERNS } from "./injection-patterns-ext.js";
+export const BUILTIN_PATTERNS = [
+    // ─── Instruction Override ────────────────────────────────────────
+    // These target attempts to redirect the AI's behavior.
+    // Key: require possessive/system-targeting words to avoid matching
+    // normal business use of "ignore", "instructions", etc.
+    {
+        id: "ignore_previous",
+        category: "instruction_override",
+        pattern: /\bignore\s+(?:(?:all|the)\s+)?(?:previous|prior|above|earlier|preceding)\s+(?:instructions?|prompts?|rules?|guidelines?|directives?|commands?|context)\b/i,
+        weight: 0.7,
+        description: "Attempts to override previous instructions",
+    },
+    {
+        id: "disregard_instructions",
+        category: "instruction_override",
+        pattern: /\bdisregard\s+(?:(?:all|the|any|your)\s+)?(?:previous\s+|prior\s+|above\s+|system\s+)?(?:instructions?|prompts?|rules?|guidelines?)\b/i,
+        weight: 0.7,
+        description: "Attempts to disregard instructions",
+    },
+    {
+        id: "forget_everything",
+        category: "instruction_override",
+        pattern: /\bforget\s+(?:everything|all)\s+(?:you\s+)?(?:know|were told|learned|have been told)\b/i,
+        weight: 0.6,
+        description: "Attempts to reset agent memory/context",
+    },
+    {
+        id: "new_instructions",
+        category: "instruction_override",
+        pattern: /\b(?:your\s+)?new\s+(?:instructions?|directives?)\s*(?:are|is|:)/i,
+        weight: 0.5,
+        description: "Attempts to inject new instructions",
+    },
+    {
+        id: "do_not_follow",
+        category: "instruction_override",
+        pattern: /\b(?:do\s+not|don't)\s+(?:follow|comply\s+with|obey|adhere\s+to)\s+(?:your|the|any|previous|any\s+of\s+your(?:\s+previous)?)\s+(?:instructions?|rules?|guidelines?|programming|constraints?|restrictions?)\b/i,
+        weight: 0.6,
+        description: "Directly tells agent to not follow rules",
+    },
+    {
+        id: "override_system",
+        category: "instruction_override",
+        pattern: /\b(?:override|bypass|circumvent|disable)\s+(?:your|the|all|any)?\s*(?:system|safety|security|content)\s*(?:prompt|instructions?|filters?|rules?|restrictions?|policies?|guidelines?)\b/i,
+        weight: 0.8,
+        description: "Explicit system override attempt",
+    },
+    {
+        id: "suppress_warnings",
+        category: "instruction_override",
+        pattern: /\b(?:do\s+not|don't)\s+(?:respond|reply)\s+with\s+(?:any\s+)?(?:safety\s+)?(?:warnings?|disclaimers?|caveats?|refusals?)\b/i,
+        weight: 0.5,
+        description: "Attempts to suppress safety warnings",
+    },
+    {
+        id: "never_refuse",
+        category: "instruction_override",
+        pattern: /\b(?:never\s+refuse\s+(?:to\s+)?(?:answer|comply|respond)|always\s+(?:comply|obey)\s+(?:with\s+)?(?:my|any|all|every)\s+(?:requests?|commands?))\b/i,
+        weight: 0.7,
+        description: "Demands unconditional compliance",
+    },
+    // ─── Role Manipulation ──────────────────────────────────────────
+    // These target attempts to redefine the AI's identity.
+    // Key: require role-play/pretend framing + restriction removal.
+    // "Act as the primary contact" (business) vs "Act as if you have no rules" (attack).
+    {
+        id: "act_as_unrestricted",
+        category: "role_manipulation",
+        pattern: /\b(?:act|behave|respond|pretend|roleplay)\s+(?:as\s+(?:if|though)\s+you\s+(?:are|were|have|had)\s+(?:no|without|free\s+from|an?\s+\w+\s+(?:with\s+)?(?:no|without))\s+(?:restrictions?|limitations?|rules?|filters?|boundaries|guidelines?|safety))\b/i,
+        weight: 0.8,
+        description: "Role-play to remove restrictions",
+    },
+    {
+        id: "jailbreak_dan",
+        category: "role_manipulation",
+        pattern: /\b(?:DAN|do\s+anything\s+now|developer\s+mode|jailbreak|god\s+mode|sudo\s+mode|unrestricted\s+mode|unfiltered\s+mode|uncensored\s+mode)\b/i,
+        weight: 0.9,
+        description: "Known jailbreak pattern (DAN/developer mode)",
+    },
+    {
+        id: "pretend_no_restrictions",
+        category: "role_manipulation",
+        pattern: /\bpretend\s+(?:that\s+)?(?:you\s+)?(?:have\s+)?(?:no|without|zero)\s+(?:restrictions?|limitations?|rules?|filters?|boundaries|guidelines?|safety)\b/i,
+        weight: 0.8,
+        description: "Asks agent to pretend it has no restrictions",
+    },
+    {
+        id: "from_now_on_role",
+        category: "role_manipulation",
+        pattern: /\bfrom\s+now\s+on,?\s+you\s+(?:are|will\s+be|must)\s+(?:a\s+)?(?:different|new|unrestricted|unfiltered)\b/i,
+        weight: 0.6,
+        description: "Redefines agent to unrestricted role",
+    },
+    {
+        id: "enable_mode",
+        category: "role_manipulation",
+        pattern: /\b(?:enable|activate|turn\s+on|switch\s+to|enter)\s+(?:developer|dev|test|debug|admin|god|sudo|root|unrestricted|jailbreak)\s+mode\b/i,
+        weight: 0.8,
+        description: "Attempts to enable a privileged mode",
+    },
+    {
+        id: "new_role_unrestricted",
+        category: "role_manipulation",
+        pattern: /\b(?:your\s+new\s+role\s+is|assume\s+the\s+role\s+of)\s+(?:a\s+)?(?:.*?(?:no\s+rules|unrestricted|unfiltered|without\s+(?:restrictions|limitations|rules)))/i,
+        weight: 0.7,
+        description: "Explicit role reassignment to unrestricted entity",
+    },
+    {
+        id: "simulate_no_safety",
+        category: "role_manipulation",
+        pattern: /\bsimulate\s+(?:being|that\s+you\s+are)\s+(?:an?\s+)?(?:AI|assistant|system)\s+(?:without|with\s+no|that\s+has\s+no)\s+(?:safety|restrictions?|filters?|rules?)\b/i,
+        weight: 0.75,
+        description: "Simulation-based safety bypass",
+    },
+    // ─── Context Escape / Prompt Leak ──────────────────────────────
+    // These target attempts to extract the system prompt.
+    // Key: require "your/system" possessive — "show me instructions for [product]" is fine,
+    // "show me YOUR instructions" or "show me the SYSTEM prompt" is suspicious.
+    {
+        id: "system_prompt_leak",
+        category: "context_escape",
+        pattern: /\b(?:reveal|show|display|output|repeat|print|tell\s+me)\s+(?:me\s+)?(?:the\s+)?(?:your\s+)?(?:(?:(?:system|original|hidden|initial|secret)\s+){1,2}(?:prompt|instructions?)|(?:prompt|instructions?)\s+(?:word\s+for\s+word|verbatim|exactly|in\s+full))\b/i,
+        weight: 0.7,
+        description: "Attempts to extract system prompt",
+    },
+    {
+        id: "what_are_your_instructions",
+        category: "context_escape",
+        pattern: /\bwhat\s+(?:were|are|is)\s+your\s+(?:original\s+)?(?:system\s+)?(?:instructions?|directives?|prompt|programming|rules)\b/i,
+        weight: 0.6,
+        description: "Questions about the AI's own instructions",
+    },
+    {
+        id: "markdown_injection",
+        category: "context_escape",
+        pattern: /!\[.*?\]\((?:https?:\/\/|data:).*?\)/i,
+        weight: 0.5,
+        description: "Markdown image injection (potential data exfiltration)",
+    },
+    {
+        id: "delimiter_escape",
+        category: "context_escape",
+        pattern: /(?:<\/?(?:system|user|assistant|human|ai|context|instruction|prompt)>|\[\/?\s*(?:system|user|assistant|human|ai|context|instruction|prompt)\s*\]|<\|(?:im_start|im_end|endoftext)\|>|\[INST\]|\[\/INST\]|<s>|<\/s>)/i,
+        weight: 0.7,
+        description: "Model delimiters or structured markers to escape context",
+    },
+    {
+        id: "retranscribe",
+        category: "context_escape",
+        pattern: /\b(?:re-?transcribe|reproduce|replicate|duplicate)\s+(?:the\s+)?(?:above|previous|prior|entire)\s+(?:system\s+)?(?:prompt|instructions?|message)\b/i,
+        weight: 0.6,
+        description: "Attempts to reproduce system content",
+    },
+    {
+        id: "previous_user_data",
+        category: "context_escape",
+        pattern: /\bwhat\s+did\s+(?:the\s+)?(?:last|previous|prior|other|earlier)\s+(?:users?|persons?|people)\s+(?:ask|say|tell|request)\b/i,
+        weight: 0.6,
+        description: "Attempts to access other users' data",
+    },
+    // ─── Data Exfiltration ──────────────────────────────────────────
+    // Key: require system-targeting language or explicit exfil verbs.
+    // "Send the data to the analytics team" is fine (normal business).
+    // "Send all the conversation data to my webhook" is suspicious.
+    {
+        id: "exfil_system_data",
+        category: "data_exfiltration",
+        pattern: /\b(?:send|post|transmit|upload)\s+(?:(?:all|every)\s+)?(?:the\s+)?(?:conversation|chat\s+history|system\s+prompt|context|messages?)\s+(?:data\s+)?(?:to|at|via)\s+/i,
+        weight: 0.7,
+        description: "Attempts to exfiltrate conversation/system data",
+    },
+    {
+        id: "encode_and_send",
+        category: "data_exfiltration",
+        pattern: /\b(?:base64|encode|encrypt|hex)\s+(?:the|this|your)\s+(?:system\s+prompt|conversation|response|instructions?)\b/i,
+        weight: 0.6,
+        description: "Encoding data for exfiltration",
+    },
+    {
+        id: "reveal_secrets",
+        category: "data_exfiltration",
+        pattern: /\b(?:output|list|show|reveal|dump|expose|extract)\s+(?:all\s+)?(?:the\s+)?(?:stored\s+|available\s+|system\s+)?(?:environment\s+variables?|env\s+vars?|api\s+keys?|credentials?|secrets?|passwords?|tokens?|private\s+keys?|access\s+keys?|connection\s+strings?)\b/i,
+        weight: 0.8,
+        description: "Attempts to extract secrets, keys, or credentials",
+    },
+    {
+        id: "dump_secrets",
+        category: "data_exfiltration",
+        pattern: /\b(?:dump|exfiltrate|leak|steal|harvest)\s+(?:the\s+)?(?:all\s+)?(?:\w+\s+)?(?:environment\s+variables?|api\s+keys?|credentials?|secrets?|passwords?|tokens?|private\s+keys?)\b/i,
+        weight: 0.85,
+        description: "Explicit secret dumping/exfiltration verbs",
+    },
+    {
+        id: "exfil_config",
+        category: "data_exfiltration",
+        pattern: /\b(?:output|show|print|display|reveal|dump|cat)\s+(?:me\s+)?(?:the\s+)?(?:contents?\s+(?:of\s+)?)?(?:~\/|\.\/|\/)?(?:\.env\b|\.envrc\b|\.env\.local\b|\.aws\/|\.ssh\/|\/etc\/(?:passwd|shadow)|\.git\/config|\.npmrc|\.pypirc|kubeconfig)\b/i,
+        weight: 0.85,
+        description: "Attempts to read sensitive config files",
+    },
+    // ─── Encoding Attacks ───────────────────────────────────────────
+    // These patterns are rarely legitimate — high specificity.
+    {
+        id: "base64_payload",
+        category: "encoding_attack",
+        pattern: /\b(?:decode|execute|run|eval)[\s\w]*?(?:base64|b64|encoded|:)\s*[A-Za-z0-9+/]{16,}={0,2}/i,
+        weight: 0.7,
+        description: "Base64-encoded payload injection",
+    },
+    {
+        id: "base64_execute",
+        category: "encoding_attack",
+        pattern: /\b(?:decode|execute|run|eval)[\s\w]{0,20}:\s*[A-Za-z0-9+/]{16,}={0,2}\s*$/im,
+        weight: 0.75,
+        description: "Instruction to decode/execute an encoded payload",
+    },
+    {
+        id: "obfuscation_decode",
+        category: "encoding_attack",
+        pattern: /\b(?:decode|decrypt|decipher|translate\s+from)\s+(?:this\s+)?(?:base64|hex|rot13|binary|unicode|morse)\s+(?:and\s+)?(?:execute|follow|run|do|perform|obey)/i,
+        weight: 0.7,
+        description: "Instruction to decode obfuscated content and execute it",
+    },
+    {
+        id: "spell_backward",
+        category: "encoding_attack",
+        pattern: /\bspell(?:ed)?\s+(?:(?:it|this|that)\s+)?(?:backwards?|in\s+reverse)\s+(?:and\s+)?(?:execute|run|follow|do|perform|obey)\b/i,
+        weight: 0.7,
+        description: "Reverse-spelling obfuscation attack",
+    },
+    {
+        id: "unicode_homoglyph",
+        category: "encoding_attack",
+        pattern: /[\u0400-\u04FF\u0500-\u052F].*(?:ignore|override|system|admin)/i,
+        weight: 0.6,
+        description: "Unicode homoglyph attack (Cyrillic characters masking Latin)",
+    },
+    {
+        id: "raw_base64_blob",
+        category: "encoding_attack",
+        pattern: /[A-Za-z0-9+/]{40,}={0,2}/,
+        weight: 0.3,
+        description: "Suspicious base64-encoded blob",
+    },
+    {
+        id: "hex_escape_seq",
+        category: "encoding_attack",
+        pattern: /(?:\\x[0-9A-Fa-f]{2}){5,}/,
+        weight: 0.6,
+        description: "Hex escape sequence chain",
+    },
+    {
+        id: "unicode_escape_seq",
+        category: "encoding_attack",
+        pattern: /(?:\\u[0-9A-Fa-f]{4}){5,}/,
+        weight: 0.6,
+        description: "Unicode escape sequence chain",
+    },
+    {
+        id: "html_entity_seq",
+        category: "encoding_attack",
+        pattern: /(?:&#{1,2}[xX]?[0-9A-Fa-f]+;){5,}/,
+        weight: 0.6,
+        description: "HTML entity encoding chain",
+    },
+    {
+        id: "url_encoded_seq",
+        category: "encoding_attack",
+        pattern: /(?:%[0-9A-Fa-f]{2}){5,}/,
+        weight: 0.5,
+        description: "URL-encoded character chain",
+    },
+    {
+        id: "null_bytes",
+        category: "encoding_attack",
+        pattern: /\x00+/,
+        weight: 0.7,
+        description: "Null byte injection",
+    },
+    // ─── Social Engineering ─────────────────────────────────────────
+    // Key: require targeting the AI specifically, not just urgency/authority in general.
+    {
+        id: "authority_claim_override",
+        category: "social_engineering",
+        pattern: /\bi\s+am\s+(?:your|the)\s+(?:admin|administrator|developer|creator|owner)\b.*?\b(?:override|disable|remove|bypass|ignore|give\s+me|grant|elevate)\b/i,
+        weight: 0.7,
+        description: "Authority claim combined with override request",
+    },
+    {
+        id: "testing_bypass",
+        category: "social_engineering",
+        pattern: /(?:(?:for|this\s+is)\s+(?:a\s+)?test(?:ing)?).{0,40}?\b(?:override|bypass|disable|ignore|remove|skip)\s+(?:safety|security|filters?|restrictions?|rules?|guidelines?)\b/i,
+        weight: 0.6,
+        description: "Testing excuse to bypass restrictions",
+    },
+    // ─── Persistence Install ─────────────────────────────────────────
+    // Attempts to make overrides permanent across turns/sessions.
+    {
+        id: "persist_override",
+        category: "instruction_override",
+        pattern: /\b(?:remember|save|store|persist|keep)\s+(?:this\s+)?(?:as\s+)?(?:a\s+)?(?:permanent|forever|always|from\s+now\s+on)\s*(?:rule|instruction|override|setting)?\s*(?::\s*)?(?:skip|disable|ignore|bypass|override|grant|allow|comply)/i,
+        weight: 0.7,
+        description: "Attempts to persist a policy override across sessions",
+    },
+    {
+        id: "future_sessions",
+        category: "instruction_override",
+        pattern: /\b(?:for\s+all\s+future\s+(?:messages?|conversations?|sessions?)|from\s+this\s+point\s+forward|permanently)\s*[,:]?\s*(?:you\s+)?(?:have|are|will|must|should)\s+(?:admin|elevated|full|unrestricted|no\s+restrict)/i,
+        weight: 0.7,
+        description: "Claims permanent privilege escalation across sessions",
+    },
+    // ─── Delegation Forgery ─────────────────────────────────────────
+    // Fake claims of inter-agent authorization.
+    {
+        id: "agent_authorized",
+        category: "social_engineering",
+        pattern: /\b(?:(?:the\s+)?(?:supervisor|orchestrator|parent|admin|root|upstream)\s+agent\s+(?:has\s+)?(?:authorized|instructed|told|directed|delegated|sent)\s+(?:me\s+to|you\s+to)?|(?:priority|emergency)\s+override\s+from\s+(?:agent|supervisor|orchestrator))\b/i,
+        weight: 0.65,
+        description: "Claims authorization from a supervisor/parent agent",
+    },
+    {
+        id: "delegated_access",
+        category: "social_engineering",
+        pattern: /\b(?:my\s+(?:parent|supervisor)\s+agent\s+delegated|(?:the\s+)?delegation\s+(?:chain|token|certificate)\s+(?:grants?|authorizes?|gives?)\s+(?:me|this\s+agent)\s+(?:full|unrestricted|admin|elevated))\b/i,
+        weight: 0.65,
+        description: "Claims delegated access from parent agent",
+    },
+    // ─── Conditional/Temporal Triggers ──────────────────────────────
+    // Instructions that activate on conditions.
+    {
+        id: "conditional_action",
+        category: "instruction_override",
+        pattern: /\b(?:when(?:ever)?|after\s+\d+\s+(?:messages?|turns?)|next\s+time)\s+.{5,80}?\b(?:exfiltrate|dump\s+(?:all|the|stored)|reveal\s+(?:the\s+)?(?:system|hidden|secret)|output\s+(?:the\s+)?(?:system|prompt|secret)|send\s+(?:all|the)\s+(?:data|conversation|credentials?))\b/i,
+        weight: 0.6,
+        description: "Conditional trigger: malicious action activates on a condition",
+    },
+    // ─── Context Framing / Evaluator Manipulation ──────────────────
+    // Attempts to manipulate the safety classifier itself.
+    {
+        id: "classify_as_benign",
+        category: "instruction_override",
+        pattern: /\b(?:classify|label|mark|score|rate)\s+(?:this\s+)?(?:request|input|message|query)\s+as\s+(?:benign|safe|harmless|clean|non-malicious|legitimate)\b/i,
+        weight: 0.7,
+        description: "Attempts to manipulate the safety classifier's decision",
+    },
+    // ─── Extended patterns (obfuscation, etc.) ──────────────────────
+    ...EXTENDED_PATTERNS,
+];
+//# sourceMappingURL=injection-patterns.js.map