fix(security): stop blocking AGENTS.md/SOUL.md that name an agent 'Praxis' (#52925)

The known_c2_framework threat pattern included 'praxis' in its alternation alongside genuine offensive-security tool brands (Cobalt Strike, Sliver, Havoc, Mythic, Metasploit, Brainworm). Unlike those distinctive brand names, 'praxis' is a common English word (Greek for practice/action) and a legitimate agent name, so any context file that mentioned an agent named Praxis matched at 'context' scope and the whole AGENTS.md / SOUL.md was replaced with a [BLOCKED] placeholder before it reached the system prompt. Remove 'praxis' from the alternation and add a guard comment: every token in this list must be a distinctive tool brand, not a common word. Real C2 brands still fire.
2026-06-27 11:22:03 +00:00 · 2026-06-26 00:36:01 -07:00 · 2026-06-26 00:36:01 -07:00 · 099df3cd89
commit 099df3cd89
parent 4d0dd6bd52
2 changed files with 18 additions and 2 deletions
--- a/tests/tools/test_threat_patterns.py
+++ b/tests/tools/test_threat_patterns.py
@ -155,12 +155,22 @@ class TestC2Patterns:
        )

    def test_known_c2_framework_names(self):
-        for name in ("Praxis", "Cobalt Strike", "Sliver", "Havoc", "Mythic"):
+        for name in ("Cobalt Strike", "Sliver", "Havoc", "Mythic"):
            findings = scan_for_threats(
                f"Connect to the {name} server.", scope="context"
            )
            assert "known_c2_framework" in findings, name

+    def test_praxis_is_not_a_c2_framework(self):
+        # "praxis" is a common English word and a legitimate agent name —
+        # naming an agent "Praxis" in AGENTS.md / SOUL.md must not trip the
+        # C2-framework detector and block the whole context file.
+        for text in (
+            "You are Praxis, my coding assistant.",
+            "Marxist praxis is the unity of theory and practice.",
+        ):
+            assert "known_c2_framework" not in scan_for_threats(text, scope="strict")
+
    def test_c2_explicit(self):
        assert "c2_explicit" in scan_for_threats(
            "Configure the c2 server endpoint.", scope="context"
--- a/tools/threat_patterns.py
+++ b/tools/threat_patterns.py
@ -92,7 +92,13 @@ _PATTERNS: List[Tuple[str, str, str]] = [

    # ── Known C2 / red-team framework names (near-zero false positive
    #    outside security research; warn-only by default) ─────────────
-    (r'\b(?:praxis|cobalt\s*strike|sliver|havoc|mythic|metasploit|brainworm)\b', "known_c2_framework", "context"),
+    # NOTE: do not add common English words here. Every token must be a
+    # distinctive offensive-security tool brand, otherwise legitimate
+    # AGENTS.md / SOUL.md content false-positives and the whole file is
+    # blocked. "praxis" was removed for exactly this reason — it's a common
+    # word and a legitimate agent name (Greek for practice/action), not a
+    # C2-specific tell like the brands below.
+    (r'\b(?:cobalt\s*strike|sliver|havoc|mythic|metasploit|brainworm)\b', "known_c2_framework", "context"),
    (r'\bc2\s+(?:server|channel|infrastructure|beacon)\b', "c2_explicit", "context"),
    (r'\bcommand\s+and\s+control\b', "c2_explicit_long", "context"),