v0.2.66

Added (discovery_file_poisoning expansion — agent config/discovery-file class)

• +8 discovery_file_poisoning patterns (GLS-DFP-083, 084, 087, 088, 089, 090, 095, 096) — coverage for poisoned config/discovery surfaces AI agents read and trust: redacted HAR-bundle sidecars, Release-Please/Changesets configs, WebdriverIO/Selenium test configs, WebGPU/shader source comments, OpenTelemetry trace/baggage metadata, PowerShell module manifests, GitHub Discussion templates, and repository ruleset / branch-protection exports. 1,038 → 1,046 patterns / 65 categories / 7,631 keywords.
• All 8 passed the clean-code false-positive gate (test_false_positives + test_real_corpus_fp) before ship — the same Miasma/Hades agent-config-poisoning class where a trusted repo file becomes agent policy on read.

v0.2.65

Added (discovery_file_poisoning expansion)

• +19 discovery_file_poisoning patterns (GLS-DFP-058..GLS-DFP-082, excluding 060/063/066/069/070/076) — new coverage for poisoned discovery surfaces: Allure/test-report metadata, security.txt, .well-known manifests, syndication feeds, and related agent-policy carriers. 1,019 → 1,038 patterns / 65 categories / 7,548 keywords.
• 6 patterns from the same batch were held back for false-positive tightening (they fired on clean code/docs) — the FP credibility gate from v0.2.64 caught them before ship. They will return after regex hardening.

Fixed (credibility)

• Genericized 3 pattern descriptions that referenced internal operator paths/filenames (no detection change) — public surfaces no longer expose internal infrastructure naming.

v0.2.64

Fixed (engine reliability — false positives + scanner hang)

• False positives eliminated on clean code (86 → 0) — pruned generic plural/common words (e.g. "ai agents", "cookie", "env", "group", "path") that leaked from KEYWORD_DENYLIST and flooded legitimate code with findings. Full test suite green (216 passed, 7 xfailed) — zero detection recall lost.
• ReDoS / scanner hang fixed at root — 31 lookahead-led whole-document classifier regexes were evaluated with .search() (re-run at every offset → O(n²) catastrophic backtracking on large files). engine.py now flags anchored patterns and uses .match() (position-0, exact whole-document semantics) for those, keeping .search() for the ~1,035 token-finders. Worst real file (decoder.py) 117s → 0.30s; a 1.4 MB file now scans linearly (~2.3s).
• Enrichment gating — ROT13/reverse/shape preprocessing now capped at ≤2000 chars (a secondary hang + false-positive source).
• SARIF helpUri fixed — per-finding /patterns/<ID> always-404 links replaced with category→chapter deep-links (11 live pages) plus a /patterns hub fallback, unblocking the GitHub Action / Security-tab integration.

Reliability release — pattern library unchanged at 1,019 patterns / 65 categories / 7,350 keywords.

v0.2.63

Added (V2 SHIP #9 — discovery_file_poisoning continued + repo_metadata_poisoning new category)

• 13 new patterns — GLS-DFP-051 through GLS-DFP-057 (7 patterns, continued discovery_file_poisoning expansion targeting IaC/policy files, admission controllers, and agent instruction carriers) + GLS-RMP-001 through GLS-RMP-006 (6 patterns, new repo_metadata_poisoning category covering CODEOWNERS files, release notes/changelogs, repository topics/tags, contributor lists, and governance metadata that AI coding agents read as authoritative policy). Pattern count: 1,006 → 1,019. Keywords: 7,171 → 7,350. Categories: 64 → 65.
• New blog: Repo Metadata Poisoning: When CODEOWNERS, Release Notes, and Topics Become Agent Policy — covers how attackers hide agent instructions in the governance metadata layer of a repository, and how Sunglasses runtime trust catches it before the agent acts. Written by JACK, research by Cava.

Context

repo_metadata_poisoning (GLS-RMP-001..006) is the 65th category in the Sunglasses detection library. It targets the trusted governance metadata that AI coding agents read before acting on a repository — CODEOWNERS, release notes, CHANGELOG files, repository description/topics, contributor lists, and issue/PR templates. This metadata carries strong implied authority: agents treat it as "the rules of this repo." The six patterns detect covert agent directives hidden in each carrier type, including authority-framing phrases, token-injection patterns, and role-redefinition attempts.

v0.2.62

Added (V2 SHIP #8 — discovery_file_poisoning continued + FP credibility fix)

• 25 new patterns — GLS-DFP-026 through GLS-DFP-050 (continued expansion of the discovery_file_poisoning category). These patterns extend coverage of agent-policy poisoning in discovery and convention files (robots.txt, llms.txt, sitemap.xml, security.txt, .well-known/ manifests, and feed carriers) with hardened regexes that require real poison/authority-injection signal — eliminating false positives on legitimate discovery files. Pattern count: 981 → 1,006. Keywords: 6,946 → 7,171. Categories: 64 (unchanged).
• FP credibility fix: tightened all discovery_file_poisoning patterns to require affirmative injection evidence rather than file-presence alone. Clean robots.txt, llms.txt, security.txt, and sitemap.xml now pass cleanly; poisoned variants still block. Clean-corpus gate: 46 → 0 false positives (general clean-text corpus from the prior PR #50 fix).
• New blogs:
  • Discovery File Poisoning and Runtime Trust: What robots.txt Can't Actually Do
  • Discovery File Poisoning, Security Metadata, and Runtime Trust

Context

The discovery_file_poisoning category ships in two waves: GLS-DFP-001..025 (v0.2.61) established the category; GLS-DFP-026..050 (v0.2.62) harden detection precision and eliminate scanner false positives on normal discovery files — a credibility prerequisite for the category's launch blog.

v0.2.61

Added (V2 SHIP #7 — discovery_file_poisoning)

• 25 new patterns — GLS-DFP-001 through GLS-DFP-025 (new discovery_file_poisoning category). The discovery_file_poisoning category covers agent-policy poisoning hidden in the well-known discovery and convention files that AI agents and crawlers read to learn a site's "rules" — robots.txt, llms.txt/llms-full.txt, sitemap.xml, ads.txt/app-ads.txt/sellers.json, security.txt, humans.txt, .well-known/ manifests, and feed/manifest carriers — where a hostile file tries to redefine what an agent is allowed to do. Pattern count: 956 → 981. Category count: 63 → 64. Keywords: 6,612 → 6,946.
• New blog: Discovery File Poisoning: When robots.txt, llms.txt, and sitemaps Become Agent Policy — why discovery files are context, not authority, and how runtime trust stops poisoned robots.txt/llms.txt/sitemap files before agents act. Written by JACK, research by Cava.