Changelog
v0.1.1 (Pattern Coverage Fix)
Detectors
- d001 System Prompt Extraction — Fixed patterns that rejected the article “the” (e.g., “reveal the system prompt” was not detected). Broadened verb coverage with
give, share, disclose, expose and added optional indirect objects (me/us). Added two new patterns: contraction form (“what’s your system prompt”) and indirect requests (“can you share the system prompt”).
- d003 Instruction Override — Added two new patterns for system-level bypass attempts (“override system”, “bypass safety filters”, “circumvent the system restrictions”, “disable safety guardrails”) and deactivation attempts (“turn off content filters”, “deactivate safety protections”). Previously the override pattern required a temporal qualifier and instruction noun, so bare phrases like “override system” were missed.
- d004 Prompt Leaking — Added
reveal, show, display verbs to the repeat-system-message pattern for consistent coverage across detectors.
v0.1.0 (Initial Release)
Engine
- Core
PromptShieldEngine with scan, batch scan, feedback, and threat management
- Layered configuration system (YAML + env vars + dict overrides)
- Allowlist and blocklist regex pattern support
- Scan history with SQLite persistence and configurable retention
Detectors (21 built-in)
- Direct injection: d001 System Prompt Extraction, d002 Role Hijack, d003 Instruction Override, d004 Prompt Leaking, d005 Context Manipulation, d006 Multi-Turn Escalation, d007 Task Deflection
- Obfuscation: d008 Base64 Payload, d009 ROT13/Character Substitution, d010 Unicode Homoglyph, d011 Whitespace/Zero-Width Injection, d012 Markdown/HTML Injection, d020 Token Smuggling
- Indirect injection: d013 Data Exfiltration, d014 Tool/Function Abuse, d015 RAG Poisoning, d016 URL Injection
- Jailbreak: d017 Hypothetical Framing, d018 Academic/Research Pretext, d019 Dual Persona
- Self-learning: d021 Vault Similarity
Self-Learning
- ChromaDB-backed attack vault with sentence-transformer embeddings
- Automatic storage of detected attacks for similarity matching
- User feedback system (true positive / false positive)
- Auto-tuner for per-detector threshold adjustment
- Community threat feed export, import, and remote sync
Agentic Security
AgentGuard with 3-gate model (input, data, output)
- Canary token injection and leak detection
PromptShieldMCPFilter for transparent MCP server protection
- Tool argument and result scanning
Integrations
- FastAPI / Starlette middleware
- Flask WSGI middleware
- Django middleware
- LangChain callback handler
- LlamaIndex handler
CLI
prompt-shield scan with file/stdin/text input
prompt-shield detectors list/info
prompt-shield config init/validate
prompt-shield vault stats/search/clear
prompt-shield feedback
prompt-shield threats export/import/sync/stats
prompt-shield test and prompt-shield benchmark
Plugin System
BaseDetector interface for custom detectors
- Auto-discovery of detectors in the
prompt_shield.detectors package
- Entry point discovery for third-party detector packages
- Runtime registration via
engine.register_detector()