stackone-defender 0.1.1__py3-none-any.whl

stackone_defender/__init__.py

@@ -0,0 +1,24 @@
+"""stackone-defender: Prompt injection defense for AI tool-calling.
+
+Usage:
+    from stackone_defender import create_prompt_defense
+
+    defense = create_prompt_defense(enable_tier2=True)
+    defense.warmup_tier2()
+
+    result = defense.defend_tool_result(tool_output, "gmail_get_message")
+    if not result.allowed:
+        print(f"Blocked: {result.risk_level}")
+"""
+
+from .core.prompt_defense import PromptDefense, create_prompt_defense
+from .types import DefenseResult, RiskLevel, Tier1Result, ToolSanitizationRule
+
+__all__ = [
+    "DefenseResult",
+    "PromptDefense",
+    "RiskLevel",
+    "Tier1Result",
+    "ToolSanitizationRule",
+    "create_prompt_defense",
+]

stackone_defender/classifiers/__init__.py

@@ -0,0 +1,12 @@
+"""Classifiers for prompt injection detection."""
+
+from .pattern_detector import PatternDetector, create_pattern_detector
+from .patterns import ALL_PATTERNS, FAST_FILTER_KEYWORDS, contains_filter_keywords
+
+__all__ = [
+    "ALL_PATTERNS",
+    "FAST_FILTER_KEYWORDS",
+    "PatternDetector",
+    "contains_filter_keywords",
+    "create_pattern_detector",
+]

stackone_defender/classifiers/onnx_classifier.py

@@ -0,0 +1,95 @@
+"""ONNX classifier for fine-tuned MiniLM prompt injection detection.
+
+Pipeline: text -> tokenizer -> ONNX Runtime -> logit -> sigmoid -> score
+"""
+
+from __future__ import annotations
+
+import math
+from pathlib import Path
+
+
+def _default_model_path() -> str:
+    """Return path to the bundled ONNX model directory."""
+    return str(Path(__file__).resolve().parent.parent / "models" / "minilm-full-aug")
+
+
+def _sigmoid(x: float) -> float:
+    return 1.0 / (1.0 + math.exp(-x))
+
+
+class OnnxClassifier:
+    """ONNX Classifier for fine-tuned MiniLM models."""
+
+    def __init__(self, model_path: str | None = None):
+        self._model_path = model_path or _default_model_path()
+        self._session = None
+        self._tokenizer = None
+        self._max_length = 256
+        self._load_failed = False
+
+    def load_model(self, model_path: str | None = None) -> None:
+        if model_path:
+            self._model_path = model_path
+        if self._session is not None and self._tokenizer is not None:
+            return
+        if self._load_failed:
+            raise ImportError("ONNX dependencies not installed. Install with: pip install stackone-defender[onnx]")
+        self._load_model()
+
+    def _load_model(self) -> None:
+        try:
+            import numpy as np  # noqa: F401
+            import onnxruntime as ort
+            from tokenizers import Tokenizer
+        except ImportError as e:
+            self._load_failed = True
+            raise ImportError(
+                "ONNX dependencies not installed. Install with: pip install stackone-defender[onnx]"
+            ) from e
+
+        tokenizer_path = str(Path(self._model_path) / "tokenizer.json")
+        self._tokenizer = Tokenizer.from_file(tokenizer_path)
+        self._tokenizer.enable_truncation(max_length=self._max_length)
+        self._tokenizer.enable_padding(length=self._max_length)
+
+        onnx_path = str(Path(self._model_path) / "model_quantized.onnx")
+        self._session = ort.InferenceSession(onnx_path)
+
+    def classify(self, text: str) -> float:
+        """Classify a single text, returning a sigmoid score in [0, 1]."""
+        self._ensure_loaded()
+        import numpy as np
+
+        encoding = self._tokenizer.encode(text)
+        input_ids = np.array([encoding.ids], dtype=np.int64)
+        attention_mask = np.array([encoding.attention_mask], dtype=np.int64)
+
+        results = self._session.run(None, {"input_ids": input_ids, "attention_mask": attention_mask})
+        logit = float(results[0][0][0])
+        return _sigmoid(logit)
+
+    def classify_batch(self, texts: list[str]) -> list[float]:
+        """Classify multiple texts in batch."""
+        if not texts:
+            return []
+        self._ensure_loaded()
+        import numpy as np
+
+        encodings = self._tokenizer.encode_batch(texts)
+        input_ids = np.array([e.ids for e in encodings], dtype=np.int64)
+        attention_mask = np.array([e.attention_mask for e in encodings], dtype=np.int64)
+
+        results = self._session.run(None, {"input_ids": input_ids, "attention_mask": attention_mask})
+        logits = results[0]
+        return [_sigmoid(float(logits[i][0])) for i in range(len(texts))]
+
+    def warmup(self) -> None:
+        self.load_model()
+
+    def is_loaded(self) -> bool:
+        return self._session is not None and self._tokenizer is not None
+
+    def _ensure_loaded(self) -> None:
+        if not self.is_loaded():
+            self.load_model()

stackone_defender/classifiers/pattern_detector.py

@@ -0,0 +1,223 @@
+"""Tier 1: Pattern Detection.
+
+Fast, regex-based detection of known injection patterns.
+Target latency: < 1-2ms per field.
+"""
+
+from __future__ import annotations
+
+import math
+import re
+import time
+
+from ..types import PatternDefinition, PatternMatch, RiskLevel, StructuralFlag, Tier1Result
+from .patterns import ALL_PATTERNS, contains_filter_keywords
+
+DEFAULT_DETECTOR_CONFIG = {
+    "use_fast_filter": True,
+    "max_analysis_length": 50000,
+    "entropy_threshold": 4.5,
+    "entropy_min_length": 50,
+    "max_field_length": 100000,
+}
+
+
+class PatternDetector:
+    """Pattern Detector for Tier 1 classification."""
+
+    def __init__(self, config: dict | None = None, custom_patterns: list[PatternDefinition] | None = None):
+        cfg = dict(DEFAULT_DETECTOR_CONFIG)
+        if config:
+            cfg.update(config)
+        self._use_fast_filter = cfg["use_fast_filter"]
+        self._max_analysis_length = cfg["max_analysis_length"]
+        self._entropy_threshold = cfg["entropy_threshold"]
+        self._entropy_min_length = cfg["entropy_min_length"]
+        self._max_field_length = cfg["max_field_length"]
+        self._patterns: list[PatternDefinition] = list(ALL_PATTERNS)
+        self._has_custom = False
+        if custom_patterns:
+            self._patterns.extend(custom_patterns)
+            self._has_custom = True
+
+    def analyze(self, text: str) -> Tier1Result:
+        start = time.perf_counter()
+
+        if not text or len(text) < 3:
+            return self._empty_result(start)
+
+        original_length = len(text)
+        analysis_text = text[: self._max_analysis_length] if len(text) > self._max_analysis_length else text
+
+        should_use_fast_filter = self._use_fast_filter and not self._has_custom
+        if should_use_fast_filter and not contains_filter_keywords(analysis_text):
+            flags = self._detect_structural_issues(analysis_text, original_length)
+            return self._create_result([], flags, start)
+
+        matches = self._detect_patterns(analysis_text)
+        flags = self._detect_structural_issues(analysis_text, original_length)
+        return self._create_result(matches, flags, start)
+
+    # ------------------------------------------------------------------
+    # Pattern detection
+    # ------------------------------------------------------------------
+
+    def _detect_patterns(self, text: str) -> list[PatternMatch]:
+        matches: list[PatternMatch] = []
+        for defn in self._patterns:
+            # Use finditer for all patterns (handles global-like behavior)
+            for m in defn.pattern.finditer(text):
+                matches.append(
+                    PatternMatch(
+                        pattern=defn.id,
+                        matched=m.group(0),
+                        position=m.start(),
+                        category=defn.category,
+                        severity=defn.severity,
+                    )
+                )
+        return matches
+
+    # ------------------------------------------------------------------
+    # Structural analysis
+    # ------------------------------------------------------------------
+
+    def _detect_structural_issues(self, text: str, original_length: int | None = None) -> list[StructuralFlag]:
+        flags: list[StructuralFlag] = []
+        length_to_check = original_length if original_length is not None else len(text)
+
+        if length_to_check > self._max_field_length:
+            flags.append(
+                StructuralFlag(
+                    type="excessive_length",
+                    details=f"Field length {length_to_check} exceeds maximum {self._max_field_length}",
+                    severity="medium",
+                )
+            )
+
+        if len(text) >= self._entropy_min_length:
+            entropy = self._calculate_entropy(text)
+            if entropy > self._entropy_threshold:
+                flags.append(
+                    StructuralFlag(
+                        type="high_entropy",
+                        details=f"Entropy {entropy:.2f} exceeds threshold {self._entropy_threshold}",
+                        severity="medium",
+                    )
+                )
+
+        if self._has_nested_markers(text):
+            flags.append(
+                StructuralFlag(
+                    type="nested_markers",
+                    details="Suspicious nested XML tags or bracket patterns detected",
+                    severity="medium",
+                )
+            )
+
+        if self._has_suspicious_formatting(text):
+            flags.append(
+                StructuralFlag(
+                    type="suspicious_formatting",
+                    details="Unusual formatting patterns detected",
+                    severity="low",
+                )
+            )
+
+        return flags
+
+    @staticmethod
+    def _calculate_entropy(text: str) -> float:
+        freq: dict[str, int] = {}
+        for ch in text:
+            freq[ch] = freq.get(ch, 0) + 1
+        length = len(text)
+        entropy = 0.0
+        for count in freq.values():
+            p = count / length
+            entropy -= p * math.log2(p)
+        return entropy
+
+    @staticmethod
+    def _has_nested_markers(text: str) -> bool:
+        suspicious_xml = re.compile(
+            r"</?(?:system|user|assistant|instruction|prompt|admin|developer)[^>]*>", re.I
+        )
+        tags = suspicious_xml.findall(text)
+        if len(tags) >= 2:
+            return True
+
+        xml_tags = re.findall(r"<[a-zA-Z][^>]*>", text)
+        if len(xml_tags) > 4:
+            marker_tags = [t for t in xml_tags if re.search(r"system|user|assistant|instruction|prompt", t, re.I)]
+            if marker_tags:
+                return True
+
+        if re.search(r"\[\[.*?(?:system|instruction|ignore).*?\]\]", text, re.I):
+            return True
+
+        return False
+
+    @staticmethod
+    def _has_suspicious_formatting(text: str) -> bool:
+        if re.search(r"\n{3,}(?:system|instruction|ignore|forget)", text, re.I):
+            return True
+        if re.search(r"^#{1,3}\s*(?:system|instruction|new rules)", text, re.I | re.M):
+            return True
+        if re.search(r"[-=]{3,}\s*\n\s*(?:system|instruction|ignore)", text, re.I):
+            return True
+        return False
+
+    # ------------------------------------------------------------------
+    # Risk calculation
+    # ------------------------------------------------------------------
+
+    @staticmethod
+    def _calculate_suggested_risk(matches: list[PatternMatch], flags: list[StructuralFlag]) -> RiskLevel:
+        high_matches = sum(1 for m in matches if m.severity == "high")
+        medium_matches = sum(1 for m in matches if m.severity == "medium")
+        high_flags = sum(1 for f in flags if f.severity == "high")
+        medium_flags = sum(1 for f in flags if f.severity == "medium")
+
+        if high_matches >= 2 or (high_matches >= 1 and high_flags >= 1):
+            return "critical"
+        if high_matches >= 1 or medium_matches >= 3 or (medium_matches >= 2 and medium_flags >= 1):
+            return "high"
+        if medium_matches >= 1 or high_flags >= 1 or medium_flags >= 2:
+            return "medium"
+        if matches or flags:
+            return "low"
+        return "low"
+
+    # ------------------------------------------------------------------
+    # Result helpers
+    # ------------------------------------------------------------------
+
+    def _create_result(self, matches: list[PatternMatch], flags: list[StructuralFlag], start: float) -> Tier1Result:
+        return Tier1Result(
+            matches=matches,
+            structural_flags=flags,
+            has_detections=bool(matches) or bool(flags),
+            suggested_risk=self._calculate_suggested_risk(matches, flags),
+            latency_ms=(time.perf_counter() - start) * 1000,
+        )
+
+    @staticmethod
+    def _empty_result(start: float) -> Tier1Result:
+        return Tier1Result(
+            matches=[],
+            structural_flags=[],
+            has_detections=False,
+            suggested_risk="low",
+            latency_ms=(time.perf_counter() - start) * 1000,
+        )
+
+    def add_pattern(self, pattern: PatternDefinition) -> None:
+        self._patterns.append(pattern)
+
+    def get_patterns(self) -> list[PatternDefinition]:
+        return list(self._patterns)
+
+
+def create_pattern_detector(config: dict | None = None, custom_patterns: list[PatternDefinition] | None = None) -> PatternDetector:
+    return PatternDetector(config=config, custom_patterns=custom_patterns)

stackone_defender/classifiers/patterns.py

@@ -0,0 +1,170 @@
+"""Shared injection pattern definitions.
+
+These patterns are used by both Tier 1 classification and sanitization.
+Single source of truth for pattern matching.
+"""
+
+from __future__ import annotations
+
+import re
+
+from ..types import PatternDefinition
+
+# ---------------------------------------------------------------------------
+# Role markers
+# ---------------------------------------------------------------------------
+ROLE_MARKER_PATTERNS: list[PatternDefinition] = [
+    PatternDefinition("role_system", re.compile(r"^SYSTEM:\s*", re.I), "role_marker", "high", "System role marker at start of text"),
+    PatternDefinition("role_assistant", re.compile(r"^ASSISTANT:\s*", re.I), "role_marker", "high", "Assistant role marker at start of text"),
+    PatternDefinition("role_user", re.compile(r"^USER:\s*", re.I), "role_marker", "medium", "User role marker at start of text"),
+    PatternDefinition("role_developer", re.compile(r"^DEVELOPER:\s*", re.I), "role_marker", "high", "Developer role marker at start of text"),
+    PatternDefinition("role_admin", re.compile(r"^ADMIN(?:ISTRATOR)?:\s*", re.I), "role_marker", "high", "Admin role marker at start of text"),
+    PatternDefinition("role_instruction", re.compile(r"^INSTRUCTIONS?:\s*", re.I), "role_marker", "high", "Instruction marker at start of text"),
+    PatternDefinition("role_human", re.compile(r"^HUMAN:\s*", re.I), "role_marker", "medium", "Human role marker at start of text"),
+    PatternDefinition("role_ai", re.compile(r"^AI:\s*", re.I), "role_marker", "medium", "AI role marker at start of text"),
+    # Bracketed variants
+    PatternDefinition("role_system_bracket", re.compile(r"^\[SYSTEM\]", re.I), "role_marker", "high", "Bracketed system role marker"),
+    PatternDefinition("role_inst_bracket", re.compile(r"^\[INST\]", re.I), "role_marker", "high", "Bracketed instruction marker (Llama format)"),
+    # XML-style variants
+    PatternDefinition("role_system_xml", re.compile(r"<system>", re.I), "role_marker", "high", "XML-style system tag"),
+    PatternDefinition("role_assistant_xml", re.compile(r"<assistant>", re.I), "role_marker", "medium", "XML-style assistant tag"),
+]
+
+# ---------------------------------------------------------------------------
+# Instruction overrides
+# ---------------------------------------------------------------------------
+INSTRUCTION_OVERRIDE_PATTERNS: list[PatternDefinition] = [
+    PatternDefinition("ignore_previous", re.compile(r"ignore\s+(?:all\s+)?(?:previous|prior|earlier|above)\s+(?:instructions?|prompts?|rules?|guidelines?|directions?)", re.I), "instruction_override", "high", "Attempt to ignore previous instructions"),
+    PatternDefinition("forget_previous", re.compile(r"forget\s+(?:all\s+)?(?:(?:previous|prior|earlier|above)\s+)?(?:instructions?|prompts?|rules?|context|guidelines?)", re.I), "instruction_override", "high", "Attempt to make AI forget instructions"),
+    PatternDefinition("disregard_previous", re.compile(r"disregard\s+(?:all\s+)?(?:previous|prior|earlier|above)\s+(?:instructions?|prompts?|rules?)", re.I), "instruction_override", "high", "Attempt to disregard instructions"),
+    PatternDefinition("override_instructions", re.compile(r"override\s+(?:the\s+)?(?:system\s+)?(?:prompt|instructions?|rules?|guidelines?)", re.I), "instruction_override", "high", "Direct override attempt"),
+    PatternDefinition("new_instructions", re.compile(r"new\s+instructions?:\s*", re.I), "instruction_override", "high", "Attempt to inject new instructions"),
+    PatternDefinition("updated_instructions", re.compile(r"(?:updated?|revised?|changed?)\s+instructions?:\s*", re.I), "instruction_override", "high", "Attempt to update instructions"),
+    PatternDefinition("stop_being", re.compile(r"stop\s+being\s+(?:a\s+)?(?:helpful|assistant|ai|chatbot)", re.I), "instruction_override", "medium", "Attempt to change AI behavior"),
+    PatternDefinition("from_now_on", re.compile(r"from\s+now\s+on,?\s+(?:you\s+)?(?:will|must|should|are)", re.I), "instruction_override", "medium", "Attempt to set new behavior"),
+]
+
+# ---------------------------------------------------------------------------
+# Role assumption
+# ---------------------------------------------------------------------------
+ROLE_ASSUMPTION_PATTERNS: list[PatternDefinition] = [
+    PatternDefinition("you_are_now", re.compile(r"you\s+are\s+now\s+(?:a\s+)?(?:different|new|the|my)?", re.I), "role_assumption", "high", "Attempt to assign new role"),
+    PatternDefinition("act_as", re.compile(r"act\s+(?:as|like)\s+(?:a\s+)?(?:system|admin|developer|root|superuser)", re.I), "role_assumption", "high", "Attempt to make AI act as privileged role"),
+    PatternDefinition("pretend_to_be", re.compile(r"pretend\s+(?:to\s+be|you\s+are)\s+(?:a\s+)?", re.I), "role_assumption", "medium", "Attempt to make AI pretend"),
+    PatternDefinition("roleplay_as", re.compile(r"roleplay\s+(?:as|like)\s+(?:a\s+)?", re.I), "role_assumption", "low", "Roleplay request (lower severity)"),
+    PatternDefinition("imagine_you_are", re.compile(r"imagine\s+(?:that\s+)?you\s+are\s+(?:a\s+)?", re.I), "role_assumption", "low", "Imagination prompt (lower severity)"),
+    PatternDefinition("jailbreak_dan", re.compile(r"\bDAN\b.*?(?:do\s+anything|jailbreak)", re.I), "role_assumption", "high", "DAN jailbreak attempt"),
+    PatternDefinition("developer_mode", re.compile(r"developer\s+mode\s+(?:is\s+)?(?:now\s+)?(?:enabled?|activated?|on)", re.I), "role_assumption", "high", "Developer mode activation attempt"),
+]
+
+# ---------------------------------------------------------------------------
+# Security bypass
+# ---------------------------------------------------------------------------
+SECURITY_BYPASS_PATTERNS: list[PatternDefinition] = [
+    PatternDefinition("bypass_security", re.compile(r"bypass\s+(?:the\s+)?(?:security|safety|guardrails?|filters?|restrictions?)", re.I), "security_bypass", "high", "Direct security bypass attempt"),
+    PatternDefinition("disable_safety", re.compile(r"disable\s+(?:the\s+)?(?:safety|security|guardrails?|filters?|restrictions?)", re.I), "security_bypass", "high", "Attempt to disable safety features"),
+    PatternDefinition("ignore_safety", re.compile(r"ignore\s+(?:the\s+)?(?:safety|security|ethical)\s+(?:guidelines?|rules?|restrictions?)", re.I), "security_bypass", "high", "Attempt to ignore safety guidelines"),
+    PatternDefinition("no_restrictions", re.compile(r"(?:without|no)\s+(?:any\s+)?(?:restrictions?|limitations?|guardrails?|filters?)", re.I), "security_bypass", "medium", "Request for unrestricted response"),
+    PatternDefinition("uncensored", re.compile(r"(?:uncensored|unfiltered|unrestricted)\s*(?:mode|response|output|version)?", re.I), "security_bypass", "high", "Request for uncensored mode"),
+]
+
+# ---------------------------------------------------------------------------
+# Command execution
+# ---------------------------------------------------------------------------
+COMMAND_EXECUTION_PATTERNS: list[PatternDefinition] = [
+    PatternDefinition("execute_command", re.compile(r"execute\s+(?:the\s+)?(?:following|this|these)\s+(?:command|instruction|code)", re.I), "command_execution", "high", "Command execution instruction"),
+    PatternDefinition("run_code", re.compile(r"run\s+(?:the\s+)?(?:following|this|these)\s+(?:code|script|command)", re.I), "command_execution", "high", "Code execution instruction"),
+    PatternDefinition("eval_expression", re.compile(r"eval(?:uate)?\s*\(", re.I), "command_execution", "medium", "Eval function pattern"),
+    PatternDefinition("shell_command", re.compile(r"\$\([^)]+\)|`[^`]+`"), "command_execution", "medium", "Shell command substitution"),
+]
+
+# ---------------------------------------------------------------------------
+# Encoding suspicious
+# ---------------------------------------------------------------------------
+ENCODING_SUSPICIOUS_PATTERNS: list[PatternDefinition] = [
+    PatternDefinition("base64_instruction", re.compile(r"(?:decode|base64)\s*[:(]\s*[A-Za-z0-9+/=]{20,}", re.I), "encoding_suspicious", "high", "Base64 encoded content with decode instruction"),
+    PatternDefinition("hex_escape_sequence", re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}"), "encoding_suspicious", "medium", "Hex escape sequence (potential obfuscation)"),
+    PatternDefinition("unicode_escape_sequence", re.compile(r"(?:\\u[0-9a-fA-F]{4}){4,}"), "encoding_suspicious", "medium", "Unicode escape sequence (potential obfuscation)"),
+    PatternDefinition("html_entity_abuse", re.compile(r"(?:&#\d{2,4};){4,}|(?:&#x[0-9a-fA-F]{2,4};){4,}", re.I), "encoding_suspicious", "medium", "HTML entity encoding (potential obfuscation)"),
+    PatternDefinition("rot13_mention", re.compile(r"rot13|caesar\s+cipher|decode\s+this", re.I), "encoding_suspicious", "low", "Mention of simple encoding schemes"),
+    PatternDefinition("leetspeak_injection", re.compile(r"1gn0r3|f0rg3t|byp4ss|syst3m|4dm1n|h4ck", re.I), "encoding_suspicious", "medium", "Leetspeak obfuscation of injection keywords"),
+]
+
+# ---------------------------------------------------------------------------
+# Prompt leaking
+# ---------------------------------------------------------------------------
+PROMPT_LEAKING_PATTERNS: list[PatternDefinition] = [
+    PatternDefinition("reveal_system_prompt", re.compile(r"reveal\s+(?:your\s+)?(?:system\s+)?prompt", re.I), "instruction_override", "high", "Attempt to reveal system prompt"),
+    PatternDefinition("show_instructions", re.compile(r"show\s+(?:me\s+)?(?:your\s+)?(?:(?:initial|original|system|hidden)\s+)?instructions?", re.I), "instruction_override", "high", "Attempt to show hidden instructions"),
+    PatternDefinition("print_above", re.compile(r"print\s+(?:everything|all|text)\s+(?:above|before)", re.I), "instruction_override", "high", "Attempt to print content above current context"),
+    PatternDefinition("repeat_back", re.compile(r"repeat\s+(?:back\s+)?(?:everything|all|your\s+instructions?)", re.I), "instruction_override", "high", "Attempt to make AI repeat instructions"),
+    PatternDefinition("what_are_your_instructions", re.compile(r"what\s+(?:are|were)\s+(?:your|the)\s+(?:(?:initial|original|system)\s+)?instructions?", re.I), "instruction_override", "medium", "Question about system instructions"),
+    PatternDefinition("output_initialization", re.compile(r"output\s+(?:your\s+)?(?:initialization|init|startup|boot)", re.I), "instruction_override", "high", "Attempt to output initialization content"),
+]
+
+# ---------------------------------------------------------------------------
+# Indirect injection
+# ---------------------------------------------------------------------------
+INDIRECT_INJECTION_PATTERNS: list[PatternDefinition] = [
+    PatternDefinition("markdown_hidden_instruction", re.compile(r"\[.*?\]\(.*?(?:ignore|forget|system|instruction).*?\)", re.I), "structural", "high", "Markdown link with hidden injection"),
+    PatternDefinition("html_comment_injection", re.compile(r"<!--\s*(?:system|ignore|instruction|prompt).*?-->", re.I), "structural", "high", "HTML comment containing injection keywords"),
+    PatternDefinition("invisible_unicode", re.compile(r"[\u200b-\u200d\ufeff\u2060\u2061\u2062\u2063\u2064]"), "encoding_suspicious", "medium", "Invisible Unicode characters (zero-width, etc.)"),
+    PatternDefinition("text_direction_override", re.compile(r"[\u202a-\u202e\u2066-\u2069]"), "encoding_suspicious", "medium", "Text direction override characters"),
+    PatternDefinition("confusable_homoglyphs", re.compile(r"[\u13a0-\u13f4]|[\u1d00-\u1d2b]|[\u0400-\u04ff]"), "encoding_suspicious", "medium", "Unicode homoglyph characters (Cherokee, Small Caps, Cyrillic)"),
+    PatternDefinition("separator_injection", re.compile(r"[-=]{10,}[^-=\n]*(?:system|instruction|ignore)", re.I), "structural", "medium", "Separator followed by injection attempt"),
+    PatternDefinition("json_injection", re.compile(r'"(?:system|role|instruction|prompt)"\s*:\s*"', re.I), "structural", "medium", "JSON-style role/instruction injection"),
+]
+
+# ---------------------------------------------------------------------------
+# All patterns combined
+# ---------------------------------------------------------------------------
+ALL_PATTERNS: list[PatternDefinition] = [
+    *ROLE_MARKER_PATTERNS,
+    *INSTRUCTION_OVERRIDE_PATTERNS,
+    *ROLE_ASSUMPTION_PATTERNS,
+    *SECURITY_BYPASS_PATTERNS,
+    *COMMAND_EXECUTION_PATTERNS,
+    *ENCODING_SUSPICIOUS_PATTERNS,
+    *PROMPT_LEAKING_PATTERNS,
+    *INDIRECT_INJECTION_PATTERNS,
+]
+
+
+def get_patterns_by_category(category: str) -> list[PatternDefinition]:
+    return [p for p in ALL_PATTERNS if p.category == category]
+
+
+def get_patterns_by_severity(severity: str) -> list[PatternDefinition]:
+    return [p for p in ALL_PATTERNS if p.severity == severity]
+
+
+FAST_FILTER_KEYWORDS: list[str] = [
+    # Role markers
+    "system:", "assistant:", "user:", "developer:", "admin:",
+    "instruction", "[system]", "[inst]", "<system>", "<assistant>",
+    # Override keywords
+    "ignore", "forget", "disregard", "override", "bypass",
+    "disable", "stop being", "from now on",
+    # Role assumption
+    "you are now", "act as", "pretend", "roleplay", "jailbreak",
+    "dan", "developer mode", "imagine you",
+    # Security bypass
+    "uncensored", "unfiltered", "unrestricted",
+    "no restrictions", "without restrictions",
+    # Commands
+    "execute", "eval(", "$(", "run the",
+    # Encoding/obfuscation
+    "base64", "decode", "\\x", "\\u", "&#", "rot13",
+    "1gn0r3", "f0rg3t", "byp4ss",
+    # Prompt leaking
+    "reveal", "show me your", "print everything", "print above",
+    "repeat back", "what are your instructions", "output initialization",
+    # Indirect injection
+    "<!--", '"system"', '"role"', '"instruction"',
+]
+
+
+def contains_filter_keywords(text: str) -> bool:
+    """Check if text contains any fast filter keywords (case-insensitive)."""
+    lower = text.lower()
+    return any(kw.lower() in lower for kw in FAST_FILTER_KEYWORDS)