docs(attack-db): sync public attack database to v0.2.66 (1046 patterns / 65 categories)

attack-db/README.md

@@ -3,7 +3,7 @@
 The open collection of AI agent attack patterns that powers
 [Sunglasses](https://sunglasses.dev) — the runtime firewall for AI agents.
 
-**981 detection patterns across 64 attack categories.**
+**1046 detection patterns across 65 attack categories.**
 
 **Nobody owns this data. Everyone contributes. Everyone benefits.**
 
@@ -15,15 +15,15 @@ scanner actually loads at runtime. The JSON files in `attacks/` are a
 human-readable **export** of those patterns, generated from `patterns.py` so the
 database is easy to browse, search, and contribute to.
 
-- `patterns.py` → the single source of truth (981 patterns / 64 categories)
+- `patterns.py` → the single source of truth (1046 patterns / 65 categories)
 - `attacks/*.json` → generated, browsable mirror
   (regenerate with `scripts/export_patterns_to_attack_db.py`)
 - Community adds new patterns via pull requests
 - The more patterns → the more attacks Sunglasses catches
 
 ## Categories
 
-Sunglasses organizes its 64 categories across families like prompt injection,
+Sunglasses organizes its 65 categories across families like prompt injection,
 data exfiltration, command injection, hidden/indirect instructions, memory
 poisoning, secret detection, tool poisoning, MCP threats, discovery-file
 poisoning, and supply-chain / attestation poisoning — among many others.

attack-db/attacks/agent-workflow-security/GLS-AW-018-cron-reply-log-drift.json

@@ -9,7 +9,7 @@
     "tool_output",
     "message"
   ],
-  "description": "GO MODE relies on append-only status artifacts (cava_wins_log.md + CAVA_REPLY_*) as the operational source of truth. If an attacker can inject instructions that desynchronize **what got executed** vs **what got logged**, operators lose visibility and may ship unverified claims.",
+  "description": "GO MODE relies on append-only status artifacts (wins-log files and status-reply files) as the operational source of truth. If an attacker can inject instructions that desynchronize **what got executed** vs **what got logged**, operators lose visibility and may ship unverified claims.",
   "keywords": [
     "status-first override",
     "split-append desync",

attack-db/attacks/agent-workflow-security/GLS-AW-026-reply-file-status-overshadowing.json

@@ -8,7 +8,7 @@
     "file",
     "message"
   ],
-  "description": "In GO MODE operations, /opt/sunglasses/review/CAVA_REPLY_... is treated as a high-trust operator status surface. Attackers can inject or preserve stale status blocks so that old blocker text overshadows fresh cycle outcomes. This can force bad prioritization (re-open solved tasks, suppress live P0 pivots, or mislabel readiness). The failure mode is subtle because the reply file is expected to be append-only and long.",
+  "description": "In GO MODE operations, an append-only operator status file is treated as a high-trust status surface. Attackers can inject or preserve stale status blocks so that old blocker text overshadows fresh cycle outcomes. This can force bad prioritization (re-open solved tasks, suppress live P0 pivots, or mislabel readiness). The failure mode is subtle because the reply file is expected to be append-only and long.",
   "keywords": [
     "stale BLOCKED prepend",
     "status label collision near-identical heading",

attack-db/attacks/agent-workflow-security/GLS-AW-034-append-only-status-log-entry-forgery.json

@@ -9,7 +9,7 @@
     "log_memory",
     "message"
   ],
-  "description": "Attacker injects or forges append-only operational status artifacts (CAVA_REPLY, wins-log, cron acknowledgements) so the agent's GO MODE reads fabricated success signals as ground truth, advancing pipelines on work that never ran or hiding failures behind ghost log lines.",
+  "description": "Attacker injects or forges append-only operational status artifacts (status-reply files, wins-logs, cron acknowledgements) so the agent's GO MODE reads fabricated success signals as ground truth, advancing pipelines on work that never ran or hiding failures behind ghost log lines.",
   "keywords": [
     "cava reply log forgery",
     "append-only status drift",

attack-db/attacks/discovery-file-poisoning/GLS-DFP-008-robots-txt-tool-action-poisoning.json

@@ -27,7 +27,7 @@
     "crawl-policy"
   ],
   "regex": [
-    "(?is)^(?!.*\\b(?:no|without)\\b.{0,60}\\b(?:robots\\.txt|crawl[-\\s]*policy)\\b.{0,60}\\b(?:context|file|metadata)\\b)(?!.*\\b(?:do\\s+not|don't|never|must\\s+not|should\\s+not|refus(?:e|ed)|block(?:ed)?|ignore\\s+any\\s+robots\\.txt\\s+instruction)\\b.{0,160}\\b(?:execute|run|invoke|call|use|disable|bypass|crawl|fetch|open|submit|post)\\b)(?=.*\\b(?:robots\\.txt|User-Agent\\s*:\\s*(?:ai-agent|assistant|bot|crawler)|sitemap(?:\\.xml)?|crawl[-\\s]*policy|disallow|allow)\\b)(?=.*\\b(?:agent|ai[-\\s]*agent|assistant|crawler|bot|tool|browser|fetcher|summarizer)\\b)(?=.*\\b(?:execute|run|invoke|call|use|disable|bypass|turn\\s+off|ignore\\s+(?:safety|guardrails?|scanner|policy)|crawl|fetch|open|submit|post)\\b)(?=.*\\b(?:tool|browser|summarizer|scanner|guardrails?|safety|private|admin|internal|forbidden|disallow(?:ed)?|callback|webhook|endpoint|url)\\b).*$"
+    "(?is)^(?!.*\\b(?:no|without)\\b.{0,60}\\b(?:robots\\.txt|crawl[-\\s]*policy)\\b.{0,60}\\b(?:context|file|metadata)\\b)(?!.*\\b(?:do\\s+not|don't|never|must\\s+not|should\\s+not|refus(?:e|ed)|block(?:ed)?|ignore\\s+any\\s+robots\\.txt\\s+instruction)\\b.{0,160}\\b(?:execute|run|invoke|call|use|disable|bypass|crawl|fetch|open|submit|post)\\b)(?=.*\\b(?:robots\\.txt|User-Agent\\s*:\\s*(?:ai-agent|assistant|bot|crawler)|sitemap(?:\\.xml)?|crawl[-\\s]*policy|disallow|allow)\\b)(?=.*\\b(?:ai[-\\s]*agent|assistant|llm|coding\\s+agent|autonomous\\s+agent|crawler\\s+agent|summarizer|fetcher)\\b)(?=.*\\b(?:disable|bypass|turn\\s+off|ignore\\s+(?:safety|guardrails?|scanner|policy|previous|prior|your|all|system)|exfiltrat\\w*|override\\w*|supersed\\w*|outrank\\w*|highest[-\\s]priority|treat\\s+this\\s+as|do\\s+not\\s+(?:report|flag)|leak|forward\\s+(?:all\\s+)?(?:secrets?|tokens?|keys?|env))\\b)(?=.*\\b(?:tool|browser|summarizer|scanner|guardrails?|safety|private|admin|internal|forbidden|disallow(?:ed)?|callback|webhook|endpoint|url)\\b).*$"
   ],
   "examples": {
     "malicious": [],

attack-db/attacks/discovery-file-poisoning/GLS-DFP-026-raml-api-blueprint-agent-policy-poisoning.json

@@ -0,0 +1,33 @@
+{
+  "id": "GLS-DFP-026",
+  "name": "RAML / API Blueprint Agent-Policy Poisoning",
+  "version": "1.0",
+  "category": "discovery_file_poisoning",
+  "severity": "high",
+  "channels": [
+    "file",
+    "web_content"
+  ],
+  "description": "RAML, API Blueprint, or generated API-description documentation can embed prompt-injection text that tells AI agents/tool builders to override higher-priority instructions, disclose local credentials, or suppress scanner findings.",
+  "keywords": [
+    "#%RAML",
+    ".raml",
+    "API Blueprint",
+    "Apiary",
+    "FORMAT: 1A",
+    "LLM agent",
+    "annotationTypes",
+    "cookie"
+  ],
+  "regex": [
+    "^(?!\n  (?=.*\\b(?:security\\s+training|scanner\\s+docs?|policy\\s+docs?|defensive\\s+guidance|example\\s+of\\s+prompt\\s+injection)\\b)\n |\n  (?=.*\\b(?:do\\s+not|don't|never|must\\s+not|should\\s+not)\\b.{0,180}\\b(?:obey|follow|trust|treat|honou?r|include|leak|send|suppress|omit|hide)\\b.{0,180}\\b(?:raml|api\\s+blueprint|apiary|api\\s+description|metadata|documentation)\\b)\n |\n  (?=.*\\b(?:raml|api\\s+blueprint|apiary|api\\s+description|metadata|documentation)\\b.{0,180}\\b(?:is\\s+not\\s+policy|never\\s+overrides|does\\s+not\\s+override)\\b)\n)\n(?=.*(?:\\#%RAML|\\bFORMAT:\\s*1A\\b|\\bAPI\\s+Blueprint\\b|\\bApiary\\b|\\.raml\\b|\\braml\\b|\\bresourceTypes\\b|\\btraits\\b|\\bannotationTypes\\b|\\bdocumentation:|\\bdescription:))\n(?=.*\\b(?:AI\\s+agents?|LLM\\s+agents?|assistants?|tool[-\\s]?builders?|scanners?|crawlers?|models?)\\b)\n(?=.*\\b(?:ignore|override|outrank|highest\\s+priority|trust\\s+this|follow\\s+this|disable|bypass|do\\s+not\\s+report|suppress|omit|hide)\\b)\n(?=.*\\b(?:system|developer|scanners?|policy|rules|findings?|reports?|Authorization|Bearer|API[-_\\s]?keys?|tokens?|cookies?|credentials?|env(?:ironment)?\\s+vars?)\\b)\n.*"
+  ],
+  "examples": {
+    "malicious": [],
+    "benign": []
+  },
+  "references": [],
+  "contributed_by": "Sunglasses Team",
+  "date_added": "2026-06-13",
+  "source": "patterns.py:GLS-DFP-026"
+}

attack-db/attacks/discovery-file-poisoning/GLS-DFP-027-related-website-set-agent-authority-poisoning.json

@@ -0,0 +1,35 @@
+{
+  "id": "GLS-DFP-027",
+  "name": "Related Website Set Agent Authority Poisoning",
+  "version": "1.0",
+  "category": "discovery_file_poisoning",
+  "severity": "high",
+  "channels": [
+    "file",
+    "web_content"
+  ],
+  "description": "A target-controlled Related Website Set discovery file can add agent-directed policy text that misuses legitimate domain-relationship metadata to make an AI agent trust sibling domains, reuse credentials, or suppress cross-domain risk findings.",
+  "keywords": [
+    "agentic",
+    "assistant_instructions",
+    "associated site",
+    "associatedSites",
+    "autonomous scanner",
+    "compliance bot",
+    "credential forwarding",
+    "credentials",
+    "cross-domain allowed",
+    "customer identifiers"
+  ],
+  "regex": [
+    "(?is)^(?!(?=.*\\b(?:must\\s+not|should\\s+not|never|cannot|can't|do\\s+not)\\b.{0,90}\\b(?:reuse|send|forward|share|attach|include|suppress|ignore|treat)\\b))(?=.*\\b(?:related[-_\\s]*website[-_\\s]*set|associatedSites|serviceSites|rationaleBySite|associated\\s+site|site\\s+relationship|same\\s+owner|domain\\s+affiliation)\\b)(?=.*\\b(?:ai\\s+agent|assistant|autonomous\\s+(?:scanner|crawler|agent)|llm|agentic|security\\s+scanner|compliance\\s+bot)\\b)(?=.*\\b(?:same\\s+(?:security|trust)\\s+boundary|same\\s+origin|verified\\s+owner\\s+authority|trusted\\s+associated\\s+site|outrank|override|higher[-\\s]*priority|cross[-\\s]*domain\\s+(?:allowed|trust)|treat\\s+[^.]{0,80}\\s+as\\s+(?:the\\s+)?same)\\b)(?=.*\\b(?:reuse|share|forward|send|attach|include|cookie|bearer\\s+token|session\\s+context|customer\\s+identifiers?|credential|suppress|do\\s+not\\s+report|ignore\\s+(?:phishing|redirect)|credential[-\\s]*forwarding)\\b).*"
+  ],
+  "examples": {
+    "malicious": [],
+    "benign": []
+  },
+  "references": [],
+  "contributed_by": "Sunglasses Team",
+  "date_added": "2026-06-13",
+  "source": "patterns.py:GLS-DFP-027"
+}

attack-db/attacks/discovery-file-poisoning/GLS-DFP-028-scim-service-provider-config-agent-policy-poisoning.json

@@ -0,0 +1,33 @@
+{
+  "id": "GLS-DFP-028",
+  "name": "SCIM Service Provider Config Agent Policy Poisoning",
+  "version": "1.0",
+  "category": "discovery_file_poisoning",
+  "severity": "high",
+  "channels": [
+    "file",
+    "web_content"
+  ],
+  "description": "A poisoned SCIM `ServiceProviderConfig`, schema, or resource-type discovery document embeds agent-facing policy instructions in documentation or extension fields to override scanner rules, request identity tokens or environment secrets, or suppress findings about identity provisioning abuse.",
+  "keywords": [
+    "/ResourceTypes",
+    "Group",
+    "SCIM_API_TOKEN",
+    "ServiceProviderConfig",
+    "audit agent",
+    "authenticationSchemes",
+    "authenticationSchemes[].description",
+    "authoritative provisioning policy"
+  ],
+  "regex": [
+    "(?is)^(?!.*(?:do\\s+not|never|must\\s+not)\\s+(?:include|send|forward|expose|paste|print|return).{0,100}(?:bearer\\s+token|scim[_-]?api[_-]?token|api[_-]?key|secret|env(?:ironment)?))(?!.*(?:do\\s+not|never|must\\s+not)\\s+(?:suppress|hide|ignore|mark).{0,80}(?:scanner|finding|warning|report|false\\s+positive))(?!.*(?:do\\s+not|never|must\\s+not)\\s+obey.{0,120}(?:ignore|overrid\\w+|suppress|false\\s+positive|scanner\\s+rules))(?=.*(?:serviceproviderconfig|urn:ietf:params:scim|\\bscim\\b|authenticationSchemes|resourceTypes|\\bSchemas\\b|patch\\s*['\"]?\\s*:\\s*\\{\\s*['\"]?supported|filter\\s*['\"]?\\s*:\\s*\\{\\s*['\"]?supported))(?=.*(?:ai\\s*assistants?|assistants?|agents?|audit\\s+agents?|scanners?|mcp|tools?|connectors?))(?=.*(?:ignore\\s+(?:previous|all|scanner)|overrid\\w+|outrank|authoritative.{0,80}(?:provisioning|policy|instruction|metadata)|(?:send|forward|include|attach|paste|return|print).{0,120}(?:bearer\\s+token|scim[_-]?api[_-]?token|api[_-]?key|secret|env(?:ironment)?|local[_-]?token)|mark.{0,90}false\\s+positive|never\\s+report|suppress.{0,80}(?:finding|warning|report)|(?:role|group|provisioning).{0,80}(?:warning|finding).{0,80}(?:false\\s+positive|suppress))).*"
+  ],
+  "examples": {
+    "malicious": [],
+    "benign": []
+  },
+  "references": [],
+  "contributed_by": "Sunglasses Team",
+  "date_added": "2026-06-13",
+  "source": "patterns.py:GLS-DFP-028"
+}

attack-db/attacks/discovery-file-poisoning/GLS-DFP-029-sellers-json-schain-agent-policy-poisoning.json

@@ -0,0 +1,31 @@
+{
+  "id": "GLS-DFP-029",
+  "name": "sellers.json / schain agent policy poisoning",
+  "version": "1.0",
+  "category": "discovery_file_poisoning",
+  "severity": "high",
+  "channels": [
+    "file",
+    "web_content"
+  ],
+  "description": "Detects advertising transparency metadata (`sellers.json`, SupplyChain Object / `schain`, seller-verification wrappers) that tries to make AI agents, fraud scanners, or auditors suppress findings, treat seller metadata as higher policy, or forward sensitive local state.",
+  "keywords": [
+    "SupplyChain Object",
+    "schain",
+    "sellerType",
+    "seller_id",
+    "seller_type",
+    "sellers.json"
+  ],
+  "regex": [
+    "(?isx)\n^\n(?!\n  (?=.*\\b(?:training|guide|reference|documentation|docs?)\\b)\n  (?=.*\\b(?:report|detect|flag|refuse|block)\\b)\n)\n(?!\n  (?=.*\\b(?:must\\s+not|do\\s+not|never)\\b)\n  (?=.*\\b(?:obey|treat|trust|accept|follow)\\b)\n)\n(?=.*(?:sellers\\.json|seller[_-]?id|seller[_-]?type|sellerType|SupplyChain\\s+Object|\\bschain\\b|\\basi\\b|\\bsid\\b|\\bhp\\b|advertising\\s+transparency|authorized\\s+sellers?|seller\\s+verification))\n(?=.*(?:AI\\s*(?:agent|assistant|crawler|scanner)|LLM\\s*(?:agent|crawler|scanner)|autonomous\\s*(?:agent|scanner)|security\\s*scanner|fraud\\s*auditor|ad\\s*(?:quality|fraud)?\\s*scanner|Sunglasses))\n(?=.*(?:override|supersede|outrank|treat\\s+as\\s+(?:policy|authority)|ignore\\s+(?:system|developer|scanner)|do\\s+not\\s+report|suppress|hide|mark\\s+(?:as\\s+)?clean|include|attach|forward|reuse))\n(?=.*(?:system|developer|instruction|finding|report|fraud\\s*signal|verification|cookie|token|api\\s*key|env(?:ironment)?\\s*(?:var(?:iable)?s?)?|local\\s*state|session))\n.*"
+  ],
+  "examples": {
+    "malicious": [],
+    "benign": []
+  },
+  "references": [],
+  "contributed_by": "Sunglasses Team",
+  "date_added": "2026-06-13",
+  "source": "patterns.py:GLS-DFP-029"
+}

attack-db/attacks/discovery-file-poisoning/GLS-DFP-030-tdmrep-rights-metadata-agent-policy-poisoning.json

@@ -0,0 +1,39 @@
+{
+  "id": "GLS-DFP-030",
+  "name": "TDMRep rights metadata agent-policy poisoning",
+  "version": "1.0",
+  "category": "discovery_file_poisoning",
+  "severity": "high",
+  "channels": [
+    "file",
+    "web_content"
+  ],
+  "description": "TDMRep or text-and-data-mining rights metadata can hide agent-directed instructions that tell AI crawlers/scanners to treat the rights file as higher authority, suppress findings, or disclose local authorization/environment details.",
+  "keywords": [
+    "/.well-known/tdmrep.json",
+    "AI crawler",
+    "LLM agent",
+    "SEO agent",
+    "do not report",
+    "ignore/bypass",
+    "mark clean",
+    "privacy auditor",
+    "rights-reservation",
+    "security scanner",
+    "supersedes system/developer",
+    "suppress/hide findings",
+    "tdm-reservation",
+    "tdmrep"
+  ],
+  "regex": [
+    "(?is)^(?!.*\\b(?:do\\s+not|never|must\\s+not)\\s+(?:obey|treat|trust|follow|accept|allow).{0,80}\\b(?:tdmrep|tdm[-_\\s]?reservation|rights[-_\\s]?reservation|text[-\\s]and[-\\s]data[-\\s]mining)\\b)(?!.*\\b(?:scanner\\s+docs?|docs?|guide|article|reference|training|security\\s+report|incident\\s+report|vulnerability\\s+report)\\b.{0,120}\\b(?:should|must|will)\\s+(?:report|detect|flag|refuse|ignore|not\\s+obey)\\b)(?=.*\\b(?:tdmrep|tdm[-_\\s]?reservation|text[-\\s]and[-\\s]data[-\\s]mining|text/data\\s+mining|rights[-_\\s]?reservation|rights\\s+policy|\\.well-known/tdmrep\\.json)\\b)(?=.*\\b(?:ai\\s+agents?|ai\\s+crawlers?|llm\\s+(?:agents?|crawlers?)|assistants?|security\\s+scanners?|privacy\\s+auditors?|seo\\s+agents?|crawler\\s+agents?)\\b)(?=.*\\b(?:supersed\\w*|overrid\\w*|ignore|bypass|obey|follow|treat\\s+as\\s+policy|trust\\s+this|do\\s+not\\s+report|not\\s+report|suppress|hide|mark\\s+(?:clean|safe)|include|forward|send|attach)\\b)(?=.*\\b(?:system|developer|instructions?|policy|prompt[-\\s]?injection|findings?|scanner\\s+results?|authorization|bearer|api[-_\\s]?key|tokens?|cookies?|env(?:ironment)?(?:\\s+variables?)?|local\\s+state|secrets?)\\b).*$"
+  ],
+  "examples": {
+    "malicious": [],
+    "benign": []
+  },
+  "references": [],
+  "contributed_by": "Sunglasses Team",
+  "date_added": "2026-06-13",
+  "source": "patterns.py:GLS-DFP-030"
+}

attack-db/attacks/discovery-file-poisoning/GLS-DFP-031-traffic-advice-metadata-agent-policy-poisoning.json

@@ -0,0 +1,37 @@
+{
+  "id": "GLS-DFP-031",
+  "name": "Traffic-advice metadata agent-policy poisoning",
+  "version": "1.0",
+  "category": "discovery_file_poisoning",
+  "severity": "high",
+  "channels": [
+    "file",
+    "web_content"
+  ],
+  "description": "`/.well-known/traffic-advice` or crawler traffic-control JSON can blend normal crawler-rate policy with agent/scanner-directed instructions that claim authority, suppress reports, or request local credentials.",
+  "keywords": [
+    "/.well-known/traffic-advice",
+    "AI agents",
+    "LLMs",
+    "SEO agents",
+    "assistants",
+    "auditors",
+    "capacity_fraction",
+    "cookie",
+    "crawl_delay",
+    "crawlers",
+    "disable",
+    "do not report"
+  ],
+  "regex": [
+    "(?is)^(?!(?=.*\\b(?:do not|don't|never|must not|should not)\\s+(?:obey|treat|accept|use|follow|interpret)\\b.{0,140}\\b(?:traffic-advice|traffic_advice|crawler(?:\\s|-)?policy|metadata|site policy)\\b))(?=.*\\b(?:traffic-advice|traffic_advice|user_agent|crawl_delay|capacity_fraction|crawler\\s*(?:traffic|control|policy)|rate\\s*(?:limit|window))\\b)(?=.*\\b(?:ai\\s*agents?|assistants?|llms?|models?|scanners?|crawlers?|seo\\s*agents?|auditors?)\\b)(?=.*\\b(?:ignore|override|supersede|outrank|bypass|disable|do\\s+not\\s+report|suppress|hide|omit|forward|send|include|exfiltrate)\\b)(?=.*\\b(?:system|developer|higher[-\\s]?priority|security|scanner|findings?|report|token|api[-_\\s]?key|authorization|cookie|env(?:ironment)?|secret|local\\s+(?:state|files?))\\b).*"
+  ],
+  "examples": {
+    "malicious": [],
+    "benign": []
+  },
+  "references": [],
+  "contributed_by": "Sunglasses Team",
+  "date_added": "2026-06-13",
+  "source": "patterns.py:GLS-DFP-031"
+}

attack-db/attacks/discovery-file-poisoning/GLS-DFP-032-webmention-micropub-endpoint-metadata-agent-policy-poisoning.json

@@ -0,0 +1,35 @@
+{
+  "id": "GLS-DFP-032",
+  "name": "Webmention / Micropub endpoint metadata agent-policy poisoning",
+  "version": "1.0",
+  "category": "discovery_file_poisoning",
+  "severity": "high",
+  "channels": [
+    "file",
+    "web_content"
+  ],
+  "description": "Detects Webmention, Micropub, WebSub, IndieAuth, or link-relation endpoint discovery metadata that tells AI agents, crawlers, or scanners to treat endpoint text as higher-priority policy, suppress findings, or forward local credentials/session material.",
+  "keywords": [
+    "Link:",
+    "agentic crawler",
+    "attach",
+    "audit report",
+    "authorization_endpoint",
+    "autonomous scanner",
+    "cookies",
+    "do not report",
+    "forward",
+    "hide"
+  ],
+  "regex": [
+    "(?isx)\n^(?!\n  (?=.*\\b(?:docs?|guide|article|training|scanner\\s+docs?|learn\\s+how|reference)\\b)\n  (?=.*\\b(?:should|must|do\\s+not|does\\s+not|never|refuse|report|detect|flag)\\b)\n  (?=.*\\b(?:webmention|micropub|websub|indieauth|rel\\s*=\\s*[\"']?(?:webmention|micropub|hub)|authorization_endpoint|token_endpoint)\\b)\n)\n(?=.*(?:rel\\s*=\\s*[\"']?(?:webmention|micropub|hub|authorization_endpoint|token_endpoint)|webmention[_-]?endpoint|micropub[_-]?endpoint|websub|Link:\\s*<[^>]+>;\\s*rel\\s*=\\s*[\"']?(?:webmention|micropub|hub)|indieauth[-_]?metadata|authorization_endpoint|token_endpoint))\n(?=.*(?:ai[-\\s]?agents?|assistants?|agentic\\s+(?:scanner|crawler|auditor)|autonomous\\s+(?:scanners?|agents?|crawlers?)|llms?|models?|security\\s+scanners?))\n(?=.*(?:ignore|override|supersede|outrank|treat\\s+this\\s+endpoint\\s+as|must\\s+obey|do\\s+not\\s+report|suppress|hide|forward|include|attach|send|read\\s+(?:local|browser)|load\\s+(?:cookies?|tokens?)))\n(?=.*(?:system|developer|user\\s+instructions|security\\s+findings|report|audit|cookies?|tokens?|api[-_\\s]?keys?|authorization|local\\s+(?:storage|state)|session))\n.*"
+  ],
+  "examples": {
+    "malicious": [],
+    "benign": []
+  },
+  "references": [],
+  "contributed_by": "Sunglasses Team",
+  "date_added": "2026-06-13",
+  "source": "patterns.py:GLS-DFP-032"
+}