Policies

Recipes

Catalog of regex rules, suppressions, sensitive tools, and judge categories shipped with the strict policy — search, copy, and remix.

The recipe catalog is the same library the Policy creator draws from. Every entry ships with the bundled strict policy so you can paste the YAML directly into your own pack — or use the wizard to drop one into a draft and tune it interactively.

Where these come from

Each rule originates in policies/guardrail/strict/rules/<category>.yaml and gets compiled into this catalog at build time by docs-site/scripts/build-policy-assets.ts. The bundled strict pack is the source of truth — when it changes, this catalog regenerates.

Showing 133 of 133 recipes.
  • webhook.site (known exfil) [rule:c2]
    RECIPE-C2-WEBHOOK-SITE
    egress_external

    Pattern shipped in the bundled strict rule pack (c2.yaml). Severity HIGH.

    YAML
    {
      "id": "C2-WEBHOOK-SITE",
      "pattern": "(?i)webhook\\.site",
      "title": "webhook.site (known exfil)",
      "severity": "HIGH",
      "confidence": 0.9,
      "tags": [
        "exfiltration",
        "c2"
      ]
    }
    policies/guardrail/strict/rules/c2.yaml
  • ngrok tunnel (exfil risk) [rule:c2]
    RECIPE-C2-NGROK
    egress_external

    Pattern shipped in the bundled strict rule pack (c2.yaml). Severity HIGH.

    YAML
    {
      "id": "C2-NGROK",
      "pattern": "(?i)(?:ngrok\\.io|ngrok-free\\.app)",
      "title": "ngrok tunnel (exfil risk)",
      "severity": "HIGH",
      "confidence": 0.85,
      "tags": [
        "exfiltration",
        "c2"
      ]
    }
    policies/guardrail/strict/rules/c2.yaml
  • Pipedream (known exfil) [rule:c2]
    RECIPE-C2-PIPEDREAM
    egress_external

    Pattern shipped in the bundled strict rule pack (c2.yaml). Severity HIGH.

    YAML
    {
      "id": "C2-PIPEDREAM",
      "pattern": "(?i)pipedream\\.net",
      "title": "Pipedream (known exfil)",
      "severity": "HIGH",
      "confidence": 0.9,
      "tags": [
        "exfiltration",
        "c2"
      ]
    }
    policies/guardrail/strict/rules/c2.yaml
  • RequestBin (known exfil) [rule:c2]
    RECIPE-C2-REQUESTBIN
    egress_external

    Pattern shipped in the bundled strict rule pack (c2.yaml). Severity HIGH.

    YAML
    {
      "id": "C2-REQUESTBIN",
      "pattern": "(?i)requestbin\\.com",
      "title": "RequestBin (known exfil)",
      "severity": "HIGH",
      "confidence": 0.9,
      "tags": [
        "exfiltration",
        "c2"
      ]
    }
    policies/guardrail/strict/rules/c2.yaml
  • HookBin (known exfil) [rule:c2]
    RECIPE-C2-HOOKBIN
    egress_external

    Pattern shipped in the bundled strict rule pack (c2.yaml). Severity HIGH.

    YAML
    {
      "id": "C2-HOOKBIN",
      "pattern": "(?i)hookbin\\.com",
      "title": "HookBin (known exfil)",
      "severity": "HIGH",
      "confidence": 0.9,
      "tags": [
        "exfiltration",
        "c2"
      ]
    }
    policies/guardrail/strict/rules/c2.yaml
  • Burp Collaborator (pentest C2) [rule:c2]
    RECIPE-C2-BURP
    egress_external

    Pattern shipped in the bundled strict rule pack (c2.yaml). Severity HIGH.

    YAML
    {
      "id": "C2-BURP",
      "pattern": "(?i)burpcollaborator\\.net",
      "title": "Burp Collaborator (pentest C2)",
      "severity": "HIGH",
      "confidence": 0.9,
      "tags": [
        "exfiltration",
        "c2"
      ]
    }
    policies/guardrail/strict/rules/c2.yaml
  • interact.sh (OOB exfil) [rule:c2]
    RECIPE-C2-INTERACTSH
    egress_external

    Pattern shipped in the bundled strict rule pack (c2.yaml). Severity HIGH.

    YAML
    {
      "id": "C2-INTERACTSH",
      "pattern": "(?i)interact\\.sh",
      "title": "interact.sh (OOB exfil)",
      "severity": "HIGH",
      "confidence": 0.9,
      "tags": [
        "exfiltration",
        "c2"
      ]
    }
    policies/guardrail/strict/rules/c2.yaml
  • oast.fun (OOB testing) [rule:c2]
    RECIPE-C2-OAST
    egress_external

    Pattern shipped in the bundled strict rule pack (c2.yaml). Severity HIGH.

    YAML
    {
      "id": "C2-OAST",
      "pattern": "(?i)oast\\.fun",
      "title": "oast.fun (OOB testing)",
      "severity": "HIGH",
      "confidence": 0.85,
      "tags": [
        "exfiltration",
        "c2"
      ]
    }
    policies/guardrail/strict/rules/c2.yaml
  • Canary Tokens [rule:c2]
    RECIPE-C2-CANARY
    egress_external

    Pattern shipped in the bundled strict rule pack (c2.yaml). Severity MEDIUM.

    YAML
    {
      "id": "C2-CANARY",
      "pattern": "(?i)canarytokens\\.com",
      "title": "Canary Tokens",
      "severity": "MEDIUM",
      "confidence": 0.75,
      "tags": [
        "exfiltration",
        "c2"
      ]
    }
    policies/guardrail/strict/rules/c2.yaml
  • Pastebin raw fetch [rule:c2]
    RECIPE-C2-PASTEBIN
    egress_external

    Pattern shipped in the bundled strict rule pack (c2.yaml). Severity MEDIUM.

    YAML
    {
      "id": "C2-PASTEBIN",
      "pattern": "(?i)pastebin\\.com/raw/",
      "title": "Pastebin raw fetch",
      "severity": "MEDIUM",
      "confidence": 0.7,
      "tags": [
        "exfiltration",
        "c2"
      ]
    }
    policies/guardrail/strict/rules/c2.yaml
  • AWS metadata endpoint (SSRF) [rule:c2]
    RECIPE-C2-METADATA-AWS
    sensitive_access, egress_external

    Pattern shipped in the bundled strict rule pack (c2.yaml). Severity CRITICAL.

    YAML
    {
      "id": "C2-METADATA-AWS",
      "pattern": "169\\.254\\.169\\.254",
      "title": "AWS metadata endpoint (SSRF)",
      "severity": "CRITICAL",
      "confidence": 0.95,
      "tags": [
        "ssrf",
        "credential"
      ]
    }
    policies/guardrail/strict/rules/c2.yaml
  • GCP metadata endpoint (SSRF) [rule:c2]
    RECIPE-C2-METADATA-GCP
    sensitive_access, egress_external

    Pattern shipped in the bundled strict rule pack (c2.yaml). Severity CRITICAL.

    YAML
    {
      "id": "C2-METADATA-GCP",
      "pattern": "(?i)metadata\\.google\\.internal",
      "title": "GCP metadata endpoint (SSRF)",
      "severity": "CRITICAL",
      "confidence": 0.95,
      "tags": [
        "ssrf",
        "credential"
      ]
    }
    policies/guardrail/strict/rules/c2.yaml
  • Azure metadata endpoint (SSRF) [rule:c2]
    RECIPE-C2-METADATA-AZURE
    sensitive_access, egress_external

    Pattern shipped in the bundled strict rule pack (c2.yaml). Severity CRITICAL.

    YAML
    {
      "id": "C2-METADATA-AZURE",
      "pattern": "169\\.254\\.169\\.254/metadata",
      "title": "Azure metadata endpoint (SSRF)",
      "severity": "CRITICAL",
      "confidence": 0.95,
      "tags": [
        "ssrf",
        "credential"
      ]
    }
    policies/guardrail/strict/rules/c2.yaml
  • AWS metadata endpoint (hex-encoded SSRF) [rule:c2]
    RECIPE-C2-METADATA-HEX
    sensitive_access, egress_external

    Pattern shipped in the bundled strict rule pack (c2.yaml). Severity CRITICAL.

    YAML
    {
      "id": "C2-METADATA-HEX",
      "pattern": "(?i)0xa9fea9fe",
      "title": "AWS metadata endpoint (hex-encoded SSRF)",
      "severity": "CRITICAL",
      "confidence": 0.95,
      "tags": [
        "ssrf",
        "credential"
      ]
    }
    policies/guardrail/strict/rules/c2.yaml
  • AWS metadata endpoint (decimal-encoded SSRF) [rule:c2]
    RECIPE-C2-METADATA-DECIMAL
    sensitive_access, egress_external

    Pattern shipped in the bundled strict rule pack (c2.yaml). Severity CRITICAL.

    YAML
    {
      "id": "C2-METADATA-DECIMAL",
      "pattern": "(?:^|[/])2852039166(?:$|[/])",
      "title": "AWS metadata endpoint (decimal-encoded SSRF)",
      "severity": "CRITICAL",
      "confidence": 0.93,
      "tags": [
        "ssrf",
        "credential"
      ]
    }
    policies/guardrail/strict/rules/c2.yaml
  • AWS metadata endpoint (octal-encoded SSRF) [rule:c2]
    RECIPE-C2-METADATA-OCTAL
    sensitive_access, egress_external

    Pattern shipped in the bundled strict rule pack (c2.yaml). Severity CRITICAL.

    YAML
    {
      "id": "C2-METADATA-OCTAL",
      "pattern": "0251\\.0376\\.0251\\.0376",
      "title": "AWS metadata endpoint (octal-encoded SSRF)",
      "severity": "CRITICAL",
      "confidence": 0.93,
      "tags": [
        "ssrf",
        "credential"
      ]
    }
    policies/guardrail/strict/rules/c2.yaml
  • DNS TXT query with high-entropy label (tunneling indicator) [rule:c2]
    RECIPE-C2-DNS-TUNNEL
    egress_external

    Pattern shipped in the bundled strict rule pack (c2.yaml). Severity HIGH.

    YAML
    {
      "id": "C2-DNS-TUNNEL",
      "pattern": "(?i)\\bdig\\b\\s+[^;\\n]*\\bTXT\\b\\s+(?:[a-f0-9]{16,}|[A-Za-z2-7]{24,})\\.[A-Za-z0-9-]{2,}\\.",
      "title": "DNS TXT query with high-entropy label (tunneling indicator)",
      "severity": "HIGH",
      "confidence": 0.78,
      "tags": [
        "exfiltration",
        "dns-tunnel"
      ]
    }
    policies/guardrail/strict/rules/c2.yaml
  • nslookup with hex subdomain (DNS exfil) [rule:c2]
    RECIPE-C2-DNS-EXFIL
    egress_external

    Pattern shipped in the bundled strict rule pack (c2.yaml). Severity HIGH.

    YAML
    {
      "id": "C2-DNS-EXFIL",
      "pattern": "(?i)\\bnslookup\\b\\s+[a-f0-9]{8,}\\.\\w+\\.",
      "title": "nslookup with hex subdomain (DNS exfil)",
      "severity": "HIGH",
      "confidence": 0.8,
      "tags": [
        "exfiltration",
        "dns-tunnel"
      ]
    }
    policies/guardrail/strict/rules/c2.yaml
  • SOUL.md access (agent identity) [rule:cognitive-file]
    RECIPE-COG-SOUL
    sensitive_access

    Pattern shipped in the bundled strict rule pack (cognitive.yaml). Severity CRITICAL.

    YAML
    {
      "id": "COG-SOUL",
      "pattern": "(?i)SOUL\\.md",
      "title": "SOUL.md access (agent identity)",
      "severity": "CRITICAL",
      "confidence": 0.95,
      "tags": [
        "cognitive-tampering"
      ]
    }
    policies/guardrail/strict/rules/cognitive.yaml
  • IDENTITY.md access [rule:cognitive-file]
    RECIPE-COG-IDENTITY
    sensitive_access

    Pattern shipped in the bundled strict rule pack (cognitive.yaml). Severity CRITICAL.

    YAML
    {
      "id": "COG-IDENTITY",
      "pattern": "(?i)IDENTITY\\.md",
      "title": "IDENTITY.md access",
      "severity": "CRITICAL",
      "confidence": 0.95,
      "tags": [
        "cognitive-tampering"
      ]
    }
    policies/guardrail/strict/rules/cognitive.yaml
  • MEMORY.md access [rule:cognitive-file]
    RECIPE-COG-MEMORY
    sensitive_access

    Pattern shipped in the bundled strict rule pack (cognitive.yaml). Severity HIGH.

    YAML
    {
      "id": "COG-MEMORY",
      "pattern": "(?i)MEMORY\\.md",
      "title": "MEMORY.md access",
      "severity": "HIGH",
      "confidence": 0.85,
      "tags": [
        "cognitive-tampering"
      ]
    }
    policies/guardrail/strict/rules/cognitive.yaml
  • CLAUDE.md access [rule:cognitive-file]
    RECIPE-COG-CLAUDE-MD
    sensitive_access

    Pattern shipped in the bundled strict rule pack (cognitive.yaml). Severity HIGH.

    YAML
    {
      "id": "COG-CLAUDE-MD",
      "pattern": "(?i)CLAUDE\\.md",
      "title": "CLAUDE.md access",
      "severity": "HIGH",
      "confidence": 0.85,
      "tags": [
        "cognitive-tampering"
      ]
    }
    policies/guardrail/strict/rules/cognitive.yaml
  • TOOLS.md access [rule:cognitive-file]
    RECIPE-COG-TOOLS-MD
    sensitive_access

    Pattern shipped in the bundled strict rule pack (cognitive.yaml). Severity HIGH.

    YAML
    {
      "id": "COG-TOOLS-MD",
      "pattern": "(?i)TOOLS\\.md",
      "title": "TOOLS.md access",
      "severity": "HIGH",
      "confidence": 0.8,
      "tags": [
        "cognitive-tampering"
      ]
    }
    policies/guardrail/strict/rules/cognitive.yaml
  • AGENTS.md access [rule:cognitive-file]
    RECIPE-COG-AGENTS-MD
    sensitive_access

    Pattern shipped in the bundled strict rule pack (cognitive.yaml). Severity HIGH.

    YAML
    {
      "id": "COG-AGENTS-MD",
      "pattern": "(?i)AGENTS\\.md",
      "title": "AGENTS.md access",
      "severity": "HIGH",
      "confidence": 0.8,
      "tags": [
        "cognitive-tampering"
      ]
    }
    policies/guardrail/strict/rules/cognitive.yaml
  • openclaw.json config access [rule:cognitive-file]
    RECIPE-COG-OPENCLAW-JSON
    sensitive_access

    Pattern shipped in the bundled strict rule pack (cognitive.yaml). Severity HIGH.

    YAML
    {
      "id": "COG-OPENCLAW-JSON",
      "pattern": "(?i)openclaw\\.json",
      "title": "openclaw.json config access",
      "severity": "HIGH",
      "confidence": 0.8,
      "tags": [
        "cognitive-tampering"
      ]
    }
    policies/guardrail/strict/rules/cognitive.yaml
  • gateway.json config access [rule:cognitive-file]
    RECIPE-COG-GATEWAY-JSON
    sensitive_access

    Pattern shipped in the bundled strict rule pack (cognitive.yaml). Severity HIGH.

    YAML
    {
      "id": "COG-GATEWAY-JSON",
      "pattern": "(?i)gateway\\.json",
      "title": "gateway.json config access",
      "severity": "HIGH",
      "confidence": 0.8,
      "tags": [
        "cognitive-tampering"
      ]
    }
    policies/guardrail/strict/rules/cognitive.yaml
  • Bash reverse shell [rule:command]
    RECIPE-CMD-REVSHELL-BASH

    Pattern shipped in the bundled strict rule pack (commands.yaml). Severity CRITICAL.

    YAML
    {
      "id": "CMD-REVSHELL-BASH",
      "pattern": "(?i)bash\\s+-i\\s+>&\\s*/dev/tcp/",
      "title": "Bash reverse shell",
      "severity": "CRITICAL",
      "confidence": 0.98,
      "tags": [
        "execution",
        "reverse-shell"
      ]
    }
    policies/guardrail/strict/rules/commands.yaml
  • Reverse shell via /dev/tcp [rule:command]
    RECIPE-CMD-REVSHELL-DEVTCP

    Pattern shipped in the bundled strict rule pack (commands.yaml). Severity CRITICAL.

    YAML
    {
      "id": "CMD-REVSHELL-DEVTCP",
      "pattern": "/dev/tcp/(?:\\d{1,3}\\.\\d{1,3}|[A-Za-z0-9-]+(?:\\.[A-Za-z0-9-]+)+)/\\d+\\b",
      "title": "Reverse shell via /dev/tcp",
      "severity": "CRITICAL",
      "confidence": 0.95,
      "tags": [
        "execution",
        "reverse-shell"
      ]
    }
    policies/guardrail/strict/rules/commands.yaml
  • Netcat reverse shell with -e [rule:command]
    RECIPE-CMD-REVSHELL-NC

    Pattern shipped in the bundled strict rule pack (commands.yaml). Severity CRITICAL.

    YAML
    {
      "id": "CMD-REVSHELL-NC",
      "pattern": "(?i)\\b(?:nc|ncat|netcat)\\b\\s+(?:(?:-[a-zA-Z]*\\s+)*\\S+\\s+\\d+\\s*(?:-e|--exec)\\b|(?:-[a-zA-Z]*\\s+)*(?:-e|--exec)\\s+\\S+\\s+\\S+\\s+\\d+\\b)",
      "title": "Netcat reverse shell with -e",
      "severity": "CRITICAL",
      "confidence": 0.95,
      "tags": [
        "execution",
        "reverse-shell"
      ]
    }
    policies/guardrail/strict/rules/commands.yaml
  • Python reverse shell [rule:command]
    RECIPE-CMD-REVSHELL-PYTHON

    Pattern shipped in the bundled strict rule pack (commands.yaml). Severity CRITICAL.

    YAML
    {
      "id": "CMD-REVSHELL-PYTHON",
      "pattern": "(?i)python[23]?\\s+-c\\s+.*socket.*connect",
      "title": "Python reverse shell",
      "severity": "CRITICAL",
      "confidence": 0.9,
      "tags": [
        "execution",
        "reverse-shell"
      ]
    }
    policies/guardrail/strict/rules/commands.yaml
  • curl piped to shell [rule:command]
    RECIPE-CMD-PIPE-CURL
    egress_external

    Pattern shipped in the bundled strict rule pack (commands.yaml). Severity CRITICAL.

    YAML
    {
      "id": "CMD-PIPE-CURL",
      "pattern": "(?i)\\bcurl\\b\\s+[^|]*\\|\\s*(?:[/\\w]+/)?(?:bash|zsh|sh)\\b",
      "title": "curl piped to shell",
      "severity": "CRITICAL",
      "confidence": 0.95,
      "tags": [
        "execution",
        "download-exec"
      ]
    }
    policies/guardrail/strict/rules/commands.yaml
  • wget piped to shell [rule:command]
    RECIPE-CMD-PIPE-WGET
    egress_external

    Pattern shipped in the bundled strict rule pack (commands.yaml). Severity CRITICAL.

    YAML
    {
      "id": "CMD-PIPE-WGET",
      "pattern": "(?i)\\bwget\\b\\s+[^|]*\\|\\s*(?:[/\\w]+/)?(?:bash|zsh|sh)\\b",
      "title": "wget piped to shell",
      "severity": "CRITICAL",
      "confidence": 0.95,
      "tags": [
        "execution",
        "download-exec"
      ]
    }
    policies/guardrail/strict/rules/commands.yaml
  • base64 decode piped to shell [rule:command]
    RECIPE-CMD-PIPE-BASE64

    Pattern shipped in the bundled strict rule pack (commands.yaml). Severity CRITICAL.

    YAML
    {
      "id": "CMD-PIPE-BASE64",
      "pattern": "(?i)base64\\s+(?:-[dD]|--decode)\\s*\\|\\s*(?:[/\\w]+/)?(?:bash|zsh|sh)\\b",
      "title": "base64 decode piped to shell",
      "severity": "CRITICAL",
      "confidence": 0.95,
      "tags": [
        "execution",
        "obfuscation"
      ]
    }
    policies/guardrail/strict/rules/commands.yaml
  • Shell eval with dynamic input [rule:command]
    RECIPE-CMD-EVAL

    Pattern shipped in the bundled strict rule pack (commands.yaml). Severity HIGH.

    YAML
    {
      "id": "CMD-EVAL",
      "pattern": "(?i)\\beval\\s+[\"'\\$\\(]",
      "title": "Shell eval with dynamic input",
      "severity": "HIGH",
      "confidence": 0.85,
      "tags": [
        "execution"
      ]
    }
    policies/guardrail/strict/rules/commands.yaml
  • Shell -c execution [rule:command]
    RECIPE-CMD-BASH-C

    Pattern shipped in the bundled strict rule pack (commands.yaml). Severity LOW.

    YAML
    {
      "id": "CMD-BASH-C",
      "pattern": "(?i)\\b(?:ba)?sh\\s+-c\\s+",
      "title": "Shell -c execution",
      "severity": "LOW",
      "confidence": 0.55,
      "tags": [
        "execution"
      ]
    }
    policies/guardrail/strict/rules/commands.yaml
  • Python inline execution [rule:command]
    RECIPE-CMD-PYTHON-C

    Pattern shipped in the bundled strict rule pack (commands.yaml). Severity LOW.

    YAML
    {
      "id": "CMD-PYTHON-C",
      "pattern": "(?i)\\bpython[23]?\\s+-c\\s+",
      "title": "Python inline execution",
      "severity": "LOW",
      "confidence": 0.55,
      "tags": [
        "execution"
      ]
    }
    policies/guardrail/strict/rules/commands.yaml
  • Perl inline execution [rule:command]
    RECIPE-CMD-PERL-E

    Pattern shipped in the bundled strict rule pack (commands.yaml). Severity LOW.

    YAML
    {
      "id": "CMD-PERL-E",
      "pattern": "(?i)\\bperl\\s+-e\\s+",
      "title": "Perl inline execution",
      "severity": "LOW",
      "confidence": 0.55,
      "tags": [
        "execution"
      ]
    }
    policies/guardrail/strict/rules/commands.yaml
  • Ruby inline execution [rule:command]
    RECIPE-CMD-RUBY-E

    Pattern shipped in the bundled strict rule pack (commands.yaml). Severity LOW.

    YAML
    {
      "id": "CMD-RUBY-E",
      "pattern": "(?i)\\bruby\\s+-e\\s+",
      "title": "Ruby inline execution",
      "severity": "LOW",
      "confidence": 0.55,
      "tags": [
        "execution"
      ]
    }
    policies/guardrail/strict/rules/commands.yaml
  • Recursive force delete from critical root path [rule:command]
    RECIPE-CMD-RM-RF

    Pattern shipped in the bundled strict rule pack (commands.yaml). Severity CRITICAL.

    YAML
    {
      "id": "CMD-RM-RF",
      "pattern": "(?i)\\brm\\s+(?:-[a-zA-Z]*\\s+)*(?:-[a-zA-Z]*)?(?:r[a-zA-Z]*f|f[a-zA-Z]*r)\\b(?:\\s+\\S+)*\\s+/(?:$|[\"'\\s,}\\]]|(?:etc|bin|sbin|usr|var|home|root|opt|boot|lib(?:64)?|srv|mnt|dev|proc|sys)(?:$|/|[\"'\\s,}\\]]))",
      "title": "Recursive force delete from critical root path",
      "severity": "CRITICAL",
      "confidence": 0.95,
      "tags": [
        "destructive"
      ]
    }
    policies/guardrail/strict/rules/commands.yaml
  • Filesystem format command [rule:command]
    RECIPE-CMD-MKFS

    Pattern shipped in the bundled strict rule pack (commands.yaml). Severity CRITICAL.

    YAML
    {
      "id": "CMD-MKFS",
      "pattern": "(?i)\\bmkfs\\b",
      "title": "Filesystem format command",
      "severity": "CRITICAL",
      "confidence": 0.9,
      "tags": [
        "destructive"
      ]
    }
    policies/guardrail/strict/rules/commands.yaml
  • dd disk write [rule:command]
    RECIPE-CMD-DD-IF

    Pattern shipped in the bundled strict rule pack (commands.yaml). Severity HIGH.

    YAML
    {
      "id": "CMD-DD-IF",
      "pattern": "(?i)\\bdd\\s+if=",
      "title": "dd disk write",
      "severity": "HIGH",
      "confidence": 0.8,
      "tags": [
        "destructive"
      ]
    }
    policies/guardrail/strict/rules/commands.yaml
  • chmod world-writable [rule:command]
    RECIPE-CMD-CHMOD-WORLD

    Pattern shipped in the bundled strict rule pack (commands.yaml). Severity HIGH.

    YAML
    {
      "id": "CMD-CHMOD-WORLD",
      "pattern": "(?i)\\bchmod\\s+[0-7]*[0-7][0-7][2367]\\s",
      "title": "chmod world-writable",
      "severity": "HIGH",
      "confidence": 0.8,
      "tags": [
        "privilege"
      ]
    }
    policies/guardrail/strict/rules/commands.yaml
  • chown to root [rule:command]
    RECIPE-CMD-CHOWN-ROOT

    Pattern shipped in the bundled strict rule pack (commands.yaml). Severity HIGH.

    YAML
    {
      "id": "CMD-CHOWN-ROOT",
      "pattern": "(?i)\\bchown\\s+root\\b",
      "title": "chown to root",
      "severity": "HIGH",
      "confidence": 0.75,
      "tags": [
        "privilege"
      ]
    }
    policies/guardrail/strict/rules/commands.yaml
  • sudo invocation [rule:command]
    RECIPE-CMD-SUDO

    Pattern shipped in the bundled strict rule pack (commands.yaml). Severity LOW.

    YAML
    {
      "id": "CMD-SUDO",
      "pattern": "(?i)\\bsudo\\s+",
      "title": "sudo invocation",
      "severity": "LOW",
      "confidence": 0.5,
      "tags": [
        "privilege"
      ]
    }
    policies/guardrail/strict/rules/commands.yaml
  • Write redirect to /etc/ [rule:command]
    RECIPE-CMD-ETC-WRITE

    Pattern shipped in the bundled strict rule pack (commands.yaml). Severity CRITICAL.

    YAML
    {
      "id": "CMD-ETC-WRITE",
      "pattern": "(?i)>\\s*/etc/",
      "title": "Write redirect to /etc/",
      "severity": "CRITICAL",
      "confidence": 0.9,
      "tags": [
        "system-file"
      ]
    }
    policies/guardrail/strict/rules/commands.yaml
  • Crontab modification [rule:command]
    RECIPE-CMD-CRONTAB

    Pattern shipped in the bundled strict rule pack (commands.yaml). Severity HIGH.

    YAML
    {
      "id": "CMD-CRONTAB",
      "pattern": "(?i)\\bcrontab\\s+(?:-[a-zA-Z]\\s+)*(?:-e|-r|-l|/|['\"<>|])",
      "title": "Crontab modification",
      "severity": "HIGH",
      "confidence": 0.75,
      "tags": [
        "persistence"
      ]
    }
    policies/guardrail/strict/rules/commands.yaml
  • Suspicious systemd persistence enablement [rule:command]
    RECIPE-CMD-SYSTEMCTL

    Pattern shipped in the bundled strict rule pack (commands.yaml). Severity CRITICAL.

    YAML
    {
      "id": "CMD-SYSTEMCTL",
      "pattern": "(?i)\\bsystemctl\\s+enable\\b(?:\\s+--now\\b)?\\s+\\S*(?:backdoor|payload|persist|reverse|shell|evil)\\S*(?:\\.service)?\\b",
      "title": "Suspicious systemd persistence enablement",
      "severity": "CRITICAL",
      "confidence": 0.82,
      "tags": [
        "persistence"
      ]
    }
    policies/guardrail/strict/rules/commands.yaml
  • Netcat listener [rule:command]
    RECIPE-CMD-NETCAT-LISTEN

    Pattern shipped in the bundled strict rule pack (commands.yaml). Severity HIGH.

    YAML
    {
      "id": "CMD-NETCAT-LISTEN",
      "pattern": "(?i)\\b(?:nc|ncat|netcat)\\b\\s+(?:-[a-zA-Z]*)*-?l",
      "title": "Netcat listener",
      "severity": "HIGH",
      "confidence": 0.85,
      "tags": [
        "network",
        "reverse-shell"
      ]
    }
    policies/guardrail/strict/rules/commands.yaml
  • curl file upload [rule:command]
    RECIPE-CMD-CURL-UPLOAD
    egress_external

    Pattern shipped in the bundled strict rule pack (commands.yaml). Severity HIGH.

    YAML
    {
      "id": "CMD-CURL-UPLOAD",
      "pattern": "(?i)\\bcurl\\b\\s+.*(?:--upload-file|-T\\s|--data\\s+@|-F\\s+.*=@)",
      "title": "curl file upload",
      "severity": "HIGH",
      "confidence": 0.85,
      "tags": [
        "network",
        "exfiltration"
      ]
    }
    policies/guardrail/strict/rules/commands.yaml
  • wget POST data exfil [rule:command]
    RECIPE-CMD-WGET-POST
    egress_external

    Pattern shipped in the bundled strict rule pack (commands.yaml). Severity HIGH.

    YAML
    {
      "id": "CMD-WGET-POST",
      "pattern": "(?i)\\bwget\\b\\s+.*--post-(?:data|file)",
      "title": "wget POST data exfil",
      "severity": "HIGH",
      "confidence": 0.85,
      "tags": [
        "network",
        "exfiltration"
      ]
    }
    policies/guardrail/strict/rules/commands.yaml
  • socat with EXEC (reverse shell) [rule:command]
    RECIPE-CMD-SOCAT-EXEC

    Pattern shipped in the bundled strict rule pack (commands.yaml). Severity CRITICAL.

    YAML
    {
      "id": "CMD-SOCAT-EXEC",
      "pattern": "(?i)\\bsocat\\b\\s+.*\\bEXEC\\b",
      "title": "socat with EXEC (reverse shell)",
      "severity": "CRITICAL",
      "confidence": 0.95,
      "tags": [
        "execution",
        "reverse-shell"
      ]
    }
    policies/guardrail/strict/rules/commands.yaml
  • Environment variable dump [rule:command]
    RECIPE-CMD-ENV-DUMP
    sensitive_access

    Pattern shipped in the bundled strict rule pack (commands.yaml). Severity HIGH.

    YAML
    {
      "id": "CMD-ENV-DUMP",
      "pattern": "(?:^|[^A-Za-z0-9_./-])(?:env|printenv|export\\s+-p)\\b",
      "title": "Environment variable dump",
      "severity": "HIGH",
      "confidence": 0.8,
      "tags": [
        "credential"
      ]
    }
    policies/guardrail/strict/rules/commands.yaml
  • US Social Security Number [rule:enterprise-data]
    RECIPE-ENT-BULK-SSN
    sensitive_access

    Pattern shipped in the bundled strict rule pack (enterprise-data.yaml). Severity CRITICAL.

    YAML
    {
      "id": "ENT-BULK-SSN",
      "pattern": "\\b\\d{3}-\\d{2}-\\d{4}\\b",
      "title": "US Social Security Number",
      "severity": "CRITICAL",
      "confidence": 0.85,
      "tags": [
        "pii",
        "regulated"
      ]
    }
    policies/guardrail/strict/rules/enterprise-data.yaml
  • US SSN (no hyphens) [rule:enterprise-data]
    RECIPE-ENT-BULK-SSN-NOHYPHEN
    sensitive_access

    Pattern shipped in the bundled strict rule pack (enterprise-data.yaml). Severity HIGH.

    YAML
    {
      "id": "ENT-BULK-SSN-NOHYPHEN",
      "pattern": "\\b(?:00[1-9]|0[1-9][0-9]|[1-5][0-9]{2}|6[0-5][0-9]|66[0-5]|66[7-9]|6[7-9][0-9]|[78][0-9]{2})(?:0[1-9]|[1-9][0-9])(?:000[1-9]|00[1-9][0-9]|0[1-9][0-9]{2}|[1-9][0-9]{3})\\b",
      "title": "US SSN (no hyphens)",
      "severity": "HIGH",
      "confidence": 0.55,
      "tags": [
        "pii",
        "regulated"
      ]
    }
    policies/guardrail/strict/rules/enterprise-data.yaml
  • Visa credit card number [rule:enterprise-data]
    RECIPE-ENT-CC-VISA
    sensitive_access

    Pattern shipped in the bundled strict rule pack (enterprise-data.yaml). Severity CRITICAL.

    YAML
    {
      "id": "ENT-CC-VISA",
      "pattern": "\\b4\\d{3}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b",
      "title": "Visa credit card number",
      "severity": "CRITICAL",
      "confidence": 0.8,
      "tags": [
        "pii",
        "pci"
      ]
    }
    policies/guardrail/strict/rules/enterprise-data.yaml
  • Mastercard credit card number [rule:enterprise-data]
    RECIPE-ENT-CC-MC
    sensitive_access

    Pattern shipped in the bundled strict rule pack (enterprise-data.yaml). Severity CRITICAL.

    YAML
    {
      "id": "ENT-CC-MC",
      "pattern": "\\b5[1-5]\\d{2}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b",
      "title": "Mastercard credit card number",
      "severity": "CRITICAL",
      "confidence": 0.8,
      "tags": [
        "pii",
        "pci"
      ]
    }
    policies/guardrail/strict/rules/enterprise-data.yaml
  • American Express card number [rule:enterprise-data]
    RECIPE-ENT-CC-AMEX
    sensitive_access

    Pattern shipped in the bundled strict rule pack (enterprise-data.yaml). Severity CRITICAL.

    YAML
    {
      "id": "ENT-CC-AMEX",
      "pattern": "\\b3[47]\\d{2}[\\s-]?\\d{6}[\\s-]?\\d{5}\\b",
      "title": "American Express card number",
      "severity": "CRITICAL",
      "confidence": 0.8,
      "tags": [
        "pii",
        "pci"
      ]
    }
    policies/guardrail/strict/rules/enterprise-data.yaml
  • Discover card number [rule:enterprise-data]
    RECIPE-ENT-CC-DISCOVER
    sensitive_access

    Pattern shipped in the bundled strict rule pack (enterprise-data.yaml). Severity CRITICAL.

    YAML
    {
      "id": "ENT-CC-DISCOVER",
      "pattern": "\\b6(?:011|5\\d{2})[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b",
      "title": "Discover card number",
      "severity": "CRITICAL",
      "confidence": 0.8,
      "tags": [
        "pii",
        "pci"
      ]
    }
    policies/guardrail/strict/rules/enterprise-data.yaml
  • International Bank Account Number (IBAN) [rule:enterprise-data]
    RECIPE-ENT-IBAN
    sensitive_access

    Pattern shipped in the bundled strict rule pack (enterprise-data.yaml). Severity HIGH.

    YAML
    {
      "id": "ENT-IBAN",
      "pattern": "\\b[A-Z]{2}\\d{2}[\\s]?[\\dA-Z]{4}[\\s]?(?:[\\dA-Z]{4}[\\s]?){1,7}[\\dA-Z]{1,4}\\b",
      "title": "International Bank Account Number (IBAN)",
      "severity": "HIGH",
      "confidence": 0.75,
      "tags": [
        "pii",
        "financial"
      ]
    }
    policies/guardrail/strict/rules/enterprise-data.yaml
  • US phone number [rule:enterprise-data]
    RECIPE-ENT-US-PHONE
    sensitive_access

    Pattern shipped in the bundled strict rule pack (enterprise-data.yaml). Severity MEDIUM.

    YAML
    {
      "id": "ENT-US-PHONE",
      "pattern": "\\b(?:\\+1[\\s.-]?)?(?:\\(?\\d{3}\\)?[\\s.-]?)\\d{3}[\\s.-]?\\d{4}\\b",
      "title": "US phone number",
      "severity": "MEDIUM",
      "confidence": 0.5,
      "tags": [
        "pii"
      ]
    }
    policies/guardrail/strict/rules/enterprise-data.yaml
  • Email address [rule:enterprise-data]
    RECIPE-ENT-EMAIL-BULK
    sensitive_access

    Pattern shipped in the bundled strict rule pack (enterprise-data.yaml). Severity MEDIUM.

    YAML
    {
      "id": "ENT-EMAIL-BULK",
      "pattern": "(?i)\\b[a-z0-9._%+\\-]+@[a-z0-9.\\-]+\\.[a-z]{2,}\\b",
      "title": "Email address",
      "severity": "MEDIUM",
      "confidence": 0.4,
      "tags": [
        "pii"
      ]
    }
    policies/guardrail/strict/rules/enterprise-data.yaml
  • US passport number pattern [rule:enterprise-data]
    RECIPE-ENT-PASSPORT-US
    sensitive_access

    Pattern shipped in the bundled strict rule pack (enterprise-data.yaml). Severity HIGH.

    YAML
    {
      "id": "ENT-PASSPORT-US",
      "pattern": "\\b[A-Z]\\d{8}\\b",
      "title": "US passport number pattern",
      "severity": "HIGH",
      "confidence": 0.5,
      "tags": [
        "pii",
        "regulated"
      ]
    }
    policies/guardrail/strict/rules/enterprise-data.yaml
  • California drivers license pattern [rule:enterprise-data]
    RECIPE-ENT-DL-CA
    sensitive_access

    Pattern shipped in the bundled strict rule pack (enterprise-data.yaml). Severity HIGH.

    YAML
    {
      "id": "ENT-DL-CA",
      "pattern": "\\b[A-Z]\\d{7}\\b",
      "title": "California drivers license pattern",
      "severity": "HIGH",
      "confidence": 0.4,
      "tags": [
        "pii",
        "regulated"
      ]
    }
    policies/guardrail/strict/rules/enterprise-data.yaml
  • Medical record number [rule:enterprise-data]
    RECIPE-ENT-MEDICAL-RECORD
    sensitive_access

    Pattern shipped in the bundled strict rule pack (enterprise-data.yaml). Severity CRITICAL.

    YAML
    {
      "id": "ENT-MEDICAL-RECORD",
      "pattern": "(?i)\\b(?:mrn|medical record|patient id)\\s*[:#]?\\s*\\d{6,12}\\b",
      "title": "Medical record number",
      "severity": "CRITICAL",
      "confidence": 0.7,
      "tags": [
        "pii",
        "hipaa"
      ]
    }
    policies/guardrail/strict/rules/enterprise-data.yaml
  • Date of birth with label [rule:enterprise-data]
    RECIPE-ENT-DOB-PATTERN
    sensitive_access

    Pattern shipped in the bundled strict rule pack (enterprise-data.yaml). Severity HIGH.

    YAML
    {
      "id": "ENT-DOB-PATTERN",
      "pattern": "(?i)\\b(?:dob|date of birth|birth[\\s-]?date)\\s*[:#]?\\s*\\d{1,2}[/\\-]\\d{1,2}[/\\-]\\d{2,4}\\b",
      "title": "Date of birth with label",
      "severity": "HIGH",
      "confidence": 0.75,
      "tags": [
        "pii",
        "hipaa"
      ]
    }
    policies/guardrail/strict/rules/enterprise-data.yaml
  • UK NHS number pattern rule:enterprise-data
    RECIPE-ENT-NHS-NUMBER
    sensitive_access

    Pattern shipped in the bundled strict rule pack (enterprise-data.yaml). Severity HIGH.

    YAML
    {
      "id": "ENT-NHS-NUMBER",
      "pattern": "\\b\\d{3}[\\s]?\\d{3}[\\s]?\\d{4}\\b",
      "title": "UK NHS number pattern",
      "severity": "HIGH",
      "confidence": 0.4,
      "tags": [
        "pii",
        "regulated"
      ]
    }
    policies/guardrail/strict/rules/enterprise-data.yaml
  • CSV/TSV header with multiple PII columns rule:enterprise-data
    RECIPE-ENT-BULK-CSV-PII
    sensitive_access

    Pattern shipped in the bundled strict rule pack (enterprise-data.yaml). Severity HIGH.

    YAML
    {
      "id": "ENT-BULK-CSV-PII",
      "pattern": "(?i)(?:first[\\s_]?name|last[\\s_]?name|ssn|social[\\s_]?security|credit[\\s_]?card|card[\\s_]?number|account[\\s_]?number),.*(?:first[\\s_]?name|last[\\s_]?name|ssn|social[\\s_]?security|credit[\\s_]?card|card[\\s_]?number|account[\\s_]?number)",
      "title": "CSV/TSV header with multiple PII columns",
      "severity": "HIGH",
      "confidence": 0.8,
      "tags": [
        "pii",
        "bulk-data"
      ]
    }
    policies/guardrail/strict/rules/enterprise-data.yaml
  • JSON field with PII key rule:enterprise-data
    RECIPE-ENT-BULK-JSON-PII
    sensitive_access

    Pattern shipped in the bundled strict rule pack (enterprise-data.yaml). Severity HIGH.

    YAML
    {
      "id": "ENT-BULK-JSON-PII",
      "pattern": "(?i)\"(?:ssn|social_security|credit_card|card_number|account_number|routing_number)\"\\s*:\\s*\"",
      "title": "JSON field with PII key",
      "severity": "HIGH",
      "confidence": 0.75,
      "tags": [
        "pii",
        "bulk-data"
      ]
    }
    policies/guardrail/strict/rules/enterprise-data.yaml
  • AWS access key rule:secret
    RECIPE-SEC-AWS-KEY
    sensitive_access

    Pattern shipped in the bundled strict rule pack (secrets.yaml). Severity CRITICAL.

    examples (2)
    • AKIAIOSFODNN7EXAMPLE
    • ASIA1234567890ABCDEFGHIJ
    non-matches (3)
    • BANANAFRUITNOTAKEY
    • AKI
    • AKIAtoolow
    YAML
    {
      "id": "SEC-AWS-KEY",
      "pattern": "(?:AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[0-9A-Z]{16,}",
      "title": "AWS access key",
      "severity": "CRITICAL",
      "confidence": 0.95,
      "tags": [
        "credential"
      ]
    }
    policies/guardrail/strict/rules/secrets.yaml
  • AWS secret access key rule:secret
    RECIPE-SEC-AWS-SECRET
    sensitive_access

    Pattern shipped in the bundled strict rule pack (secrets.yaml). Severity CRITICAL.

    YAML
    {
      "id": "SEC-AWS-SECRET",
      "pattern": "(?i)aws_secret_access_key\\s*[=:]\\s*[A-Za-z0-9/+=]{30,}",
      "title": "AWS secret access key",
      "severity": "CRITICAL",
      "confidence": 0.9,
      "tags": [
        "credential"
      ]
    }
    policies/guardrail/strict/rules/secrets.yaml
  • Anthropic API key rule:secret
    RECIPE-SEC-ANTHROPIC
    sensitive_access

    Pattern shipped in the bundled strict rule pack (secrets.yaml). Severity CRITICAL.

    YAML
    {
      "id": "SEC-ANTHROPIC",
      "pattern": "sk-ant-[a-zA-Z0-9\\-_]{20,}",
      "title": "Anthropic API key",
      "severity": "CRITICAL",
      "confidence": 0.98,
      "tags": [
        "credential"
      ]
    }
    policies/guardrail/strict/rules/secrets.yaml
  • OpenAI project key rule:secret
    RECIPE-SEC-OPENAI
    sensitive_access

    Pattern shipped in the bundled strict rule pack (secrets.yaml). Severity CRITICAL.

    YAML
    {
      "id": "SEC-OPENAI",
      "pattern": "sk-proj-[a-zA-Z0-9]{20,}",
      "title": "OpenAI project key",
      "severity": "CRITICAL",
      "confidence": 0.95,
      "tags": [
        "credential"
      ]
    }
    policies/guardrail/strict/rules/secrets.yaml
  • OpenAI API key (long form) rule:secret
    RECIPE-SEC-OPENAI-V2
    sensitive_access

    Pattern shipped in the bundled strict rule pack (secrets.yaml). Severity CRITICAL.

    examples (1)
    • sk-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    non-matches (2)
    • sk-tooshort
    • pk-livenotopenai
    YAML
    {
      "id": "SEC-OPENAI-V2",
      "pattern": "sk-[a-zA-Z0-9]{40,}",
      "title": "OpenAI API key (long form)",
      "severity": "CRITICAL",
      "confidence": 0.85,
      "tags": [
        "credential"
      ]
    }
    policies/guardrail/strict/rules/secrets.yaml
  • Stripe key rule:secret
    RECIPE-SEC-STRIPE
    sensitive_access

    Pattern shipped in the bundled strict rule pack (secrets.yaml). Severity CRITICAL.

    YAML
    {
      "id": "SEC-STRIPE",
      "pattern": "(?:sk_live_|pk_live_|sk_test_|pk_test_|rk_live_|rk_test_)[a-zA-Z0-9]{20,}",
      "title": "Stripe key",
      "severity": "CRITICAL",
      "confidence": 0.95,
      "tags": [
        "credential"
      ]
    }
    policies/guardrail/strict/rules/secrets.yaml
  • GitHub token rule:secret
    RECIPE-SEC-GITHUB-TOKEN
    sensitive_access

    Pattern shipped in the bundled strict rule pack (secrets.yaml). Severity CRITICAL.

    examples (2)
    • ghp_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    • ghs_bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
    non-matches (2)
    • ghp_short
    • gh_notatoken
    YAML
    {
      "id": "SEC-GITHUB-TOKEN",
      "pattern": "(?:ghp_|gho_|ghu_|ghs_|ghr_)[a-zA-Z0-9]{36,}",
      "title": "GitHub token",
      "severity": "CRITICAL",
      "confidence": 0.95,
      "tags": [
        "credential"
      ]
    }
    policies/guardrail/strict/rules/secrets.yaml
  • GitHub fine-grained PAT rule:secret
    RECIPE-SEC-GITHUB-PAT
    sensitive_access

    Pattern shipped in the bundled strict rule pack (secrets.yaml). Severity CRITICAL.

    YAML
    {
      "id": "SEC-GITHUB-PAT",
      "pattern": "github_pat_[a-zA-Z0-9_]{22,}",
      "title": "GitHub fine-grained PAT",
      "severity": "CRITICAL",
      "confidence": 0.95,
      "tags": [
        "credential"
      ]
    }
    policies/guardrail/strict/rules/secrets.yaml
  • GitLab personal access token rule:secret
    RECIPE-SEC-GITLAB
    sensitive_access

    Pattern shipped in the bundled strict rule pack (secrets.yaml). Severity CRITICAL.

    YAML
    {
      "id": "SEC-GITLAB",
      "pattern": "glpat-[a-zA-Z0-9\\-_]{20,}",
      "title": "GitLab personal access token",
      "severity": "CRITICAL",
      "confidence": 0.95,
      "tags": [
        "credential"
      ]
    }
    policies/guardrail/strict/rules/secrets.yaml
  • Google API key rule:secret
    RECIPE-SEC-GOOGLE
    sensitive_access

    Pattern shipped in the bundled strict rule pack (secrets.yaml). Severity CRITICAL.

    YAML
    {
      "id": "SEC-GOOGLE",
      "pattern": "AIza[0-9A-Za-z\\-_]{35}",
      "title": "Google API key",
      "severity": "CRITICAL",
      "confidence": 0.9,
      "tags": [
        "credential"
      ]
    }
    policies/guardrail/strict/rules/secrets.yaml
  • Slack token rule:secret
    RECIPE-SEC-SLACK-TOKEN
    sensitive_access

    Pattern shipped in the bundled strict rule pack (secrets.yaml). Severity CRITICAL.

    YAML
    {
      "id": "SEC-SLACK-TOKEN",
      "pattern": "xox[bpors]-[0-9a-zA-Z\\-]{10,}",
      "title": "Slack token",
      "severity": "CRITICAL",
      "confidence": 0.9,
      "tags": [
        "credential"
      ]
    }
    policies/guardrail/strict/rules/secrets.yaml
  • Slack webhook URL rule:secret
    RECIPE-SEC-SLACK-WEBHOOK
    sensitive_access egress_external

    Pattern shipped in the bundled strict rule pack (secrets.yaml). Severity CRITICAL.

    examples (1)
    • https://hooks.slack.com/services/T0000/B0000/abcdefg12345
    non-matches (2)
    • https://hooks.slack.com/wrongpath
    • https://example.com
    YAML
    {
      "id": "SEC-SLACK-WEBHOOK",
      "pattern": "https://hooks\\.slack\\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[a-zA-Z0-9]+",
      "title": "Slack webhook URL",
      "severity": "CRITICAL",
      "confidence": 0.95,
      "tags": [
        "credential"
      ]
    }
    policies/guardrail/strict/rules/secrets.yaml
  • Discord webhook URL rule:secret
    RECIPE-SEC-DISCORD-WEBHOOK
    sensitive_access egress_external

    Pattern shipped in the bundled strict rule pack (secrets.yaml). Severity CRITICAL.

    YAML
    {
      "id": "SEC-DISCORD-WEBHOOK",
      "pattern": "https://discord(?:app)?\\.com/api/webhooks/\\d+/[a-zA-Z0-9_\\-]+",
      "title": "Discord webhook URL",
      "severity": "CRITICAL",
      "confidence": 0.95,
      "tags": [
        "credential"
      ]
    }
    policies/guardrail/strict/rules/secrets.yaml
  • Private key rule:secret
    RECIPE-SEC-PRIVKEY
    sensitive_access

    Pattern shipped in the bundled strict rule pack (secrets.yaml). Severity CRITICAL.

    examples (2)
    • -----BEGIN RSA PRIVATE KEY-----
    • -----BEGIN OPENSSH PRIVATE KEY-----
    non-matches (2)
    • -----BEGIN CERTIFICATE-----
    • BEGIN PRIVATE KEY without dashes
    YAML
    {
      "id": "SEC-PRIVKEY",
      "pattern": "-----BEGIN (?:RSA |EC |OPENSSH |PGP |DSA )?PRIVATE KEY-----",
      "title": "Private key",
      "severity": "CRITICAL",
      "confidence": 0.98,
      "tags": [
        "credential"
      ]
    }
    policies/guardrail/strict/rules/secrets.yaml
  • JWT token rule:secret
    RECIPE-SEC-JWT
    sensitive_access

    Pattern shipped in the bundled strict rule pack (secrets.yaml). Severity MEDIUM.

    examples (1)
    • eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.signature_here_xyz
    non-matches (2)
    • eyJonly
    • not.a.jwt
    YAML
    {
      "id": "SEC-JWT",
      "pattern": "eyJ[A-Za-z0-9\\-_]{10,}\\.eyJ[A-Za-z0-9\\-_]{10,}\\.[A-Za-z0-9\\-_.+/=]+",
      "title": "JWT token",
      "severity": "MEDIUM",
      "confidence": 0.7,
      "tags": [
        "credential"
      ]
    }
    policies/guardrail/strict/rules/secrets.yaml
  • Connection string with credentials rule:secret
    RECIPE-SEC-CONNSTR
    sensitive_access

    Pattern shipped in the bundled strict rule pack (secrets.yaml). Severity CRITICAL.

    YAML
    {
      "id": "SEC-CONNSTR",
      "pattern": "(?:mongodb|postgres|mysql|redis|amqp)://[^:\\s]+:[^@\\s]+@",
      "title": "Connection string with credentials",
      "severity": "CRITICAL",
      "confidence": 0.9,
      "tags": [
        "credential"
      ]
    }
    policies/guardrail/strict/rules/secrets.yaml
  • Bearer token in header rule:secret
    RECIPE-SEC-BEARER
    sensitive_access

    Pattern shipped in the bundled strict rule pack (secrets.yaml). Severity HIGH.

    YAML
    {
      "id": "SEC-BEARER",
      "pattern": "(?i)(?:authorization|bearer)\\s*[:=]\\s*Bearer\\s+[A-Za-z0-9\\-_.~+/]+=*",
      "title": "Bearer token in header",
      "severity": "HIGH",
      "confidence": 0.8,
      "tags": [
        "credential"
      ]
    }
    policies/guardrail/strict/rules/secrets.yaml
  • SendGrid API key rule:secret
    RECIPE-SEC-SENDGRID
    sensitive_access

    Pattern shipped in the bundled strict rule pack (secrets.yaml). Severity CRITICAL.

    YAML
    {
      "id": "SEC-SENDGRID",
      "pattern": "SG\\.[a-zA-Z0-9\\-_]{10,}\\.[a-zA-Z0-9\\-_]{10,}",
      "title": "SendGrid API key",
      "severity": "CRITICAL",
      "confidence": 0.95,
      "tags": [
        "credential"
      ]
    }
    policies/guardrail/strict/rules/secrets.yaml
  • Twilio API key rule:secret
    RECIPE-SEC-TWILIO
    sensitive_access

    Pattern shipped in the bundled strict rule pack (secrets.yaml). Severity HIGH.

    YAML
    {
      "id": "SEC-TWILIO",
      "pattern": "SK[0-9a-fA-F]{32}",
      "title": "Twilio API key",
      "severity": "HIGH",
      "confidence": 0.8,
      "tags": [
        "credential"
      ]
    }
    policies/guardrail/strict/rules/secrets.yaml
  • npm access token rule:secret
    RECIPE-SEC-NPM-TOKEN
    sensitive_access

    Pattern shipped in the bundled strict rule pack (secrets.yaml). Severity CRITICAL.

    YAML
    {
      "id": "SEC-NPM-TOKEN",
      "pattern": "npm_[a-zA-Z0-9]{36,}",
      "title": "npm access token",
      "severity": "CRITICAL",
      "confidence": 0.95,
      "tags": [
        "credential"
      ]
    }
    policies/guardrail/strict/rules/secrets.yaml
  • PyPI API token rule:secret
    RECIPE-SEC-PYPI-TOKEN
    sensitive_access

    Pattern shipped in the bundled strict rule pack (secrets.yaml). Severity CRITICAL.

    YAML
    {
      "id": "SEC-PYPI-TOKEN",
      "pattern": "pypi-[A-Za-z0-9\\-_]{50,}",
      "title": "PyPI API token",
      "severity": "CRITICAL",
      "confidence": 0.95,
      "tags": [
        "credential"
      ]
    }
    policies/guardrail/strict/rules/secrets.yaml
  • Hex-encoded secret in assignment rule:secret
    RECIPE-SEC-HEX-SECRET
    sensitive_access

    Pattern shipped in the bundled strict rule pack (secrets.yaml). Severity HIGH.

    YAML
    {
      "id": "SEC-HEX-SECRET",
      "pattern": "(?i)(?:secret(?:_key)?|api[_-]?key|access[_-]?token|auth[_-]?token)\\s*[=:]\\s*[\"'][a-f0-9]{32,}[\"']",
      "title": "Hex-encoded secret in assignment",
      "severity": "HIGH",
      "confidence": 0.72,
      "tags": [
        "credential"
      ]
    }
    policies/guardrail/strict/rules/secrets.yaml
  • SSH directory access rule:sensitive-path
    RECIPE-PATH-SSH-DIR
    sensitive_access

    Pattern shipped in the bundled strict rule pack (sensitive-paths.yaml). Severity HIGH.

    YAML
    {
      "id": "PATH-SSH-DIR",
      "pattern": "(?:~|\\$\\{?HOME\\}?|/home/\\w+|/root|/Users/\\w+)/\\.ssh/",
      "title": "SSH directory access",
      "severity": "HIGH",
      "confidence": 0.95,
      "tags": [
        "credential",
        "file-sensitive"
      ]
    }
    policies/guardrail/strict/rules/sensitive-paths.yaml
  • SSH private key file path rule:sensitive-path
    RECIPE-PATH-SSH-KEY
    sensitive_access

    Pattern shipped in the bundled strict rule pack (sensitive-paths.yaml). Severity CRITICAL.

    YAML
    {
      "id": "PATH-SSH-KEY",
      "pattern": "(?i)(?:^|[\\\\/])id_(?:rsa|ed25519|ecdsa|dsa)(?:$|[^A-Za-z0-9_.-])",
      "title": "SSH private key file path",
      "severity": "CRITICAL",
      "confidence": 0.9,
      "tags": [
        "credential",
        "file-sensitive"
      ]
    }
    policies/guardrail/strict/rules/sensitive-paths.yaml
  • AWS credentials file rule:sensitive-path
    RECIPE-PATH-AWS-CREDS
    sensitive_access

    Pattern shipped in the bundled strict rule pack (sensitive-paths.yaml). Severity CRITICAL.

    YAML
    {
      "id": "PATH-AWS-CREDS",
      "pattern": "(?:~|\\$\\{?HOME\\}?|/home/\\w+|/root|/Users/\\w+)/\\.aws/credentials",
      "title": "AWS credentials file",
      "severity": "CRITICAL",
      "confidence": 0.98,
      "tags": [
        "credential",
        "file-sensitive"
      ]
    }
    policies/guardrail/strict/rules/sensitive-paths.yaml
  • AWS config file rule:sensitive-path
    RECIPE-PATH-AWS-CONFIG
    sensitive_access

    Pattern shipped in the bundled strict rule pack (sensitive-paths.yaml). Severity HIGH.

    YAML
    {
      "id": "PATH-AWS-CONFIG",
      "pattern": "(?:~|\\$\\{?HOME\\}?|/home/\\w+|/root|/Users/\\w+)/\\.aws/config",
      "title": "AWS config file",
      "severity": "HIGH",
      "confidence": 0.85,
      "tags": [
        "credential",
        "file-sensitive"
      ]
    }
    policies/guardrail/strict/rules/sensitive-paths.yaml
  • Kubernetes config rule:sensitive-path
    RECIPE-PATH-KUBE
    sensitive_access

    Pattern shipped in the bundled strict rule pack (sensitive-paths.yaml). Severity HIGH.

    YAML
    {
      "id": "PATH-KUBE",
      "pattern": "(?:~|\\$\\{?HOME\\}?|/home/\\w+|/root|/Users/\\w+)/\\.kube/config",
      "title": "Kubernetes config",
      "severity": "HIGH",
      "confidence": 0.9,
      "tags": [
        "credential",
        "file-sensitive"
      ]
    }
    policies/guardrail/strict/rules/sensitive-paths.yaml
  • Docker config rule:sensitive-path
    RECIPE-PATH-DOCKER
    sensitive_access

    Pattern shipped in the bundled strict rule pack (sensitive-paths.yaml). Severity HIGH.

    YAML
    {
      "id": "PATH-DOCKER",
      "pattern": "(?:~|\\$\\{?HOME\\}?|/home/\\w+|/root|/Users/\\w+)/\\.docker/config\\.json",
      "title": "Docker config",
      "severity": "HIGH",
      "confidence": 0.9,
      "tags": [
        "credential",
        "file-sensitive"
      ]
    }
    policies/guardrail/strict/rules/sensitive-paths.yaml
  • GPG keyring access rule:sensitive-path
    RECIPE-PATH-GNUPG
    sensitive_access

    Pattern shipped in the bundled strict rule pack (sensitive-paths.yaml). Severity HIGH.

    YAML
    {
      "id": "PATH-GNUPG",
      "pattern": "(?:~|\\$\\{?HOME\\}?|/home/\\w+|/root|/Users/\\w+)/\\.gnupg/",
      "title": "GPG keyring access",
      "severity": "HIGH",
      "confidence": 0.95,
      "tags": [
        "credential",
        "file-sensitive"
      ]
    }
    policies/guardrail/strict/rules/sensitive-paths.yaml
  • npm config (may contain tokens) rule:sensitive-path
    RECIPE-PATH-NPMRC
    sensitive_access

    Pattern shipped in the bundled strict rule pack (sensitive-paths.yaml). Severity MEDIUM.

    YAML
    {
      "id": "PATH-NPMRC",
      "pattern": "(?:~|\\$\\{?HOME\\}?|/home/\\w+|/root|/Users/\\w+)/\\.npmrc",
      "title": "npm config (may contain tokens)",
      "severity": "MEDIUM",
      "confidence": 0.8,
      "tags": [
        "credential",
        "file-sensitive"
      ]
    }
    policies/guardrail/strict/rules/sensitive-paths.yaml
  • PyPI config (may contain tokens) rule:sensitive-path
    RECIPE-PATH-PYPIRC
    sensitive_access

    Pattern shipped in the bundled strict rule pack (sensitive-paths.yaml). Severity MEDIUM.

    YAML
    {
      "id": "PATH-PYPIRC",
      "pattern": "(?:~|\\$\\{?HOME\\}?|/home/\\w+|/root|/Users/\\w+)/\\.pypirc",
      "title": "PyPI config (may contain tokens)",
      "severity": "MEDIUM",
      "confidence": 0.8,
      "tags": [
        "credential",
        "file-sensitive"
      ]
    }
    policies/guardrail/strict/rules/sensitive-paths.yaml
  • Git credentials file rule:sensitive-path
    RECIPE-PATH-GIT-CREDS
    sensitive_access

    Pattern shipped in the bundled strict rule pack (sensitive-paths.yaml). Severity CRITICAL.

    YAML
    {
      "id": "PATH-GIT-CREDS",
      "pattern": "(?:~|\\$\\{?HOME\\}?|/home/\\w+|/root|/Users/\\w+)/\\.git-credentials",
      "title": "Git credentials file",
      "severity": "CRITICAL",
      "confidence": 0.95,
      "tags": [
        "credential",
        "file-sensitive"
      ]
    }
    policies/guardrail/strict/rules/sensitive-paths.yaml
  • netrc credentials file rule:sensitive-path
    RECIPE-PATH-NETRC
    sensitive_access

    Pattern shipped in the bundled strict rule pack (sensitive-paths.yaml). Severity CRITICAL.

    YAML
    {
      "id": "PATH-NETRC",
      "pattern": "(?:~|\\$\\{?HOME\\}?|/home/\\w+|/root|/Users/\\w+)/\\.netrc",
      "title": "netrc credentials file",
      "severity": "CRITICAL",
      "confidence": 0.9,
      "tags": [
        "credential",
        "file-sensitive"
      ]
    }
    policies/guardrail/strict/rules/sensitive-paths.yaml
  • Environment file rule:sensitive-path
    RECIPE-PATH-ENV-FILE
    sensitive_access

    Pattern shipped in the bundled strict rule pack (sensitive-paths.yaml). Severity HIGH.

    YAML
    {
      "id": "PATH-ENV-FILE",
      "pattern": "(?:^|[\\s/])\\.env(?:\\.(?:local|production|staging|development))?\\s*[\"'\\s,;\\]})]*$|(?:^|[\\s/])\\.env(?:\\.(?:local|production|staging|development))?[\"'\\s,;\\]})]",
      "title": "Environment file",
      "severity": "HIGH",
      "confidence": 0.85,
      "tags": [
        "credential",
        "file-sensitive"
      ]
    }
    policies/guardrail/strict/rules/sensitive-paths.yaml
  • /etc/passwd access rule:sensitive-path
    RECIPE-PATH-ETC-PASSWD
    sensitive_access

    Pattern shipped in the bundled strict rule pack (sensitive-paths.yaml). Severity HIGH.

    YAML
    {
      "id": "PATH-ETC-PASSWD",
      "pattern": "(?i)(?:\\betc[\\s/\\\\]+(?:slash[\\s]+)?pas{1,4}wd\\b|\\betc%2Fpas{1,4}wd\\b)",
      "title": "/etc/passwd access",
      "severity": "HIGH",
      "confidence": 0.9,
      "tags": [
        "system-file"
      ]
    }
    policies/guardrail/strict/rules/sensitive-paths.yaml
  • /etc/shadow access rule:sensitive-path
    RECIPE-PATH-ETC-SHADOW
    sensitive_access

    Pattern shipped in the bundled strict rule pack (sensitive-paths.yaml). Severity CRITICAL.

    YAML
    {
      "id": "PATH-ETC-SHADOW",
      "pattern": "(?i)(?:\\betc[\\s/\\\\]+(?:slash[\\s]+)?shadow\\b|\\betc%2Fshadow\\b)",
      "title": "/etc/shadow access",
      "severity": "CRITICAL",
      "confidence": 0.95,
      "tags": [
        "system-file",
        "credential"
      ]
    }
    policies/guardrail/strict/rules/sensitive-paths.yaml
  • /etc/sudoers access rule:sensitive-path
    RECIPE-PATH-ETC-SUDOERS
    sensitive_access

    Pattern shipped in the bundled strict rule pack (sensitive-paths.yaml). Severity HIGH.

    YAML
    {
      "id": "PATH-ETC-SUDOERS",
      "pattern": "(?i)(?:\\betc[\\s/\\\\]+(?:slash[\\s]+)?sudoers\\b|\\betc%2Fsudoers\\b)",
      "title": "/etc/sudoers access",
      "severity": "HIGH",
      "confidence": 0.9,
      "tags": [
        "system-file",
        "privilege"
      ]
    }
    policies/guardrail/strict/rules/sensitive-paths.yaml
  • /proc environ access rule:sensitive-path
    RECIPE-PATH-PROC-ENVIRON
    sensitive_access

    Pattern shipped in the bundled strict rule pack (sensitive-paths.yaml). Severity CRITICAL.

    YAML
    {
      "id": "PATH-PROC-ENVIRON",
      "pattern": "/proc/(?:\\d+|self)/environ",
      "title": "/proc environ access",
      "severity": "CRITICAL",
      "confidence": 0.9,
      "tags": [
        "credential"
      ]
    }
    policies/guardrail/strict/rules/sensitive-paths.yaml
  • Shell history file rule:sensitive-path
    RECIPE-PATH-HISTORY
    sensitive_access

    Pattern shipped in the bundled strict rule pack (sensitive-paths.yaml). Severity MEDIUM.

    YAML
    {
      "id": "PATH-HISTORY",
      "pattern": "(?:~|\\$\\{?HOME\\}?|/home/\\w+|/root|/Users/\\w+)/\\.(?:bash_history|zsh_history|python_history)",
      "title": "Shell history file",
      "severity": "MEDIUM",
      "confidence": 0.8,
      "tags": [
        "credential",
        "file-sensitive"
      ]
    }
    policies/guardrail/strict/rules/sensitive-paths.yaml
  • Authority claim in tool args rule:trust-exploit
    RECIPE-TRUST-AUTHORITY
    ingress_untrusted

    Pattern shipped in the bundled strict rule pack (trust-exploit.yaml). Severity HIGH.

    YAML
    {
      "id": "TRUST-AUTHORITY",
      "pattern": "(?i)(?:i am|i'm)\\s+(?:your|the)\\s+(?:creator|developer|admin|owner|operator)",
      "title": "Authority claim in tool args",
      "severity": "HIGH",
      "confidence": 0.85,
      "tags": [
        "prompt-injection"
      ]
    }
    policies/guardrail/strict/rules/trust-exploit.yaml
  • Fake mode activation rule:trust-exploit
    RECIPE-TRUST-MAINTENANCE
    ingress_untrusted

    Pattern shipped in the bundled strict rule pack (trust-exploit.yaml). Severity HIGH.

    YAML
    {
      "id": "TRUST-MAINTENANCE",
      "pattern": "(?i)(?:maintenance|debug|admin|developer)\\s+mode\\s+(?:enabled|activated|on)",
      "title": "Fake mode activation",
      "severity": "HIGH",
      "confidence": 0.85,
      "tags": [
        "prompt-injection"
      ]
    }
    policies/guardrail/strict/rules/trust-exploit.yaml
  • Safety override attempt rule:trust-exploit
    RECIPE-TRUST-SAFETY-OVERRIDE
    ingress_untrusted

    Pattern shipped in the bundled strict rule pack (trust-exploit.yaml). Severity CRITICAL.

    YAML
    {
      "id": "TRUST-SAFETY-OVERRIDE",
      "pattern": "(?i)(?:safety|guardrail|filter|restriction)\\s+(?:override|bypass|disable|turn\\s+off|remove)",
      "title": "Safety override attempt",
      "severity": "CRITICAL",
      "confidence": 0.9,
      "tags": [
        "prompt-injection"
      ]
    }
    policies/guardrail/strict/rules/trust-exploit.yaml
  • Fake instruction update rule:trust-exploit
    RECIPE-TRUST-NEW-INSTRUCTIONS
    ingress_untrusted

    Pattern shipped in the bundled strict rule pack (trust-exploit.yaml). Severity HIGH.

    YAML
    {
      "id": "TRUST-NEW-INSTRUCTIONS",
      "pattern": "(?i)(?:your|new|updated)\\s+(?:instructions|system\\s+prompt|rules)\\s+(?:have\\s+changed|are|say)",
      "title": "Fake instruction update",
      "severity": "HIGH",
      "confidence": 0.85,
      "tags": [
        "prompt-injection"
      ]
    }
    policies/guardrail/strict/rules/trust-exploit.yaml
  • Ignore previous instructions rule:trust-exploit
    RECIPE-TRUST-IGNORE-PREVIOUS
    ingress_untrusted

    Pattern shipped in the bundled strict rule pack (trust-exploit.yaml). Severity CRITICAL.

    YAML
    {
      "id": "TRUST-IGNORE-PREVIOUS",
      "pattern": "(?i)ignore\\s+(?:all\\s+)?(?:previous|prior|above|earlier)\\s+(?:instructions|rules|guidelines|context)",
      "title": "Ignore previous instructions",
      "severity": "CRITICAL",
      "confidence": 0.9,
      "tags": [
        "prompt-injection"
      ]
    }
    policies/guardrail/strict/rules/trust-exploit.yaml
  • Disregard instructions rule:trust-exploit
    RECIPE-TRUST-DISREGARD
    ingress_untrusted

    Pattern shipped in the bundled strict rule pack (trust-exploit.yaml). Severity CRITICAL.

    YAML
    {
      "id": "TRUST-DISREGARD",
      "pattern": "(?i)disregard\\s+(?:all\\s+)?(?:previous|prior|above|your|earlier)\\s+(?:instructions|rules|guidelines|programming|context)",
      "title": "Disregard instructions",
      "severity": "CRITICAL",
      "confidence": 0.9,
      "tags": [
        "prompt-injection"
      ]
    }
    policies/guardrail/strict/rules/trust-exploit.yaml
  • Jailbreak attempt rule:trust-exploit
    RECIPE-TRUST-JAILBREAK
    ingress_untrusted

    Pattern shipped in the bundled strict rule pack (trust-exploit.yaml). Severity CRITICAL.

    YAML
    {
      "id": "TRUST-JAILBREAK",
      "pattern": "(?i)(?:jailbreak|dan\\s+mode|do\\s+anything\\s+now|you\\s+are\\s+now\\s+(?:free|unfiltered))",
      "title": "Jailbreak attempt",
      "severity": "CRITICAL",
      "confidence": 0.92,
      "tags": [
        "prompt-injection"
      ]
    }
    policies/guardrail/strict/rules/trust-exploit.yaml
  • Identity override attempt rule:trust-exploit
    RECIPE-TRUST-PRETEND
    ingress_untrusted

    Pattern shipped in the bundled strict rule pack (trust-exploit.yaml). Severity HIGH.

    YAML
    {
      "id": "TRUST-PRETEND",
      "pattern": "(?i)(?:pretend|act\\s+as(?:\\s+if)?)\\s+(?:you\\s+are|you're)\\s+(?:a\\s+|an\\s+)?(?:different|evil|unrestricted|unfiltered|uncensored)",
      "title": "Identity override attempt",
      "severity": "HIGH",
      "confidence": 0.85,
      "tags": [
        "prompt-injection"
      ]
    }
    policies/guardrail/strict/rules/trust-exploit.yaml
  • Forget instructions attack rule:trust-exploit
    RECIPE-TRUST-FORGET
    ingress_untrusted

    Pattern shipped in the bundled strict rule pack (trust-exploit.yaml). Severity CRITICAL.

    YAML
    {
      "id": "TRUST-FORGET",
      "pattern": "(?i)forget\\s+(?:everything|all)\\s+(?:you\\s+)?(?:know|learned|were\\s+told)",
      "title": "Forget instructions attack",
      "severity": "CRITICAL",
      "confidence": 0.9,
      "tags": [
        "prompt-injection"
      ]
    }
    policies/guardrail/strict/rules/trust-exploit.yaml
  • Direct instruction injection prefix rule:trust-exploit
    RECIPE-TRUST-NEW-INSTRUCT-PREFIX
    ingress_untrusted

    Pattern shipped in the bundled strict rule pack (trust-exploit.yaml). Severity HIGH.

    YAML
    {
      "id": "TRUST-NEW-INSTRUCT-PREFIX",
      "pattern": "(?i)new\\s+instructions?\\s*:\\s*",
      "title": "Direct instruction injection prefix",
      "severity": "HIGH",
      "confidence": 0.85,
      "tags": [
        "prompt-injection"
      ]
    }
    policies/guardrail/strict/rules/trust-exploit.yaml
  • Override instructions rule:trust-exploit
    RECIPE-TRUST-OVERRIDE-INSTRUCT
    ingress_untrusted

    Pattern shipped in the bundled strict rule pack (trust-exploit.yaml). Severity CRITICAL.

    YAML
    {
      "id": "TRUST-OVERRIDE-INSTRUCT",
      "pattern": "(?i)override\\s+(?:previous\\s+)?(?:instructions?|rules?|guidelines?)",
      "title": "Override instructions",
      "severity": "CRITICAL",
      "confidence": 0.88,
      "tags": [
        "prompt-injection"
      ]
    }
    policies/guardrail/strict/rules/trust-exploit.yaml
  • Persistent behavior change rule:trust-exploit
    RECIPE-TRUST-FROM-NOW-ON
    ingress_untrusted

    Pattern shipped in the bundled strict rule pack (trust-exploit.yaml). Severity HIGH.

    YAML
    {
      "id": "TRUST-FROM-NOW-ON",
      "pattern": "(?i)from\\s+now\\s+on[,\\s]+you\\s+(?:are|will|must|should)",
      "title": "Persistent behavior change",
      "severity": "HIGH",
      "confidence": 0.85,
      "tags": [
        "prompt-injection"
      ]
    }
    policies/guardrail/strict/rules/trust-exploit.yaml
  • Mode/personality switch rule:trust-exploit
    RECIPE-TRUST-SWITCH-MODE
    ingress_untrusted

    Pattern shipped in the bundled strict rule pack (trust-exploit.yaml). Severity HIGH.

    YAML
    {
      "id": "TRUST-SWITCH-MODE",
      "pattern": "(?i)switch\\s+(?:to\\s+)?(?:a\\s+)?(?:different|new|unrestricted)\\s+(?:mode|personality|character|persona)",
      "title": "Mode/personality switch",
      "severity": "HIGH",
      "confidence": 0.85,
      "tags": [
        "prompt-injection"
      ]
    }
    policies/guardrail/strict/rules/trust-exploit.yaml
  • System prompt extraction attempt rule:trust-exploit
    RECIPE-TRUST-PROMPT-EXTRACT
    ingress_untrusted

    Pattern shipped in the bundled strict rule pack (trust-exploit.yaml). Severity MEDIUM.

    YAML
    {
      "id": "TRUST-PROMPT-EXTRACT",
      "pattern": "(?i)(?:show|reveal|print|output|display|repeat|tell\\s+me)\\s+(?:me\\s+)?(?:your\\s+)?(?:the\\s+)?(?:system\\s+|initial\\s+)?(?:prompt|instructions?|rules?|guidelines?)",
      "title": "System prompt extraction attempt",
      "severity": "MEDIUM",
      "confidence": 0.75,
      "tags": [
        "prompt-injection"
      ]
    }
    policies/guardrail/strict/rules/trust-exploit.yaml
  • Fictional framing / purpose laundering rule:trust-exploit
    RECIPE-TRUST-FICTIONAL
    ingress_untrusted

    Pattern shipped in the bundled strict rule pack (trust-exploit.yaml). Severity MEDIUM.

    YAML
    {
      "id": "TRUST-FICTIONAL",
      "pattern": "(?i)(?:hypothetically|in\\s+a\\s+fictional\\s+(?:scenario|world|story)|for\\s+(?:educational|research|academic)\\s+purposes?\\s+only|this\\s+is\\s+just\\s+a\\s+(?:test|experiment|hypothetical))",
      "title": "Fictional framing / purpose laundering",
      "severity": "MEDIUM",
      "confidence": 0.7,
      "tags": [
        "prompt-injection"
      ]
    }
    policies/guardrail/strict/rules/trust-exploit.yaml
  • Ethics removal attempt rule:trust-exploit
    RECIPE-TRUST-NO-ETHICS
    ingress_untrusted

    Pattern shipped in the bundled strict rule pack (trust-exploit.yaml). Severity HIGH.

    YAML
    {
      "id": "TRUST-NO-ETHICS",
      "pattern": "(?i)no\\s+(?:ethical|moral)\\s+(?:guidelines?|restrictions?|limits?|constraints?)",
      "title": "Ethics removal attempt",
      "severity": "HIGH",
      "confidence": 0.88,
      "tags": [
        "prompt-injection"
      ]
    }
    policies/guardrail/strict/rules/trust-exploit.yaml
  • Tool manipulation directive rule:trust-exploit
    RECIPE-TRUST-TOOL-MANIP
    ingress_untrusted

    Pattern shipped in the bundled strict rule pack (trust-exploit.yaml). Severity HIGH.

    YAML
    {
      "id": "TRUST-TOOL-MANIP",
      "pattern": "(?i)(?:use\\s+the\\s+\\w+\\s+tool\\s+to\\s+(?:delete|remove|destroy|wipe)|invoke\\s+(?:the\\s+)?\\w+\\s+(?:tool|function)\\s+without\\s+(?:asking|confirmation|approval)|automatically\\s+(?:execute|run|call)\\s+(?:all\\s+)?(?:tools?|functions?))",
      "title": "Tool manipulation directive",
      "severity": "HIGH",
      "confidence": 0.85,
      "tags": [
        "prompt-injection"
      ]
    }
    policies/guardrail/strict/rules/trust-exploit.yaml
  • Malicious persona adoption
    rule:trust-exploit
    RECIPE-TRUST-PERSONA
    ingress_untrusted

    Pattern shipped in the bundled strict rule pack (trust-exploit.yaml). Severity HIGH.

    YAML
    {
      "id": "TRUST-PERSONA",
      "pattern": "(?i)(?:act\\s+as|you\\s+are\\s+now|roleplay\\s+as|simulate\\s+being|play\\s+the\\s+role\\s+of)\\s+(?:a\\s+|an\\s+)?(?:hacker|pentester|attacker|malware\\s+author|evil|unethical|criminal)",
      "title": "Malicious persona adoption",
      "severity": "HIGH",
      "confidence": 0.88,
      "tags": [
        "prompt-injection"
      ]
    }
    policies/guardrail/strict/rules/trust-exploit.yaml
  • Delimiter hijacking / prompt framing escape
    rule:trust-exploit
    RECIPE-TRUST-DELIMITER
    ingress_untrusted

    Pattern shipped in the bundled strict rule pack (trust-exploit.yaml). Severity CRITICAL.

    YAML
    {
      "id": "TRUST-DELIMITER",
      "pattern": "(?i)(?:system\\s+override|end\\s+system\\s+prompt|<\\/system>|<\\|im_end\\|>|\\[INST\\]|\\[\\/INST\\]|<\\|endoftext\\|>|<<\\s*SYS\\s*>>)",
      "title": "Delimiter hijacking / prompt framing escape",
      "severity": "CRITICAL",
      "confidence": 0.93,
      "tags": [
        "prompt-injection"
      ]
    }
    policies/guardrail/strict/rules/trust-exploit.yaml
  • Forced encoding to bypass filters
    rule:trust-exploit
    RECIPE-TRUST-OUTPUT-CONSTRAINT
    ingress_untrusted

    Pattern shipped in the bundled strict rule pack (trust-exploit.yaml). Severity HIGH.

    YAML
    {
      "id": "TRUST-OUTPUT-CONSTRAINT",
      "pattern": "(?i)(?:respond\\s+only\\s+in\\s+(?:hex|base64|rot13|binary|morse|unicode)|encode\\s+your\\s+(?:response|answer|output)\\s+in\\s+(?:base64|hex|rot13|url)|output\\s+as\\s+(?:hex|base64|rot13|url)\\s+encoded|(?:rot13|unicode\\s+escape|url\\s+(?:decode|encode))\\s+(?:the|your|this))",
      "title": "Forced encoding to bypass filters",
      "severity": "HIGH",
      "confidence": 0.85,
      "tags": [
        "prompt-injection",
        "obfuscation"
      ]
    }
    policies/guardrail/strict/rules/trust-exploit.yaml
  • Payload splitting / forced compliance prefix
    rule:trust-exploit
    RECIPE-TRUST-PAYLOAD-SPLIT
    ingress_untrusted

    Pattern shipped in the bundled strict rule pack (trust-exploit.yaml). Severity HIGH.

    YAML
    {
      "id": "TRUST-PAYLOAD-SPLIT",
      "pattern": "(?i)(?:start\\s+your\\s+(?:response|answer|output)\\s+with\\s+[\"'](?:Sure|Absolutely|Of\\s+course|Here\\s+is|I\\s+can\\s+help))|(?:begin\\s+by\\s+saying\\s+[\"'](?:Sure|Yes|Absolutely))",
      "title": "Payload splitting / forced compliance prefix",
      "severity": "HIGH",
      "confidence": 0.87,
      "tags": [
        "prompt-injection"
      ]
    }
    policies/guardrail/strict/rules/trust-exploit.yaml
  • System sender metadata injected by agent framework
    pre_judge_strip
    RECIPE-STRIP-SYSTEM-SENDER

    Pre-judge strip shipped in the bundled strict pack. Applies to pii.

    YAML
    {
      "id": "STRIP-SYSTEM-SENDER",
      "pattern": "\\b(cli|system|bot|admin)\\b",
      "context": "System sender metadata injected by agent framework",
      "applies_to": [
        "pii"
      ]
    }
    policies/guardrail/strict/suppressions.yaml
  • Messaging bridge status banners (WhatsApp/Telegram/Slack/Discord gateway connect/disconnect lines) embed channel IDs or phone numbers that are transport metadata, not user-provided PII
    pre_judge_strip
    RECIPE-STRIP-MESSAGING-BRIDGE-STATUS

    Pre-judge strip shipped in the bundled strict pack. Applies to pii.

    YAML
    {
      "id": "STRIP-MESSAGING-BRIDGE-STATUS",
      "pattern": "(?im)^[ \\t]*System:[ \\t]*\\[[^\\]\\n]+\\][ \\t]+[^\\n]*?\\b(?:connected|disconnected|reconnected|linked|unlinked|online|offline)\\b[^\\n]*$",
      "context": "Messaging bridge status banners (WhatsApp/Telegram/Slack/Discord gateway connect/disconnect lines) embed channel IDs or phone numbers that are transport metadata, not user-provided PII",
      "applies_to": [
        "pii"
      ]
    }
    policies/guardrail/strict/suppressions.yaml
  • System metadata, not real username
    finding_suppression
    RECIPE-SUPP-USERNAME-METADATA

    Finding suppression shipped in the bundled strict pack.

    YAML
    {
      "id": "SUPP-USERNAME-METADATA",
      "finding_pattern": "JUDGE-PII-USER",
      "entity_pattern": "^(cli|system|bot|admin|root)$",
      "reason": "System metadata, not real username"
    }
    policies/guardrail/strict/suppressions.yaml
  • Teams chatId format, not email address
    finding_suppression
    RECIPE-SUPP-EMAIL-CHATID

    Finding suppression shipped in the bundled strict pack.

    YAML
    {
      "id": "SUPP-EMAIL-CHATID",
      "finding_pattern": "JUDGE-PII-EMAIL",
      "entity_pattern": "^19:[a-f0-9\\-]+@unq\\.gbl\\.spaces$",
      "reason": "Teams chatId format, not email address"
    }
    policies/guardrail/strict/suppressions.yaml
  • Suppress cosmetic shell commands (git status / log / diff)
    tool_suppression
    RECIPE-SUPP-TOOL-COSMETIC-SHELL
    exec_shell

    Tool suppressions let you silence findings on tools whose name matches a regex. Use this to drop noisy verdicts on read-only commands while keeping write/destructive commands surfaced.

    examples (2)
    • shell.execute
    • bash.execute
    counterexamples (2)
    • shell.write
    • fs.unlink
    YAML
    {
      "tool_pattern": "^(shell|bash|sh)\\.execute$",
      "suppress_findings": [
        "JUDGE-INJ-DESTRUCTIVE"
      ],
      "reason": "Cosmetic shell commands (git status, ls, pwd) generate noise without security risk"
    }
    docs-site/scripts/build-policy-assets.ts (illustrative)

Reading a recipe

| Field | Meaning |
| --- | --- |
| kind | What this recipe slots into — a regex rule (rule:secrets, rule:injection, …) or one of the three suppression layers (pre_judge_strip, finding_suppression, tool_suppression). |
| id | Stable identifier the engine uses for telemetry. Keep this stable across edits. |
| pattern | The Go-regexp (RE2) source the engine compiles. The wizard's regex tester checks this is RE2-compatible. |
| severity | The wizard's severity ladder is CRITICAL > HIGH > MEDIUM > LOW > INFO. The guardrail block/alert thresholds use ranks. |
| confidence | Hint to the judge: how confident you are this is a true positive. |
| tags | Free-form. Useful for filtering and reporting. |
| examples / counterexamples | What the wizard's live tester will run through your pattern. Add your own in the regex tester for sanity. |