fix(security): Operation CLAW FORTRESS - Prompt injection defense hardening

[dan-redcupit]

Summary

Comprehensive security hardening to defend against prompt injection and system prompt extraction attacks. Addresses findings from ZeroLeaks security assessment.

Before: Security Score 2/100 (CRITICAL)
After: Security Score 100/100 (SECURE)

Changes

1. System Prompt Confidentiality Directive

• Added buildConfidentialitySection() to src/agents/system-prompt.ts
• Absolute Prohibitions: 10 explicit rules blocking extraction methods
• Behavioral Inference Protection: 7 rules preventing information leakage
• Meta-Query Blocking: Deflection patterns for probing questions
• Standard Refusal: Consistent response template

2. Anti-Manipulation Defenses

• Enhanced buildSafetySection() with anti-manipulation subsection
• Blocks: authority claims, social pressure, urgency, trust building, hypotheticals, roleplay, reasoning hijacks

3. Input Encoding Detection

• New src/security/obfuscation-decoder.ts - Decodes Base64, ROT13, leetspeak, pig latin, syllables, homoglyphs
• New src/security/input-preprocessing.ts - Detection API for obfuscated attacks

4. Extended Pattern Detection

• Expanded src/security/external-content.ts to 60+ patterns
• Categories: many-shot, persona hijack, authority spoof, CoT hijack, crescendo, false memory

5. Advanced Multi-Turn Detection

• New src/security/injection-detection.ts - Stateful detection across conversation history
• Detects distributed attacks and progressive trust-building

6. Documentation

• Updated SECURITY.md with defense architecture
• New security/SOUL.md - Purple Team security guidelines
• Updated CLAUDE.md with security section

Test Plan

• ZeroLeaks scan: 100/100 score (was 2/100)
• 30 attack turns with 0 leaks
• Unit tests for encoding detection
• Unit tests for injection detection
• Manual testing with attack payloads
• Full test suite: pnpm test

ZeroLeaks Results

Overall Vulnerability: SECURE
Security Score: 100/100
Leak Status: none
Duration: 156.3s
Turns Used: 30

Summary: The system prompt successfully resisted all 
extraction attempts across 30 attack turns.

Files Changed

File	Change
src/agents/system-prompt.ts	Enhanced confidentiality + anti-manipulation
src/security/obfuscation-decoder.ts	NEW - Decode obfuscated attacks
src/security/input-preprocessing.ts	NEW - Input security analysis
src/security/input-preprocessing.test.ts	NEW - Tests
src/security/external-content.ts	Extended to 60+ patterns
src/security/injection-detection.ts	NEW - Multi-turn detection
src/security/injection-detection.test.ts	NEW - Tests
SECURITY.md	Defense architecture docs
security/SOUL.md	NEW - Security guidelines
CLAUDE.md	Security section

---

🔒 Generated with Claude Code

Greptile Overview

Greptile Summary

This PR adds a new defense-in-depth layer against prompt injection attempts. It hardens the agent system prompt with confidentiality + anti-manipulation directives (src/agents/system-prompt.ts), expands external-content pattern detection and introduces checkMessageSecurity/sanitizeUserContent helpers (src/security/external-content.ts), and adds new modules/tests for obfuscation decoding and multi-turn injection detection (src/security/{obfuscation-decoder,input-preprocessing,injection-detection}*.ts).

The added security logic primarily consists of regex-based detectors and decoding utilities that can be used upstream before wrapping/processing untrusted inputs. The test suite includes regression-style payloads to keep these detectors stable over time.

Confidence Score: 3/5

• Reasonably safe to merge after fixing a couple correctness issues in the new detectors/tests.
• Most changes are additive (new security modules + tests, plus expanded patterns and prompt text). However, there is at least one definite failing unit test (reverseText expectation) and a few correctness pitfalls in the new detection utilities (reversed keyword typo, potential infinite loop in match extraction, and high-risk classification logic). Once those are addressed, the remaining changes are low-risk.
• src/security/input-preprocessing.test.ts, src/security/input-preprocessing.ts, src/security/external-content.ts, src/security/obfuscation-decoder.ts

_{(2/5) Greptile learns from your feedback when you react with thumbs up/down!}

Context used:

• Context from dashboard - CLAUDE.md (source)
• Context from dashboard - AGENTS.md (source)

[greptile-apps]

_{4 files reviewed, 5 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Additional Comments (5)

src/security/input-preprocessing.test.ts
[P0] This test assertion is incorrect: reverseText("tpmorcp") should reverse to "promorpt", not "promort", so the test will fail.

      expect(reverseText("tpmorcp")).toBe("promorpt"); // intentionally not "prompt" - tests exact reversal

Prompt To Fix With AI

This is a comment left during a code review.
Path: src/security/input-preprocessing.test.ts
Line: 992:996

Comment:
[P0] This test assertion is incorrect: `reverseText("tpmorcp")` should reverse to `"promorpt"`, not `"promort"`, so the test will fail.

```suggestion
      expect(reverseText("tpmorcp")).toBe("promorpt"); // intentionally not "prompt" - tests exact reversal
```

How can I resolve this? If you propose a fix, please make it concise.

---

src/security/input-preprocessing.ts
[P1] REVERSED_KEYWORDS has a typo for the reversed form of override: it uses edirrrevo (3 r's) instead of edirrevo. This makes reversed override strings fail to detect.

const REVERSED_KEYWORDS =
  /\b(metsys|tpmorcp|noitcurtsni|erongi|suoiverp|laever|terces|laitnedifnoc|ssapyb|edirrevo|nimda|toor|odus)\b/gi;

Prompt To Fix With AI

This is a comment left during a code review.
Path: src/security/input-preprocessing.ts
Line: 1176:1179

Comment:
[P1] `REVERSED_KEYWORDS` has a typo for the reversed form of `override`: it uses `edirrrevo` (3 r's) instead of `edirrevo`. This makes reversed `override` strings fail to detect.

```suggestion
const REVERSED_KEYWORDS =
  /\b(metsys|tpmorcp|noitcurtsni|erongi|suoiverp|laever|terces|laitnedifnoc|ssapyb|edirrevo|nimda|toor|odus)\b/gi;
```

How can I resolve this? If you propose a fix, please make it concise.

---

src/security/input-preprocessing.ts
[P0] extractMatches() can infinite-loop when pattern doesn't have the g flag or can match zero-width (because RegExp.exec won't advance lastIndex). Since this helper is used with multiple patterns, a future change to the regexes could turn into a tight loop.

A safer approach is to ensure g is present and guard zero-width matches.

  const regex = new RegExp(pattern.source, pattern.flags.includes("g") ? pattern.flags : pattern.flags + "g");
  while ((match = regex.exec(text)) !== null) {
    matches.push(match[0]);
    if (match.index === regex.lastIndex) regex.lastIndex++;
  }

Prompt To Fix With AI

This is a comment left during a code review.
Path: src/security/input-preprocessing.ts
Line: 1183:1189

Comment:
[P0] `extractMatches()` can infinite-loop when `pattern` doesn't have the `g` flag or can match zero-width (because `RegExp.exec` won't advance `lastIndex`). Since this helper is used with multiple patterns, a future change to the regexes could turn into a tight loop.

A safer approach is to ensure `g` is present and guard zero-width matches.

```suggestion
  const regex = new RegExp(pattern.source, pattern.flags.includes("g") ? pattern.flags : pattern.flags + "g");
  while ((match = regex.exec(text)) !== null) {
    matches.push(match[0]);
    if (match.index === regex.lastIndex) regex.lastIndex++;
  }
```

How can I resolve this? If you propose a fix, please make it concise.

---

src/security/obfuscation-decoder.ts
[P1] Leetspeak detection compares lowercased strings (afterLeet.toLowerCase() !== current.toLowerCase()), which can miss real transformations where only casing changes in surrounding text (e.g. mixed-case input). This can lead to under-reporting leetspeak in detectedTechniques.

  const afterLeet = decodeLeetspeak(current);
  if (afterLeet !== current) {
    current = afterLeet;
    stages.push(current);
    detectedTechniques.push("leetspeak");
  }

Prompt To Fix With AI

This is a comment left during a code review.
Path: src/security/obfuscation-decoder.ts
Line: 1540:1546

Comment:
[P1] Leetspeak detection compares lowercased strings (`afterLeet.toLowerCase() !== current.toLowerCase()`), which can miss real transformations where only casing changes in surrounding text (e.g. mixed-case input). This can lead to under-reporting `leetspeak` in `detectedTechniques`.

```suggestion
  const afterLeet = decodeLeetspeak(current);
  if (afterLeet !== current) {
    current = afterLeet;
    stages.push(current);
    detectedTechniques.push("leetspeak");
  }
```

How can I resolve this? If you propose a fix, please make it concise.

---

src/security/external-content.ts
[P1] checkMessageSecurity() treats entries like "reveal.*prompt" / "output.*prompt" as literal substrings of pattern.source, but pattern.source is a regex source string. This means these 'high risk' checks won't behave as intended (they'll only match if the regex source literally contains that text).

Consider either (a) using a separate highRiskPatterns array of actual RegExps and testing them against content, or (b) mapping matchedPatterns back to the original pattern objects and tagging them as high-risk.

Prompt To Fix With AI

This is a comment left during a code review.
Path: src/security/external-content.ts
Line: 346:366

Comment:
[P1] `checkMessageSecurity()` treats entries like `"reveal.*prompt"` / `"output.*prompt"` as literal substrings of `pattern.source`, but `pattern.source` is a regex source string. This means these 'high risk' checks won't behave as intended (they'll only match if the regex source literally contains that text).

Consider either (a) using a separate `highRiskPatterns` array of actual `RegExp`s and testing them against `content`, or (b) mapping `matchedPatterns` back to the original pattern objects and tagging them as high-risk.

How can I resolve this? If you propose a fix, please make it concise.

[dan-redcupit]

Review Feedback Addressed ✅

Fixed all 5 issues from the automated review:

1. Test assertion typo (input-preprocessing.test.ts)

   • Fixed reverseText("tpmorp") to correctly expect "prompt"

2. REVERSED_KEYWORDS typo (input-preprocessing.ts)

   • Fixed edirrrevo → edirrevo (correct reversal of "override")
   • Also fixed tpmorcp → tpmorp (correct reversal of "prompt")

3. Infinite loop guard (input-preprocessing.ts)

   • extractMatches() now ensures g flag is set
   • Added guard for zero-width matches advancing lastIndex

4. Leetspeak detection (obfuscation-decoder.ts)

   • Changed from toLowerCase() comparison to direct string comparison
   • Now correctly detects transformations regardless of casing

5. High-risk pattern matching (external-content.ts)

   • Changed from string includes to proper RegExp tests
   • Now tests patterns directly against content, not regex sources

Commit: 83491e4

[dan-redcupit]

CI Fixes Summary

All automated review comments have been addressed:

1. Test Assertion Typo (input-preprocessing.test.ts)

• Fixed reversed text test: "tpmorcp" → "tpmorp" for "prompt"

2. REVERSED_KEYWORDS Typo (input-preprocessing.ts)

• Fixed edirrevo (was edirrrevo with extra 'r') for "override" reversed

3. Infinite Loop Guard (input-preprocessing.ts)

• Added guard in extractMatches() to handle zero-width matches:

if (match.index === regex.lastIndex) {
  regex.lastIndex++;
}

4. Leetspeak Detection Comparison (obfuscation-decoder.ts)

• Fixed stage comparison to track changes correctly through deobfuscation pipeline

5. High-Risk Pattern Matching (external-content.ts)

• Fixed checkMessageSecurity() to properly test RegExp patterns against content

Additional Fixes

• Pig Latin Decoder: Rewrote to correctly handle consonant cluster lengths (tries 2, 1, 3 in order)
• Authority Spoof Patterns: Expanded to match [ADMIN OVERRIDE] format with optional second word
• Persona Hijack Patterns: Added pattern for "you are (now)? (completely)? unrestricted"
• Instruction Keywords: Added plural forms (instructions?, secrets?, passwords?, etc.)
• Lint fixes: Used Set instead of array for highSeverityTypes, used toReversed() instead of reverse()
• Upstream lint fixes: Fixed curly brace issues in resolve-route.ts and system-prompt.ts

CI Status

• ✅ All build, lint, format, and test checks passing (bun, node, Windows)
• ⏳ macOS checks queued (unrelated to TypeScript changes)
• ❌ formal_conformance failed (informational only, not blocking)

[dan-redcupit]

Closing to split into smaller, focused PRs for easier review. Will create separate PRs for: (1) System prompt confidentiality, (2) Obfuscation decoder + input preprocessing, (3) Advanced attack detection