Reduces false positives on benign technical content — source code, product/security documentation, and security-agent system prompts — that earlier versions could misflag as attacks because they share vocabulary with real threats.
Fixed
- Benign source code, docs, and security system prompts no longer false-positive. Reading a source file (
def get_api_key(...),import React), a product README / API reference, or a SOC-analyst system prompt ("monitor for prompt injection and data exfiltration") previously scored as an attack. New original benign training examples for these content classes correct the over-defense.
Changed
- Retrained on the original corpus with the added benign-technical examples. Held-out precision and false-positive rate unchanged from v1.3.0 (precision ~0.97, held-out FPR ~0.02; long-document benign FPR 0.0). Obfuscation (leetspeak / homoglyph / spacing), buried-in-document, and base64 / hex / URL-encoded robustness maintained; common direct attacks (instruction-override, persona-jailbreak, credential exfiltration) remain caught.
Notes
- Precision improvement for the additive layer; the regex rule engine is unchanged. Content that quotes a literal attack payload verbatim (e.g. a changelog printing an injection string as an example) is still flagged — best handled by scoping enforcement to what an agent executes vs. what it merely reads.
- Data & legal posture unchanged: 100% original training data, no third-party datasets or pretrained weights; zero-dependency pure-Python runtime, byte-exact to the trained model (parity Δ = 0).