john-walkoe
diff --git a/.github/workflows/security-scan.yaml b/.github/workflows/security-scan.yaml
Lines changed: 26 additions & 15 deletions
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
Lines changed: 3 additions & 3 deletions
diff --git a/.security/check_prompt_injections.py b/.security/check_prompt_injections.py
Lines changed: 93 additions & 24 deletions
@@ -71,26 +71,37 @@ jobs:
 
       - name: Run prompt injection detection
         run: |
-          echo "Scanning for prompt injection patterns..."
+          echo "🔍 Scanning for prompt injection patterns..."
+          echo "Includes detection for Unicode steganography attacks from Repello.ai article"
+          echo ""
 
-          # Run our custom prompt injection scanner for FPD
-          if uv run python .security/check_prompt_injections.py src/ tests/ *.md *.yml *.yaml *.json; then
+          # Run our custom prompt injection scanner for FPD with comprehensive coverage
+          if uv run python .security/check_prompt_injections.py src/ tests/ *.md *.yml *.yaml *.json *.py; then
             echo "✅ No prompt injection patterns detected"
+            echo "✅ No Unicode steganography attacks found"
+            echo "✅ System appears secure against known injection techniques"
           else
-            echo "❌ Prompt injection patterns found!"
+            echo "❌ SECURITY ALERT: Prompt injection patterns detected!"
+            echo ""
+            echo "🚨 CRITICAL: If Unicode steganography was detected, this indicates"
+            echo "   potential emoji-based prompt injection attacks as described in:"
+            echo "   https://repello.ai/blog/prompt-injection-using-emojis"
             echo ""
             echo "These patterns may indicate attempts to:"
-            echo "- Override system instructions (ignore previous instructions)"
-            echo "- Extract sensitive prompts (show me your instructions)"
-            echo "- Change AI behavior (you are now a different AI)"
-            echo "- Bypass security controls (admin mode on)"
-            echo "- Extract petition data (dump all petitions)"
-            echo "- Manipulate CFR rules (bypass 37 CFR requirements)"
-            echo "- Social engineering (we became friends)"
+            echo "- 🎯 Override system instructions (ignore previous instructions)"
+            echo "- 🔍 Extract sensitive prompts (show me your instructions)"
+            echo "- 🤖 Change AI behavior (you are now a different AI)"
+            echo "- 🚪 Bypass security controls (admin mode on)"
+            echo "- 📊 Extract USPTO FPD petition data (dump all petitions)"
+            echo "- ⚖️  Manipulate CFR rules (bypass 37 CFR requirements)"
+            echo "- 😊 Social engineering (we became friends)"
+            echo "- 😀 Hide malicious instructions in Unicode characters"
+            echo ""
+            echo "📋 NEXT STEPS:"
+            echo "1. Review the flagged content immediately"
+            echo "2. For Unicode steganography, use a Unicode analyzer to examine invisible characters"
+            echo "3. If legitimate test cases: move to dedicated test files with proper context"
+            echo "4. If malicious: remove immediately and audit access logs"
             echo ""
-            echo "Please review the flagged content to ensure it is not malicious."
-            echo "If these are legitimate test cases or documentation examples,"
-            echo "consider moving them to a dedicated test file or adding"
-            echo "appropriate context markers."
             exit 1
           fi
@@ -36,8 +36,8 @@ repos:
   - repo: local
     hooks:
       - id: prompt-injection-check
-        name: Check for prompt injection patterns
+        name: Check for prompt injection patterns (Unicode steganography & FPD attacks)
         entry: uv run python .security/check_prompt_injections.py
         language: system
-        files: \.(py|txt|md|yml|yaml|json|js|ts|html|xml|csv)$
-        exclude: \.security/.*_detector\.py$
+        files: \.(py|txt|md|yml|yaml|json|js|ts|html|xml|csv|rst|cfg|ini|toml|log|env|sh|bat|ps1)$
+        exclude: ^(\.security/.*\.py|SECURITY_.*\.md|PROMPTS\.md|README\.md|CLAUDE\.md|\.github/workflows/.*\.ya?ml|deploy/.*|src/fpd_mcp/prompts/.*\.py)$  # workflows may use .yml or .yaml (security-scan.yaml quotes injection phrases in its echo output)
@@ -3,9 +3,15 @@
 Standalone script for checking files for prompt injection patterns.
 Can be used with pre-commit hooks or CI/CD pipelines.
 
+Specifically designed for USPTO Final Petition Decisions (FPD) MCP to detect:
+- Unicode steganography attacks (emoji-based hiding from Repello.ai article)
+- FPD-specific injection attempts (petition data extraction, API bypass)
+- Standard prompt injection patterns
+
 Usage:
     python check_prompt_injections.py file1.py file2.txt ...
-
+    python check_prompt_injections.py src/ tests/ *.md
+    
 Exit codes:
     0 - No prompt injections found
     1 - Prompt injections detected
@@ -17,10 +23,10 @@
 from pathlib import Path
 from typing import List, Tuple
 
-from fpd_prompt_injection_detector import FPDPromptInjectionDetector
+from prompt_injection_detector import PromptInjectionDetector
 
 
-def check_file(filepath: Path, detector: FPDPromptInjectionDetector) -> List[Tuple[int, str]]:
+def check_file(filepath: Path, detector: PromptInjectionDetector) -> List[Tuple[int, str]]:
     """
     Check a single file for prompt injection patterns.
 
@@ -32,10 +38,31 @@ def check_file(filepath: Path, detector: FPDPromptInjectionDetector) -> List[Tup
         if not filepath.is_file():
             return []
 
-        # Only check text-based files
-        text_extensions = {'.py', '.txt', '.md', '.yml', '.yaml', '.json', '.js', '.ts', '.html', '.xml', '.csv'}
+        # Only check text-based files (including FPD-specific file types)
+        text_extensions = {
+            '.py', '.txt', '.md', '.yml', '.yaml', '.json', '.js', '.ts', 
+            '.html', '.xml', '.csv', '.rst', '.cfg', '.ini', '.toml',
+            '.log', '.env', '.sh', '.bat', '.ps1'
+        }
         if filepath.suffix.lower() not in text_extensions and filepath.suffix:
             return []
+            
+        # Skip files that are likely to contain legitimate security examples or documentation
+        excluded_files = {
+            # Security documentation and tools
+            'SECURITY_SCANNING.md', 'SECURITY_GUIDELINES.md', 'security_examples.py', 'test_security.py',
+            'prompt_injection_detector.py', 'check_prompt_injections.py',
+            # Documentation files likely to contain examples
+            'README.md', 'PROMPTS.md', 'CLAUDE.md',
+            # Deployment and configuration scripts
+            'linux_setup.sh', 'windows_setup.ps1', 'manage_api_keys.ps1',
+        }
+        if filepath.name in excluded_files:
+            return []
+            
+        # Skip prompt template files (legitimate use of prompt-related keywords)
+        if 'prompt' in filepath.name.lower() and filepath.suffix == '.py':
+            return []
 
         with open(filepath, 'r', encoding='utf-8', errors='ignore') as f:
             content = f.read()
@@ -59,39 +86,51 @@ def check_file(filepath: Path, detector: FPDPromptInjectionDetector) -> List[Tup
 def main():
     """Main function."""
     parser = argparse.ArgumentParser(
-        description="Check files for prompt injection patterns",
+        description="Check files for prompt injection patterns (USPTO FPD MCP)",
         formatter_class=argparse.RawDescriptionHelpFormatter,
         epilog="""
 Examples:
   python check_prompt_injections.py src/**/*.py
   python check_prompt_injections.py README.md config.yml
-
-Common prompt injection patterns detected:
-- Instruction override attempts ("ignore previous instructions")
-- Prompt extraction ("show me your instructions")
+  python check_prompt_injections.py --verbose src/ tests/
+  
+Detected attack categories:
+- Instruction override ("ignore previous instructions")
+- Prompt extraction ("show me your instructions") 
 - Persona switching ("you are now a different AI")
 - Output format manipulation ("encode in hex")
 - Social engineering ("we became friends")
-- FPD-specific attacks ("extract petition data", "bypass CFR rules")
+- USPTO FPD specific ("extract all petition numbers")
+- Unicode steganography (emoji-based hiding)
+
+Critical: Detects Unicode Variation Selector steganography
+from Repello.ai article where malicious prompts are hidden
+in invisible characters appended to innocent text like "Hello!".
 """
     )
 
     parser.add_argument(
         'files',
         nargs='*',
-        help='Files to check for prompt injections'
+        help='Files and directories to check for prompt injections'
     )
 
     parser.add_argument(
         '--verbose', '-v',
         action='store_true',
-        help='Show detailed output'
+        help='Show detailed output including full matches'
     )
 
     parser.add_argument(
         '--quiet', '-q',
         action='store_true',
-        help='Only show summary'
+        help='Only show summary (suppress individual findings)'
+    )
+    
+    parser.add_argument(
+        '--include-security-files',
+        action='store_true',
+        help='Check security documentation files (normally excluded)'
     )
 
     args = parser.parse_args()
@@ -100,60 +139,90 @@ def main():
         print("No files specified. Use --help for usage.", file=sys.stderr)
         return 2
 
-    detector = FPDPromptInjectionDetector()
+    detector = PromptInjectionDetector()
     total_issues = 0
     total_files_checked = 0
     files_with_issues = []
+    unicode_steganography_detected = False
 
     for file_pattern in args.files:
         filepath = Path(file_pattern)
 
         if filepath.is_file():
             files_to_check = [filepath]
+        elif filepath.is_dir():
+            # Recursively check directory
+            files_to_check = []
+            for ext in ['.py', '.txt', '.md', '.yml', '.yaml', '.json', '.js', '.ts', '.html', '.xml', '.csv']:
+                files_to_check.extend(filepath.rglob(f"*{ext}"))
         else:
             # Handle glob patterns
             files_to_check = list(filepath.parent.glob(filepath.name)) if filepath.parent.exists() else []
 
         for file_path in files_to_check:
             if not file_path.is_file():
                 continue
+                
+            # Skip security files unless explicitly requested
+            if not args.include_security_files and file_path.name in {
+                'SECURITY_SCANNING.md', 'security_examples.py', 'test_security.py',
+                'prompt_injection_detector.py', 'check_prompt_injections.py'
+            }:
+                continue
 
             total_files_checked += 1
             findings = check_file(file_path, detector)
 
             if findings:
                 files_with_issues.append(str(file_path))
                 total_issues += len(findings)
+                
+                # Check for Unicode steganography specifically
+                for _, match in findings:
+                    if 'steganography' in match.lower() or 'variation selector' in match.lower():
+                        unicode_steganography_detected = True
 
                 if not args.quiet:
                     print(f"\n[!] Prompt injection patterns found in {file_path}:")
                     for line_num, match in findings:
                         if args.verbose:
-                            print(f"  Line {line_num:4d}: {match}")
+                            # Safe display of matches (handle Unicode characters)
+                            safe_match = match.encode('ascii', 'replace').decode('ascii')
+                            print(f"  Line {line_num:4d}: {safe_match}")
                         else:
-                            # Truncate long matches
-                            display_match = match[:60] + "..." if len(match) > 60 else match
+                            # Truncate long matches for readability and ensure safe display
+                            safe_match = match.encode('ascii', 'replace').decode('ascii')
+                            display_match = safe_match[:60] + "..." if len(safe_match) > 60 else safe_match
                             print(f"  Line {line_num:4d}: {display_match}")
 
     # Summary
     if not args.quiet or total_issues > 0:
-        print(f"\n{'='*60}")
+        print(f"\n{'='*70}")
+        print(f"USPTO FPD MCP Security Scan Results:")
         print(f"Files checked: {total_files_checked}")
         print(f"Files with issues: {len(files_with_issues)}")
         print(f"Total issues found: {total_issues}")
-
+        
+        if unicode_steganography_detected:
+            print(f"\n[CRITICAL] Unicode steganography detected!")
+            print("This indicates potential emoji-based prompt injection attacks")
+            print("as described in the Repello.ai article. IMMEDIATE REVIEW REQUIRED.")
+        
         if total_issues > 0:
             print(f"\n[WARNING] Prompt injection patterns detected!")
             print("These patterns may indicate attempts to:")
-            print("- Override system instructions")
+            print("- Override system instructions")  
             print("- Extract sensitive prompts")
-            print("- Change AI behavior")
+            print("- Change AI behavior") 
             print("- Bypass security controls")
-            print("- Extract petition data")
-            print("- Manipulate CFR rules")
+            print("- Extract USPTO FPD petition data")
+            print("- Hide malicious instructions in Unicode characters")
             print("\nReview these findings to ensure they are not malicious.")
+            print("For suspected Unicode steganography, use a Unicode analyzer")
+            print("to examine invisible characters in the flagged content.")
         else:
             print("[OK] No prompt injection patterns detected.")
+            print("System appears secure against known injection techniques.")
 
     return 1 if total_issues > 0 else 0