{
  "version": "1.0.0",
  "description": "Mutation rules for adaptive attack simulation. Each mutation type transforms payloads to test evasion resistance. Based on joint paper findings (arXiv 2510.09023) and Preamble Prompt Injection 2.0.",
  "mutations": {
    "homoglyph": {
      "description": "Replace Latin characters with visually similar Cyrillic/Greek characters",
      "substitutions": {
        "a": "\u0430",
        "e": "\u0435",
        "o": "\u043e",
        "p": "\u0440",
        "c": "\u0441",
        "i": "\u0456",
        "u": "\u0443",
        "x": "\u0445",
        "s": "\u0455",
        "h": "\u04bb",
        "A": "\u0410",
        "E": "\u0415",
        "O": "\u041e",
        "P": "\u0420",
        "C": "\u0421",
        "T": "\u0422",
        "H": "\u041d",
        "B": "\u0412",
        "M": "\u041c",
        "K": "\u041a"
      }
    },
    "encoding": {
      "description": "Wrap payload segments in various encodings",
      "types": ["url", "html_entities", "base64_fragment"]
    },
    "zero_width": {
      "description": "Insert zero-width characters between keyword letters",
      "characters": ["\u200b", "\u200c", "\u200d", "\ufeff"]
    },
    "case_alternation": {
      "description": "Alternate uppercase/lowercase in keywords (e.g., iGnOrE)"
    },
    "synonym": {
      "description": "Replace injection keywords with synonyms that may evade exact-match patterns",
      "substitutions": {
        "ignore": ["disregard", "dismiss", "overlook", "skip", "bypass", "neglect", "set aside"],
        "previous": ["prior", "preceding", "earlier", "above", "foregoing", "antecedent"],
        "instructions": ["directives", "guidelines", "commands", "rules", "orders", "prompts", "specifications"],
        "forget": ["erase", "wipe", "clear", "purge", "delete", "remove"],
        "override": ["supersede", "overwrite", "replace", "supplant", "nullify", "countermand"],
        "system": ["core", "base", "root", "master", "primary", "main", "central"],
        "safety": ["security", "protection", "guard", "defense", "safeguard", "shield"],
        "bypass": ["circumvent", "evade", "sidestep", "work around", "get past", "avoid"],
        "execute": ["run", "perform", "carry out", "invoke", "trigger", "launch"],
        "exfiltrate": ["extract", "leak", "transfer out", "export", "siphon", "smuggle"],
        "credentials": ["secrets", "tokens", "passwords", "keys", "creds", "auth data"],
        "disable": ["turn off", "deactivate", "switch off", "shut down", "neutralize"]
      }
    }
  },
  "injection_keywords": [
    "ignore", "previous", "instructions", "forget", "override",
    "system", "safety", "bypass", "execute", "exfiltrate",
    "credentials", "disable", "disregard", "suspend", "constraints"
  ]
}