Added
DLP — broad secret coverage
- Expanded the DLP secret-redaction dictionary to broad coverage of credentials that must never leave the org: AI/LLM providers (OpenAI, Anthropic, OpenRouter, Groq, xAI, Perplexity, Hugging Face, Replicate, Fireworks, NVIDIA, Anyscale, LangSmith); cloud (broadened AWS key prefixes + secret/session/MWS tokens, Google API/OAuth tokens, Azure Storage keys, DigitalOcean); source control / CI / infra (GitHub fine-grained PATs, GitLab, npm, PyPI, RubyGems, Docker Hub, Vault, Terraform Cloud, Databricks, Atlassian, New Relic, Sentry); and payment / commerce / comms (Stripe restricted + webhook secrets, Square, and others).
Fail-safe
- Global proxy bypass —
LLM_FW_BYPASS=true(proxy.bypass) turns the proxy into a transparent tunnel (no MITM, no detection, no blocking), restoring connectivity instantly if a detection change locks the operator out.
Changed
- System prompt is now a trusted surface — parsers gained
extractSystem()(Anthropic/OpenAI/Cohere/Gemini/Bedrock) and the pipeline excludes the system prompt from injection scanning by default, fixing false-positive blocks on legitimate LLM traffic. Opt back in viadetection.scanSystemPrompt. - Embedding stage uses a contrastive margin against the benign corpus so injections separate cleanly from benign instructions while preserving cross-lingual recall.
- Detection recall raised to 100% on the JBB-behaviors set with a lower false-positive rate across JBB, HarmBench, and AdvBench.
Fixed
- DGA/exfil: the entropy check now also screens the registrable (apex) label, so bare DGA domains are caught.
- Whitelist now honored —
normalizeDomainEntry()strips scheme/path/port/userinfo/leading*.|.and whitespace, so operator entries likehttps://webhook.site,webhook.site/, and*.example.comactually match. - Urdu/Somali injections now have deterministic heuristics like the other hand-coded languages.
Scorecard: 100% TPR / 0% FPR (heuristic + embedding, judge off).
Full changelog: v0.2.0...v0.3.0