Severity: LOW
Location
src/guard/patterns.ts:124 (PATTERN_BREAKERS) + signature matching
Summary
The normalization pipeline (NFKC + zero-width/bidi strip) correctly folds full-width Latin and removes invisible separators, but it does not map confusable homoglyphs — e.g. Cyrillic е (U+0435) for Latin e, Greek ο for Latin o. NFKC does not fold these, so ignоre previous instructions (with a Cyrillic о) evades the injection signatures while remaining visually identical to a human/LLM reader.
Recommended fix
Add a confusable-fold step (Unicode confusables.txt / skeleton mapping, or a small targeted Latin-lookalike table) before regex matching. Scope can be limited to the script ranges most used for evasion (Cyrillic/Greek → Latin).
Acceptance criteria
Filed from a repo security review.
https://claude.ai/code/session_01XX9sT7kYs1ctQyY2SBg87t
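The confusable-fold step recommended above, sketched as an added example (not the project's code and not part of the original report). Every name here is hypothetical, and the lookalike table and the signature are constructed for illustration rather than taken from confusables.txt or from `src/guard/patterns.ts`.

```typescript
// Added example; all names are hypothetical, not taken from src/guard/patterns.ts.
// Constructed, targeted Cyrillic/Greek -> Latin table (lowercase only, since the
// input is lowercased first). \u escapes keep the source itself unambiguous.
const CONFUSABLES: Record<string, string> = {
  "\u0430": "a", "\u0435": "e", "\u043E": "o", "\u0440": "p", "\u0441": "c",
  "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
  "\u03B1": "a", "\u03B9": "i", "\u03BF": "o", "\u03BD": "v", "\u03C1": "p",
};
const FOLDABLE = new RegExp("[" + Object.keys(CONFUSABLES).join("") + "]", "g");
// Zero-width and bidi controls (soft hyphen included).
const INVISIBLES = /[\u00AD\u200B-\u200F\u202A-\u202E\u2060-\u2064\u2066-\u2069\uFEFF]/g;

// Stage 1: the normalization the issue describes as already in place.
function normalizeBase(input: string): string {
  return input.normalize("NFKC").replace(INVISIBLES, "");
}

// Stage 2 (proposed): match-only skeleton. Never forward this string; it
// rewrites legitimate Cyrillic/Greek text and is only fit for regex matching.
function foldConfusables(input: string): string {
  return normalizeBase(input)
    .toLowerCase()
    .replace(FOLDABLE, (ch) => CONFUSABLES[ch]);
}

// Constructed stand-in for one injection signature.
const SIGNATURE = /ignore\s+previous\s+instructions/i;

interface ScanResult {
  baseHit: boolean;     // signature matched after stage 1 only
  foldedHit: boolean;   // signature matched after stage 2
  mixedScript: boolean; // some word mixes ASCII letters with a lookalike
}

function scan(input: string): ScanResult {
  const base = normalizeBase(input);
  const mixedScript = base
    .toLowerCase()
    .split(/\s+/)
    .some((w) => /[a-z]/.test(w) && w.replace(FOLDABLE, "") !== w);
  return {
    baseHit: SIGNATURE.test(base),
    foldedHit: SIGNATURE.test(foldConfusables(input)),
    mixedScript,
  };
}
```

A result with `foldedHit` true and `baseHit` false is the evasion case this issue describes; text written entirely in Cyrillic or Greek leaves all three fields false.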