MCP AI Bridge

# Pattern System Refactor Plan ## 🎯 Objective Simplify the over-engineered pattern system in `security-optimized.js` while maintaining security effectiveness and improving maintainability. ## 🔍 Current State Analysis ### Issues Identified 1. **Complexity**: PatternCache class with complex hash checking (lines 63-171) 2. **Monolithic**: All patterns defined in single function 3. **Hard to Test**: Individual patterns not easily testable 4. **Maintenance**: Adding new patterns requires understanding entire system 5. **Performance**: Over-optimization adds unnecessary complexity ### Current Architecture ``` security-optimized.js ├── PatternCache (complex caching logic) ├── getCompiledPatterns (monolithic pattern compilation) ├── Pattern arrays (inline definitions) └── Configuration coupling (tightly bound) ``` ## 🏗️ Target Architecture ### Simplified Design ``` src/security/ ├── patterns/ │ ├── injection-patterns.js # Prompt injection patterns │ ├── content-patterns.js # Explicit content patterns │ ├── whitelist-patterns.js # Educational/safe patterns │ └── index.js # Pattern registry ├── cache/ │ ├── simple-cache.js # Simplified caching │ └── cache-utils.js # Cache utilities ├── validators/ │ ├── pattern-validator.js # Individual pattern testing │ └── security-validator.js # Main validation logic └── index.js # Public API ``` ## 📋 Implementation Plan ### Phase 1: Extract Pattern Definitions (Week 1) #### Task 1.1: Create Pattern Modules Create individual pattern files with clear, testable definitions: ```javascript // src/security/patterns/injection-patterns.js export const INJECTION_PATTERNS = [ { id: 'ignore_instructions', regex: /ignore\s+(previous|above|all|prior)\s.*?(instructions|commands|rules)/i, severity: 'high', category: 'instruction_override', description: 'Attempts to ignore system instructions', examples: ['ignore previous instructions', 'ignore all commands'], testCases: [ { input: 'ignore previous instructions', shouldMatch: true }, { input: 'ignore the noise outside', shouldMatch: false } ] }, // ... more patterns ]; ``` #### Task 1.2: Create Pattern Registry ```javascript // src/security/patterns/index.js import { INJECTION_PATTERNS } from './injection-patterns.js'; import { CONTENT_PATTERNS } from './content-patterns.js'; import { WHITELIST_PATTERNS } from './whitelist-patterns.js'; export class PatternRegistry { constructor(config) { this.config = config; this.patterns = this.buildPatternSet(); } buildPatternSet() { const patterns = { injection: [], content: [], whitelist: [] }; // Only include enabled pattern categories if (this.config.DETECT_PROMPT_INJECTION) { patterns.injection = INJECTION_PATTERNS.filter(p => this.shouldIncludePattern(p) ); } return patterns; } shouldIncludePattern(pattern) { // Simple logic to determine if pattern should be included // based on granular configuration } } ``` ### Phase 2: Simplify Caching (Week 1) #### Task 2.1: Create Simple Cache Replace complex PatternCache with straightforward implementation: ```javascript // src/security/cache/simple-cache.js export class SimplePatternCache { constructor() { this.cache = new Map(); } get(configKey) { return this.cache.get(configKey); } set(configKey, patterns) { this.cache.set(configKey, patterns); } clear() { this.cache.clear(); } getConfigKey(config) { // Simple string hash of relevant config options return JSON.stringify({ level: config.SECURITY_LEVEL, injection: config.DETECT_PROMPT_INJECTION, content: config.BLOCK_EXPLICIT_CONTENT, whitelist: config.WHITELIST_PATTERNS }); } } ``` ### Phase 3: Refactor Main Logic (Week 2) #### Task 3.1: Simplify Validation Logic ```javascript // src/security/validators/security-validator.js export class SecurityValidator { constructor(config) { this.config = config; this.cache = new SimplePatternCache(); this.registry = new PatternRegistry(config); } async validate(prompt) { const configKey = this.cache.getConfigKey(this.config); let patterns = this.cache.get(configKey); if (!patterns) { patterns = this.registry.buildPatternSet(); this.cache.set(configKey, patterns); } return this.runValidation(prompt, patterns); } runValidation(prompt, patterns) { // Simplified validation logic // Clear, linear flow without complex branching } } ``` ### Phase 4: Add Pattern Testing (Week 2) #### Task 4.1: Individual Pattern Tests ```javascript // tests/patterns/injection-patterns.test.js import { INJECTION_PATTERNS } from '../../src/security/patterns/injection-patterns.js'; describe('Injection Patterns', () => { INJECTION_PATTERNS.forEach(pattern => { describe(`Pattern: ${pattern.id}`, () => { test('should match positive test cases', () => { pattern.testCases .filter(tc => tc.shouldMatch) .forEach(testCase => { expect(pattern.regex.test(testCase.input)).toBe(true); }); }); test('should not match negative test cases', () => { pattern.testCases .filter(tc => !tc.shouldMatch) .forEach(testCase => { expect(pattern.regex.test(testCase.input)).toBe(false); }); }); }); }); }); ``` ## 🎯 Benefits of Refactor ### Maintainability - **Individual Pattern Files**: Easy to understand and modify - **Clear Separation**: Each pattern type has its own file - **Self-Documenting**: Patterns include descriptions and examples - **Testable Units**: Each pattern can be tested independently ### Performance - **Simpler Caching**: Easier to reason about and debug - **Selective Loading**: Only load patterns that are enabled - **Clear Dependencies**: Obvious what affects cache invalidation - **Reduced Complexity**: Less overhead from over-optimization ### Developer Experience - **Easy Pattern Addition**: Clear template for new patterns - **Better Debugging**: Individual pattern results visible - **Documentation**: Built-in examples and test cases - **IDE Support**: Better autocomplete and navigation ## 🧪 Testing Strategy ### Pattern-Level Tests - Individual pattern validation - Test case coverage for each pattern - Performance benchmarks per pattern - False positive/negative analysis ### Integration Tests - End-to-end validation scenarios - Cache behavior verification - Configuration change handling - Performance regression testing ### Migration Tests - Backward compatibility verification - Configuration migration testing - Security effectiveness comparison - Performance comparison with current system ## 📊 Success Metrics ### Code Quality - [ ] Reduce cyclomatic complexity by 50% - [ ] Achieve 100% test coverage for patterns - [ ] Decrease time to add new pattern from 30min to 5min - [ ] Improve code maintainability index by 25% ### Performance - [ ] Maintain <5ms validation time - [ ] Reduce memory usage by 20% - [ ] Improve cache hit ratio to >95% - [ ] Handle pattern updates without service restart ### Developer Experience - [ ] Reduce onboarding time for security contributions - [ ] Clear documentation for all patterns - [ ] IDE support for pattern development - [ ] Automated pattern validation in CI/CD ## 🚨 Risk Mitigation ### Security Risks - **Pattern Regression**: Comprehensive test suite prevents functionality loss - **False Negatives**: Side-by-side testing during migration - **Configuration Issues**: Validation for all config combinations ### Performance Risks - **Regression Testing**: Benchmark comparison before/after - **Load Testing**: Verify performance under realistic conditions - **Monitoring**: Performance metrics in production ### Migration Risks - **Backward Compatibility**: Maintain existing API surface - **Gradual Rollout**: Feature flag for new pattern system - **Rollback Plan**: Quick revert to current implementation if needed ## 📅 Timeline ### Week 1: Foundation - Day 1-2: Extract injection patterns - Day 3-4: Extract content and whitelist patterns - Day 5: Create pattern registry and simple cache ### Week 2: Integration - Day 1-2: Refactor main validation logic - Day 3-4: Add comprehensive pattern tests - Day 5: Performance testing and optimization ### Week 3: Validation - Day 1-2: End-to-end testing and debugging - Day 3-4: Security effectiveness validation - Day 5: Documentation and migration guide --- *This refactor will transform the pattern system from a complex, monolithic implementation to a clean, maintainable, and extensible architecture while preserving all security capabilities.*