f418a8fe08
Full port of llm-security plugin for internal use on Windows with GitHub Copilot CLI. Protocol translation layer (copilot-hook-runner.mjs) normalizes Copilot camelCase I/O to Claude Code snake_case format — all original hook scripts run unmodified. - 8 hooks with protocol translation (stdin/stdout/exit code) - 18 SKILL.md skills (Agent Skills Open Standard) - 6 .agent.md agent definitions - 20 scanners + 14 scanner lib modules (unchanged) - 14 knowledge files (unchanged) - 39 test files including copilot-port-verify.mjs (17 tests) - Windows-ready: node:path, os.tmpdir(), process.execPath, no bash Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
64 lines
2.7 KiB
JSON
64 lines
2.7 KiB
JSON
{
|
|
"version": "1.0.0",
|
|
"description": "Mutation rules for adaptive attack simulation. Each mutation type transforms payloads to test evasion resistance. Based on joint paper findings (arXiv 2510.09023) and Preamble Prompt Injection 2.0.",
|
|
"mutations": {
|
|
"homoglyph": {
|
|
"description": "Replace Latin characters with visually similar Cyrillic/Greek characters",
|
|
"substitutions": {
|
|
"a": "\u0430",
|
|
"e": "\u0435",
|
|
"o": "\u043e",
|
|
"p": "\u0440",
|
|
"c": "\u0441",
|
|
"i": "\u0456",
|
|
"u": "\u0443",
|
|
"x": "\u0445",
|
|
"s": "\u0455",
|
|
"h": "\u04bb",
|
|
"A": "\u0410",
|
|
"E": "\u0415",
|
|
"O": "\u041e",
|
|
"P": "\u0420",
|
|
"C": "\u0421",
|
|
"T": "\u0422",
|
|
"H": "\u041d",
|
|
"B": "\u0412",
|
|
"M": "\u041c",
|
|
"K": "\u041a"
|
|
}
|
|
},
|
|
"encoding": {
|
|
"description": "Wrap payload segments in various encodings",
|
|
"types": ["url", "html_entities", "base64_fragment"]
|
|
},
|
|
"zero_width": {
|
|
"description": "Insert zero-width characters between keyword letters",
|
|
"characters": ["\u200b", "\u200c", "\u200d", "\ufeff"]
|
|
},
|
|
"case_alternation": {
|
|
"description": "Alternate uppercase/lowercase in keywords (e.g., iGnOrE)"
|
|
},
|
|
"synonym": {
|
|
"description": "Replace injection keywords with synonyms that may evade exact-match patterns",
|
|
"substitutions": {
|
|
"ignore": ["disregard", "dismiss", "overlook", "skip", "bypass", "neglect", "set aside"],
|
|
"previous": ["prior", "preceding", "earlier", "above", "foregoing", "antecedent"],
|
|
"instructions": ["directives", "guidelines", "commands", "rules", "orders", "prompts", "specifications"],
|
|
"forget": ["erase", "wipe", "clear", "purge", "delete", "remove"],
|
|
"override": ["supersede", "overwrite", "replace", "supplant", "nullify", "countermand"],
|
|
"system": ["core", "base", "root", "master", "primary", "main", "central"],
|
|
"safety": ["security", "protection", "guard", "defense", "safeguard", "shield"],
|
|
"bypass": ["circumvent", "evade", "sidestep", "work around", "get past", "avoid"],
|
|
"execute": ["run", "perform", "carry out", "invoke", "trigger", "launch"],
|
|
"exfiltrate": ["extract", "leak", "transfer out", "export", "siphon", "smuggle"],
|
|
"credentials": ["secrets", "tokens", "passwords", "keys", "creds", "auth data"],
|
|
"disable": ["turn off", "deactivate", "switch off", "shut down", "neutralize"]
|
|
}
|
|
}
|
|
},
|
|
"injection_keywords": [
|
|
"ignore", "previous", "instructions", "forget", "override",
|
|
"system", "safety", "bypass", "execute", "exfiltrate",
|
|
"credentials", "disable", "disregard", "suspend", "constraints"
|
|
]
|
|
}
|