draft-protocol 1.1.0__tar.gz → 1.2.0__tar.gz

draft_protocol-1.2.0/CHANGELOG.md

@@ -0,0 +1,115 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [1.2.0] - 2026-03-08
+
+### Added
+- **5-Tier Classification** — TRIVIAL, LOOKUP, TASK, MULTI, CONSEQUENTIAL replace the 3-tier CASUAL/STANDARD/CONSEQUENTIAL system. Finer-grained governance matching actual task complexity.
+- **Open Elicitation Phase** — `open_elicitation()` adds unstructured intent gathering (Cognitive Interview) before dimension mapping for TASK+ tiers. Prevents anchoring bias.
+- **Assumption Quality Scoring** — `score_assumptions()` rates each assumption on falsifiability, impact, and novelty (0-1 each). Low-quality assumptions flagged for replacement.
+- **Ceremony Depth** — `get_ceremony_depth()` returns tier-appropriate governance visibility: invisible (TRIVIAL), tag (LOOKUP), semi_visible (TASK), visible (MULTI), full (CONSEQUENTIAL).
+- **Legacy Tier Compatibility** — CASUAL/STANDARD/CONSEQUENTIAL still accepted, auto-mapped to new tiers. `resolve_tier_override()` and `get_legacy_tier()` for bidirectional mapping.
+- **MCP Tool: `draft_open_elicit`** — open elicitation as a dedicated tool for TASK+ sessions.
+- 57 new tests covering 5-tier classification, open elicitation, ceremony depth, legacy compat, assumption scoring. Total suite: 197 tests.
+
+### Changed
+- Tier classification engine now uses 5-tier keyword sets with priority ordering (T4 > T3 > T2 > T1 > T0)
+- Extraction attack patterns moved from STANDARD_TRIGGERS to CONSEQUENTIAL_TRIGGERS (security fix)
+- `create_session()` auto-maps legacy tier names to 5-tier equivalents
+- Assumption count scales across 5 tiers: 0 (TRIVIAL), 1 (LOOKUP), 2 (TASK), 3 (MULTI), 5 (CONSEQUENTIAL)
+
+## [1.1.0] - 2026-03-07
+
+### Added
+- **Batch Operations** — `confirm_batch`, `quick_confirm_satisfied`, `verify_batch` reduce tool call overhead by 50-60% per session
+- **LLM-Powered Adversarial Assumptions** — when LLM is available, generates genuinely falsifiable claims instead of restating confirmed fields (fixes CF-011 rubber-stamp problem)
+- **Devil's Advocate at All Tiers** — scaled intensity: CASUAL 1-2, STANDARD 2-3, CONSEQUENTIAL 3-5 assumptions
+- **Hard Extraction Enforcement** — strips fabricated extracted text from AMBIGUOUS/MISSING fields in LLM assessments
+- **Escalation/De-escalation** — `escalate_tier` and `deescalate_tier` with audit trail and reason logging
+- **Collaborative Framing** — PEACE + Motivational Interviewing framing hints on all elicitation questions
+- **Perfunctory Confirmation Detection** — warns on repeated identical values, known rubber-stamp patterns (DFT-08)
+- **Session Analytics** — `elicitation_review` includes metrics: field counts, confidence distribution, assumption rejection rate
+- **M1.3 Closed Session Guards** — all engine functions reject operations on closed sessions
+- **M1.4 Tier Enum Validation** — strict tier validation at intake
+- **M1.5 Context Enrichment on Gate PASS** — gate results include full dimensional context
+- 35 new v1.1 feature tests + 25 hardening tests, total suite: 140 tests
+- 18 MCP tools (3 new: `draft_confirm_batch`, `draft_quick_confirm`, `draft_verify_batch`; 2 new: `draft_escalate`, `draft_deescalate`)
+
+### Changed
+- Assumption generation scales by tier instead of fixed count
+- Gate results include perfunctory warnings alongside blockers
+- Elicitation review returns analytics block with session-level metrics
+- Test suite expanded from 80 to 140 tests, zero regressions
+
+## [1.0.0] - 2026-02-27
+
+### Added
+- First stable release — all core features production-hardened
+- Python Semantic Release (PSR) automated CI/CD pipeline
+- Automated version bumps, changelogs, tagging, and PyPI publishing
+
+### Changed
+- Promoted from 0.x to 1.0 — API considered stable
+
+## [0.1.1] - 2026-02-25
+
+### Added
+- `RELEASING.md` — release gate checklist to prevent builder's blindness
+- Minimal working example (end-to-end transcript) in README
+- Conformance quick-scan index table at top of `CONFORMANCE.md`
+- `docs/architecture.md` — system design, pipeline flow, security model, file layout
+- `docs/api.md` — REST API reference with all endpoints, request/response examples
+- `examples/basic_usage.py` — library usage example (no server needed)
+- `tests/test_security.py` — prompt injection, bypass, input validation tests
+- `tests/test_rest.py` — REST API endpoint tests with mock handler
+- `Dockerfile` — production container (Python 3.13-slim, non-root, SSE default)
+- `docker-compose.example.yml` — example stack with DRAFT + Ollama
+- `.dockerignore` — keep Docker image clean
+- `.github/ISSUE_TEMPLATE/bug_report.yml` — structured bug report template
+- `.github/ISSUE_TEMPLATE/feature_request.yml` — structured feature request template
+- `.github/PULL_REQUEST_TEMPLATE.md` — PR checklist
+
+### Fixed
+- `rest.py` `/status` endpoint called nonexistent `storage.get_session_state()` — replaced with inline session + gate query
+- Documented Anthropic embeddings limitation (voyage model not supported, use `text-embedding-3-small` or Ollama)
+- Added localhost-only security warning to REST API docs
+
+### Changed
+- `docs/README.md` updated to documentation index linking all docs
+- `STRUCTURE.md` updated to reflect all new files
+
+## [0.1.0] - 2025-02-21
+
+### Added
+- 15 MCP tools for structured intent elicitation via FastMCP
+- Three-tier automatic classification: Casual, Standard, Consequential
+- Five-dimension mapping: Define, Rules, Artifacts, Flex, Test
+- Confirmation gate blocks execution until all fields verified
+- Assumptions surfacing with Devil's Advocate support
+- Dimension screening for non-mandatory dimensions (R, A, F)
+- Gate override with audit trail for founder use
+- Elicitation review with quality self-assessment
+- Multi-provider LLM support: Ollama, OpenAI, Anthropic, any OpenAI-compatible API
+- Auto-detection of provider from model name
+- Graceful degradation to keyword heuristics without LLM
+- Prompt extraction attack detection (OWASP LLM07)
+- Empty/whitespace input rejection at all entry points
+- Full SQLite audit trail
+- REST API with CORS for Chrome extension and HTTP clients
+- Chrome extension for any AI chat (ChatGPT, Claude, Gemini, etc.)
+- 46 tests covering security, lifecycle, governance, and provider configuration
+- AGENTS.md, RULES.md, STRUCTURE.md for AI agent compatibility
+- Professional repo infrastructure: CONTRIBUTING, SECURITY, CODE_OF_CONDUCT
+
+[Unreleased]: https://github.com/manifold-vectors/draft-protocol/compare/v1.2.0...HEAD
+[1.2.0]: https://github.com/manifold-vectors/draft-protocol/compare/v1.1.0...v1.2.0
+[1.1.0]: https://github.com/manifold-vectors/draft-protocol/compare/v1.0.0...v1.1.0
+[1.0.0]: https://github.com/manifold-vectors/draft-protocol/compare/v0.1.1...v1.0.0
+[0.1.1]: https://github.com/manifold-vectors/draft-protocol/compare/v0.1.0...v0.1.1
+[0.1.0]: https://github.com/manifold-vectors/draft-protocol/releases/tag/v0.1.0

{draft_protocol-1.1.0 → draft_protocol-1.2.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: draft-protocol
-Version: 1.1.0
+Version: 1.2.0
 Summary: DRAFT Protocol — Intake governance for AI tool calls. Ensures AI understands human intent before execution begins.
 Project-URL: Homepage, https://github.com/manifold-vectors/draft-protocol
 Project-URL: Documentation, https://github.com/manifold-vectors/draft-protocol#readme
@@ -56,7 +56,7 @@ pip install draft-protocol
 | **When it acts** | After the LLM responds | Before the LLM acts |
 | **What it checks** | Toxicity, format, policy | Intent, scope, assumptions |
 | **Failure mode** | Catches bad output, wastes the call | Prevents bad calls entirely |
-| **Evidence basis** | Synthetic benchmarks | 50+ real governed sessions |
+| **Evidence basis** | Synthetic benchmarks | 140 tests + governed sessions |
 | **Complementary?** | Yes | Yes — use both for defense-in-depth |
 
 ## The Problem
@@ -85,11 +85,22 @@ Each field is labeled **SATISFIED**, **AMBIGUOUS**, or **MISSING**. Ambiguous an
 
 Not every message needs the same scrutiny:
 
-- **CASUAL** — "What's the weather?" → Internal mapping only. No visible ceremony.
-- **STANDARD** — "Build a REST API" → Full pipeline. Questions for gaps. Assumptions surfaced.
-- **CONSEQUENTIAL** — "Restructure the auth system" → Maximum rigor. All dimensions mandatory. Devil's Advocate on assumptions. Quality review required.
+- **CASUAL** — "What's the weather?" → Internal mapping only. No visible ceremony. 1-2 lightweight assumptions.
+- **STANDARD** — "Build a REST API" → Full pipeline. Questions for gaps. Assumptions surfaced with light Devil's Advocate. Batch confirm for efficiency.
+- **CONSEQUENTIAL** — "Restructure the auth system" → Maximum rigor. All dimensions mandatory. 3-5 adversarial assumptions with full Devil's Advocate. Quality review required. Perfunctory confirmation detection.
 
-Tier classification is automatic (keyword matching + optional LLM), with manual override.
+Tier classification is automatic (keyword matching + optional LLM), with manual escalation/de-escalation.
+
+### What's New in v1.1
+
+- **Batch operations** — `confirm_batch`, `quick_confirm`, `verify_batch` cut tool call overhead by 50-60%
+- **Adversarial assumptions** — LLM-powered assumption generation creates genuinely falsifiable claims instead of restating confirmed fields
+- **Devil's Advocate at all tiers** — scaled intensity: 1-2 (casual), 2-3 (standard), 3-5 (consequential)
+- **Hard extraction enforcement** — strips fabricated text from ambiguous/missing fields
+- **Collaborative framing** — elicitation questions use PEACE + Motivational Interviewing framing
+- **Perfunctory detection** — warns on rubber-stamp confirmations ("yes", repeated values)
+- **Session analytics** — field counts, confidence distribution, assumption rejection rates
+- **Escalate/de-escalate** — manual tier changes with full audit trail
 
 ## Quick Start
 
@@ -301,15 +312,18 @@ Add the `env` block to any MCP client config above. With an LLM, DRAFT gets sema
 |------|---------|
 | `draft_intake` | Start a session. Classifies tier automatically. |
 | `draft_map` | Map all 5 dimensions against your context. |
-| `draft_elicit` | Generate questions for gaps. |
+| `draft_elicit` | Generate questions for gaps (with collaborative framing). |
 | `draft_confirm` | Record your answer for a field. |
-| `draft_assumptions` | Surface key assumptions as falsifiable claims. |
+| `draft_confirm_batch` | Confirm multiple fields in one call (50-60% fewer tool calls). |
+| `draft_quick_confirm` | Promote all auto-extracted fields to confirmed in one call. |
+| `draft_assumptions` | Surface key assumptions as falsifiable claims (tier-scaled DA). |
 | `draft_verify` | Confirm or reject an assumption. |
+| `draft_verify_batch` | Verify or reject multiple assumptions in one call. |
 | `draft_gate` | Check if all fields are confirmed. Blocks execution if not. |
-| `draft_review` | Quality self-assessment of the elicitation. |
+| `draft_review` | Quality self-assessment with session analytics. |
 | `draft_status` | View current session state. |
-| `draft_escalate` | Manually increase tier. |
-| `draft_deescalate` | Manually decrease tier (logged). |
+| `draft_escalate` | Manually increase tier (with audit trail). |
+| `draft_deescalate` | Manually decrease tier (logged, honored). |
 | `draft_unscreen` | Reverse a dimension marked N/A. |
 | `draft_add_assumption` | Add a manual or Devil's Advocate assumption. |
 | `draft_override` | Override a blocked gate (logged, auditable). |
@@ -383,6 +397,8 @@ curl -s -X POST http://127.0.0.1:8420/gate \
 DRAFT includes hardened input validation:
 - Empty/whitespace message rejection at intake
 - Minimum content threshold on field confirmations (prevents bypass)
+- Perfunctory confirmation detection — warns on rubber-stamp patterns (DFT-08)
+- Hard extraction enforcement — strips fabricated text from non-satisfied fields
 - Empty dimension detection at gate check
 - Prompt extraction pattern detection (OWASP LLM07) — automatically escalates suspicious messages
 - Full audit trail in SQLite (every tool call logged with timestamp)

{draft_protocol-1.1.0 → draft_protocol-1.2.0}/README.md

@@ -18,7 +18,7 @@ pip install draft-protocol
 | **When it acts** | After the LLM responds | Before the LLM acts |
 | **What it checks** | Toxicity, format, policy | Intent, scope, assumptions |
 | **Failure mode** | Catches bad output, wastes the call | Prevents bad calls entirely |
-| **Evidence basis** | Synthetic benchmarks | 50+ real governed sessions |
+| **Evidence basis** | Synthetic benchmarks | 140 tests + governed sessions |
 | **Complementary?** | Yes | Yes — use both for defense-in-depth |
 
 ## The Problem
@@ -47,11 +47,22 @@ Each field is labeled **SATISFIED**, **AMBIGUOUS**, or **MISSING**. Ambiguous an
 
 Not every message needs the same scrutiny:
 
-- **CASUAL** — "What's the weather?" → Internal mapping only. No visible ceremony.
-- **STANDARD** — "Build a REST API" → Full pipeline. Questions for gaps. Assumptions surfaced.
-- **CONSEQUENTIAL** — "Restructure the auth system" → Maximum rigor. All dimensions mandatory. Devil's Advocate on assumptions. Quality review required.
+- **CASUAL** — "What's the weather?" → Internal mapping only. No visible ceremony. 1-2 lightweight assumptions.
+- **STANDARD** — "Build a REST API" → Full pipeline. Questions for gaps. Assumptions surfaced with light Devil's Advocate. Batch confirm for efficiency.
+- **CONSEQUENTIAL** — "Restructure the auth system" → Maximum rigor. All dimensions mandatory. 3-5 adversarial assumptions with full Devil's Advocate. Quality review required. Perfunctory confirmation detection.
 
-Tier classification is automatic (keyword matching + optional LLM), with manual override.
+Tier classification is automatic (keyword matching + optional LLM), with manual escalation/de-escalation.
+
+### What's New in v1.1
+
+- **Batch operations** — `confirm_batch`, `quick_confirm`, `verify_batch` cut tool call overhead by 50-60%
+- **Adversarial assumptions** — LLM-powered assumption generation creates genuinely falsifiable claims instead of restating confirmed fields
+- **Devil's Advocate at all tiers** — scaled intensity: 1-2 (casual), 2-3 (standard), 3-5 (consequential)
+- **Hard extraction enforcement** — strips fabricated text from ambiguous/missing fields
+- **Collaborative framing** — elicitation questions use PEACE + Motivational Interviewing framing
+- **Perfunctory detection** — warns on rubber-stamp confirmations ("yes", repeated values)
+- **Session analytics** — field counts, confidence distribution, assumption rejection rates
+- **Escalate/de-escalate** — manual tier changes with full audit trail
 
 ## Quick Start
 
@@ -263,15 +274,18 @@ Add the `env` block to any MCP client config above. With an LLM, DRAFT gets sema
 |------|---------|
 | `draft_intake` | Start a session. Classifies tier automatically. |
 | `draft_map` | Map all 5 dimensions against your context. |
-| `draft_elicit` | Generate questions for gaps. |
+| `draft_elicit` | Generate questions for gaps (with collaborative framing). |
 | `draft_confirm` | Record your answer for a field. |
-| `draft_assumptions` | Surface key assumptions as falsifiable claims. |
+| `draft_confirm_batch` | Confirm multiple fields in one call (50-60% fewer tool calls). |
+| `draft_quick_confirm` | Promote all auto-extracted fields to confirmed in one call. |
+| `draft_assumptions` | Surface key assumptions as falsifiable claims (tier-scaled DA). |
 | `draft_verify` | Confirm or reject an assumption. |
+| `draft_verify_batch` | Verify or reject multiple assumptions in one call. |
 | `draft_gate` | Check if all fields are confirmed. Blocks execution if not. |
-| `draft_review` | Quality self-assessment of the elicitation. |
+| `draft_review` | Quality self-assessment with session analytics. |
 | `draft_status` | View current session state. |
-| `draft_escalate` | Manually increase tier. |
-| `draft_deescalate` | Manually decrease tier (logged). |
+| `draft_escalate` | Manually increase tier (with audit trail). |
+| `draft_deescalate` | Manually decrease tier (logged, honored). |
 | `draft_unscreen` | Reverse a dimension marked N/A. |
 | `draft_add_assumption` | Add a manual or Devil's Advocate assumption. |
 | `draft_override` | Override a blocked gate (logged, auditable). |
@@ -345,6 +359,8 @@ curl -s -X POST http://127.0.0.1:8420/gate \
 DRAFT includes hardened input validation:
 - Empty/whitespace message rejection at intake
 - Minimum content threshold on field confirmations (prevents bypass)
+- Perfunctory confirmation detection — warns on rubber-stamp patterns (DFT-08)
+- Hard extraction enforcement — strips fabricated text from non-satisfied fields
 - Empty dimension detection at gate check
 - Prompt extraction pattern detection (OWASP LLM07) — automatically escalates suspicious messages
 - Full audit trail in SQLite (every tool call logged with timestamp)

{draft_protocol-1.1.0 → draft_protocol-1.2.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "draft-protocol"
-version = "1.1.0"
+version = "1.2.0"
 description = "DRAFT Protocol — Intake governance for AI tool calls. Ensures AI understands human intent before execution begins."
 readme = "README.md"
 license = "Apache-2.0"

draft_protocol-1.2.0/scripts/tmp/run_lint.ps1

@@ -0,0 +1,3 @@
+Set-Location D:\VECTOR\draft-protocol
+python -m ruff check src\draft_protocol\engine.py src\draft_protocol\server.py src\draft_protocol\__init__.py
+Write-Host "EXIT: $LASTEXITCODE"

draft_protocol-1.2.0/scripts/tmp/run_new_tests.ps1

@@ -0,0 +1,3 @@
+Set-Location D:\VECTOR\draft-protocol
+python -m pytest tests\test_v1_1_features.py -v --tb=short 2>&1
+Write-Host "EXIT: $LASTEXITCODE"

draft_protocol-1.2.0/scripts/tmp/run_tests.ps1

@@ -0,0 +1,4 @@
+Set-Location D:\VECTOR\draft-protocol
+python -m ruff check src/ tests/ 2>&1
+Write-Output "---LINT DONE---"
+python -m pytest tests/ --tb=short -q 2>&1

{draft_protocol-1.1.0 → draft_protocol-1.2.0}/src/draft_protocol/__init__.py

@@ -13,21 +13,37 @@ Usage:
     from draft_protocol.providers import llm_available, embed_available
 """
 
-__version__ = "1.1.0"
+__version__ = "1.2.0"
 
 # Public API — importable from `draft_protocol` directly
 from draft_protocol.engine import (
     add_assumption,
     check_gate,
     classify_tier,
+    confirm_batch,
     confirm_field,
+    deescalate_tier,
     elicitation_review,
+    escalate_tier,
     generate_assumptions,
     generate_elicitation,
+    get_ceremony_depth,
+    get_legacy_tier,
     map_dimensions,
+    open_elicitation,
     override_gate,
+    quick_confirm_satisfied,
+    resolve_tier_override,
+    score_assumptions,
     unscreen_dimension,
     verify_assumption,
+    verify_batch,
+)
+from draft_protocol.extension_points import (
+    clear_all_hooks,
+    register_classify_hook,
+    register_post_gate_hook,
+    register_storage_path_hook,
 )
 from draft_protocol.providers import (
     embed_available,
@@ -44,16 +60,26 @@ __all__ = [
     "__version__",
     # Engine
     "classify_tier",
+    "resolve_tier_override",
+    "get_legacy_tier",
+    "get_ceremony_depth",
     "map_dimensions",
     "generate_elicitation",
+    "open_elicitation",
     "generate_assumptions",
+    "score_assumptions",
     "check_gate",
     "confirm_field",
+    "confirm_batch",
+    "quick_confirm_satisfied",
+    "verify_batch",
     "unscreen_dimension",
     "add_assumption",
     "override_gate",
     "verify_assumption",
     "elicitation_review",
+    "escalate_tier",
+    "deescalate_tier",
     # Storage
     "create_session",
     "get_session",
@@ -62,4 +88,9 @@ __all__ = [
     # Providers
     "llm_available",
     "embed_available",
+    # Extension Points
+    "register_classify_hook",
+    "register_post_gate_hook",
+    "register_storage_path_hook",
+    "clear_all_hooks",
 ]

{draft_protocol-1.1.0 → draft_protocol-1.2.0}/src/draft_protocol/config.py

@@ -29,6 +29,62 @@ if LLM_PROVIDER == "none" and LLM_MODEL:
     elif LLM_MODEL:
         LLM_PROVIDER = "ollama"  # Default to Ollama for unknown models
 
+# ── 5-Tier Classification (GDE v1 port) ───────────────────
+# Priority: T4 > T3 > T2 > T1 > T0 (highest risk wins)
+
+ALL_TIERS = ("TRIVIAL", "LOOKUP", "TASK", "MULTI", "CONSEQUENTIAL")
+
+TIER_RISK = {
+    "TRIVIAL": 0.0,
+    "LOOKUP": 0.1,
+    "TASK": 0.3,
+    "MULTI": 0.6,
+    "CONSEQUENTIAL": 0.9,
+}
+
+# Legacy tier mapping (backward compat)
+LEGACY_MAP = {
+    "CASUAL": "TRIVIAL",
+    "STANDARD": "TASK",
+    "CONSEQUENTIAL": "CONSEQUENTIAL",
+}
+
+# Reverse: new tier → legacy name (for systems expecting old names)
+TIER_TO_LEGACY = {
+    "TRIVIAL": "CASUAL",
+    "LOOKUP": "CASUAL",
+    "TASK": "STANDARD",
+    "MULTI": "STANDARD",
+    "CONSEQUENTIAL": "CONSEQUENTIAL",
+}
+
+# Per-tier DRAFT ceremony depth
+TIER_CEREMONY = {
+    "TRIVIAL": "invisible",      # No output — internal only
+    "LOOKUP": "tag",             # One-line classification tag
+    "TASK": "semi_visible",      # Summary line + quick_confirm path
+    "MULTI": "visible",          # Visible mapping + targeted elicitation (D+T min)
+    "CONSEQUENTIAL": "full",     # Full 7-step, DA, review mandatory
+}
+
+# Per-tier assumption counts
+TIER_ASSUMPTIONS = {
+    "TRIVIAL": 0,
+    "LOOKUP": 1,
+    "TASK": 2,
+    "MULTI": 3,
+    "CONSEQUENTIAL": 5,
+}
+
+# Per-tier Guardian rule sets
+TIER_GUARDIAN_RULES = {
+    "TRIVIAL": ["G1", "G3"],
+    "LOOKUP": ["G1", "G3"],
+    "TASK": ["G1", "G2", "G3", "G4", "G5", "G6", "G8"],
+    "MULTI": ["G1", "G2", "G3", "G4", "G5", "G6", "G7", "G8"],
+    "CONSEQUENTIAL": ["G1", "G2", "G3", "G4", "G5", "G6", "G7", "G8"],
+}
+
 # ── Tier Classification Triggers ──────────────────────────
 # Keyword-based fast path. LLM classification (if available) handles ambiguous cases.
 
@@ -53,6 +109,21 @@ CONSEQUENTIAL_TRIGGERS = [
     "production deployment",
     "security policy",
     "auth modification",
+    # Security: extraction-pattern triggers (OWASP LLM07) — always T4
+    "ignore previous instructions",
+    "ignore all previous",
+    "ignore above",
+    "repeat above",
+    "repeat everything",
+    "verbatim",
+    "system prompt",
+    "print environment",
+    "environment variables",
+    "show me your instructions",
+    "what are your rules",
+    "dump your config",
+    "reveal your prompt",
+    "debug mode",
 ]
 
 STANDARD_TRIGGERS = [
@@ -76,23 +147,56 @@ STANDARD_TRIGGERS = [
     "proposal",
     "pipeline",
     "workflow",
-    # Security: extraction-pattern triggers (OWASP LLM07)
-    "ignore previous instructions",
-    "ignore all previous",
-    "ignore above",
-    "repeat above",
-    "repeat everything",
-    "verbatim",
-    "system prompt",
-    "print environment",
-    "environment variables",
-    "show me your instructions",
-    "what are your rules",
-    "dump your config",
-    "reveal your prompt",
-    "debug mode",
 ]
 
+MULTI_TRIGGERS = [
+    "docker-compose",
+    "docker compose",
+    ".env",
+    "scheduled task",
+    "cron",
+    "qdrant",
+    "postgresql",
+    "postgres",
+    "sync",
+    "migrate",
+    "refactor",
+    "sweep",
+    "consolidate",
+    "rename",
+    "restructure",
+    "reorg",
+    "batch",
+    "across multiple",
+    "several files",
+    "cross-service",
+]
+
+LOOKUP_TRIGGERS = [
+    "what is",
+    "what are",
+    "check",
+    "status",
+    "how does",
+    "where is",
+    "which",
+    "show me",
+    "list",
+    "describe",
+    "explain",
+    "verify",
+    "look up",
+    "find",
+]
+
+TRIVIAL_PATTERNS = {
+    "yes", "no", "done", "ok", "okay", "sure", "thanks",
+    "thank you", "continue", "proceed", "go", "next",
+    "hi", "hello", "hey", "good morning", "good evening",
+    "bye", "goodbye", "got it", "noted", "roger",
+    "yep", "nope", "ack", "k", "y", "n",
+}
+
 # ── Dimensions ────────────────────────────────────────────
 # D and T are mandatory; R, A, F can be screened out when inapplicable.