Module patterns 

Shared injection-detection patterns for the security sanitization layers.

This module is the single source of truth for prompt-injection detection patterns used by both zeph-mcp (MCP tool definition sanitization) and zeph-core (content isolation pipeline). Each consumer compiles its own Regex instances from RAW_INJECTION_PATTERNS at startup via LazyLock.

Known limitations

The patterns cover common English-language prompt-injection techniques. Known evasion vectors include: non-English injections, semantic rephrasing, encoded payloads in markdown code blocks, multi-line splitting (regex . does not match \n by default), and homoglyph substitution. strip_format_chars mitigates Unicode Cf-category bypass but does not handle homoglyphs. This scanner is advisory and defense-in-depth only, not a security boundary. The trust gate (tool blocking via TrustGateExecutor) is the primary enforcement mechanism.

Constants

RAW_INJECTION_PATTERNS

Raw (name, regex pattern) pairs for prompt-injection detection.

Functions

strip_format_chars

Strip Unicode format (Cf) characters and ASCII control characters (except tab/newline) from text before injection pattern matching.