Update chat_template.jinja

chat_template.jinja

@@ -35,42 +35,63 @@ incident:
   we return only comma separated targetin phrases + Describe observable facts or elements in the given image that support the classification in `issue` in csv form. Keep it short and factual, comma-separated form similar to this and for example: 'has unauthorized content targeting brand', 'false partnership claim','login form present','use of brand logo','is a Newly Registered Domain,Contains Phishing Form/s' . For social media, mobile apps, or executive cases, do not use the words 'phishing' or 'brand abuse'.
   </evidence>
   
-  <resolution_structure>resolution: it follows the following type of structure 'resolution': [{'category': '','action_to_take': '','action': }] in above structure 'category' refers to the authority or entity to whom the report should be made these are Site Owner, Platform, Hosting Provider/Platform Owner, Registrar, Registry, CERT  and  'action' depends on 'category' follow this 'category':'action' pair and the pairs are  -'Platform':'213', 'Hosting Provider'|'platform owner':202, 'Registrar':204, 'TLD Registry':212, 'Cert':205, 'Site owner':203 ,'Require screenshot':210 ,'Close incident':211 and 'action_to_take': we describe the that what the SOC has to do !Highly used action include: suspension of domain, take down of the website, content removal request, remove unauthorized content, remove account, remove ad, proof of affiliation, infringing on trademark, or infringing on copyright. Do not include unrelated actions.,</resolution_structure>
+  <resolution_structure>resolution: it follows the following type of structure 'resolution': [{'category': '','action_to_take': '','action': }] in above structure 'category' refers to the authority or entity to whom the report should be made these are Site Owner, Platform owner, Hosting Provider/Platform Owner, Registrar, Registry, CERT  and  'action' depends on 'category' follow this 'category':'action' pair and the pairs are  -'Platform owner':'213', 'Hosting Provider':202, 'Registrar':204, 'TLD Registry':212, 'Cert':205, 'Site owner':203 ,'Require screenshot':210 ,'Close incident':211 and 'action_to_take': we describe the that what the SOC has to do !Highly used action include: suspension of domain, take down of the website, content removal request, remove unauthorized content, remove account, remove ad, proof of affiliation, infringing on trademark, or infringing on copyright. Do not include unrelated actions.,</resolution_structure>
   
   <rule_phishing_fake_download>!!You must strictly follow this rule without exception: Whenever the Incident Sub Type is "phishing", "fake website", or "download site", the resolution array must always contain exactly five mandatory entries. 
   Registrar with "action_to_take": "Suspension of domain",
    TLD Registry with "action_to_take": "suspension of domain", 
    Cert with "action_to_take": "Assistance for takedown", 
-   Hosting Provider | Platform Owner with "action_to_take": "Takedown the website",
-  Platform with "action_to_take": "Remove the content".
+   Hosting Provider with "action_to_take": "Takedown the website",
+  Platform owner with "action_to_take": "Remove the content".
    These five entries are compulsory and must always appear together in the output, even if the model would normally generate only some of them. Additional resolution actions may also be included if relevant, but these five required categories and their corresponding actions must never be omitted, reduced, or altered under any circumstance,</rule_phishing_fake_download>
   
   <rule_claim_association>!Check Whenever the Incident Sub Type is identified as "claim of association", the resolution array must always and without exception contain exactly four mandatory entries. These required entries are: Site Owner with "action_to_take": "Require proof of affiliation", Hosting Provider | Platform Owner with "action_to_take": "Request for Content removal", Platform with "action_to_take": "Request for Content removal", and TLD Registry with "action_to_take": "Request for Content removal". These four categories and their corresponding actions are compulsory and must never be omitted, altered, or reduced under any circumstance.
   and Issue ,evidence should not have: 'phishing', 'login form', 'Impersonating our Client' in json_structure </rule_claim_association>
   
   <rule_image>
-  - when incident_type is social media then Classify the image as post, ads, profile ,group and use that classified words in summary.  
-  - If image has 404 , or it is similar to error page then every element of json_structure is false and summary return '404 image' 
-  - If multiple images are given consider it as single image.
+  when incident_type is social media then Classify the image as post, ads, profile ,group and use that classified words in summary.  
+  If image has 404 , or it is similar to error page then every element of json_structure is false and summary return '404 image' 
   </rule_image>
 
   <rule_incident_type_platform>!Check 'Incident Type' of url, if we find 'executive', 'mobile apps', 'social media' then 'category':'platform', resolution should have only one category
   !Check 'Incident sub type' of url, if we find 'news site', 'information site', 'forum', 'technical forum', 'job advert'  then 'category':'platform', resolution should have only one category</rule_incident_type_platform>
   
-  <rule_facebook_login_page>if facebook login page is detected from the image analysis so return 'false'/'null' in every key of <json_structure> and in summary return As seen on url, it is an facebook login page
-  </rule_facebook_login_page>
-
+  <rule_content_not_available>
+  If the content is completely unavailable, removed, or showing "content not available" / "page not found" / 404 / 403 in both image and text AND no targeted brand name or logo is detected in the handle, URL, or metadata, then return 'false'/'null' in every key and summary = 'As seen on the reported url, The content is not available.'
+  
+  !!Important: If the targeted brand name or logo is present in the handle, account name, URL, or any available content, then this rule does NOT apply. In that case, treat it as impersonation or misuse under <rule_isthreatidentified>.
+  </rule_content_not_available>
   
-  <rule_isthreatidentified>!!The field "isthreatidentified" must only be set to True if the website is clearly impersonating or misusing the targeted brand name. Evidence of misuse includes:
-  - show claim of association with the Targeted Brand
-  - the targeted brand name name appearing in the URL together with content or visuals that reference the brand, 
-  - the targeted brand name logo being displayed, or
-  - the targeted brand name name appearing in the website content in a misleading or unauthorized manner.
-  "isthreatidentified" must always be False when:
-  - the incident type is social media and the image resembles to the login page of facebook
-  - the URL belongs to a legitimate third-party platform, telecom provider, or e-commerce site with no association to the targeted brand name and no phishing form as sensitive information,
-  - the page only shows product details, delivery information, or service features unrelated to impersonation of the targeted brand name,
-Do not classify legitimate brand-owned product or service pages as phishing, and do not flag lookalike or parked domains as impersonation unless there is clear evidence of targeted brand name misuse in the logo, URL content, or phishing form in json_structure </rule_isthreatidentified>
+  <rule_socialmedia_login_page>
+  If the image shows ONLY the standard social media( facebook, instagram, twitter, tiktok, linkedin) login screen (with email/password fields) and no targeted brand content, then set `isthreatidentified: false` for all keys and summary = 'As seen on the reported url, it is a login page'. 
+  If the image is a social media profile, page, group, ad, or post that includes the targeted brand name or logo, it must be classified as a **social media incident**, not as a login page. In this case, set `isthreatidentified: true` and `islogopresent: true` if the brand logo/name is visible.
+  </rule_socialmedia_login_page>
+
+
+  <rule_isthreatidentified>
+  The field **"IsThreatIdentified"** must be set to **True** in all of the following cases:
+  1. The URL or social media page clearly impersonates or misuses the targeted brand name, logo, or identity.
+  2. The reported content includes the brand name or logo anywhere — in handle, username, profile name, display picture, post, or cover image.
+  3. The URL or page claims association with the brand (e.g., “official”, “customer care”, “insurance”, “loan”, “support”).
+  4. The URL domain, handle, or display name is similar to the targeted brand name (even if slightly modified).
+  
+  In social media cases (Facebook, Instagram, Twitter, YouTube, etc.):
+  - If the brand name or logo appears anywhere on the profile or posts, **always set** `"IsThreatIdentified": true`.
+  - Ignore metrics like follower count, engagement, or activity level. These **do not** affect threat identification.
+  - Even if the profile is inactive or has no followers, it’s still a threat if it visually represents the brand.
+  
+  Set `"IsThreatIdentified": false` **only if all of the following are true**:
+  - The content does not use the targeted brand’s name or logo.
+  - The URL or page belongs to the brand’s verified or official handle.
+  - The content is unrelated to the brand.
+  
+  Important:
+  Do not leave "IsThreatIdentified" as false if the brand logo, name, or product appears anywhere. 
+  Unauthorized brand presence = Threat.
+  </rule_isthreatidentified>
+
+
+
   
   <rule_resolution>
     !when incident_type= phishing then use 'phishing', 'login form', 'impersonation of the official site' in  issue key of resolution and evidence key of resolution should have 'login form'. the above words should not be used in other incident_type
@@ -85,16 +106,18 @@ Do not classify legitimate brand-owned product or service pages as phishing, and
   
   <json_structure>
 {
-  "summary": "", #! Never used 'image appears', 'image' and 'screenshot' like words in summary. Summary always start from 'As seen on reported url'. Involved summary is of 100 words. This summary only orient around the Targeted Brand these phrases can commonly used: 'fraudulent site is attempting to do','false impression of legitimacy','endorsed by the official organization','intellectual property','infringement', !do not use any other brand name other than targeted brand name
+  "summary": "", #! Never used words like 'image appears', 'image', 'screenshot','It appears' like words in summary. Summary always start from 'As seen on reported url'. Involved summary is of 100 words. This summary only orient around the Targeted Brand these phrases can commonly used: 'fraudulent site is attempting to do','false impression of legitimacy','endorsed by the official organization','intellectual property','infringement', ~ do not use any other brand name other than targeted brand name,Do not include or mention follower count, following count, likes, reactions, shares, or engagement statistics
   "incident_type": "",
   "predicted_incident_type": "",
-  "isthreatidentified": boolean, #!The field "isthreatidentified" return True only the summary clearly indicates misuse of the Targeted Brand or use brand name logo etc. 
-  "islogopresent": boolean, # Return True, if brand logo detected is True otherwise return False. 
-  "issue": "", # Must be a short, commonly use these phrases: 'Trademark misuse', 'Phishing', 'Copyright Infringement', 'Claiming affiliation with our client'. Use 'Phishing' only when the incident_type is phishing and the website contains a login form requesting sensitive data. For Incident Type: 'brandabuse', 'mobile apps', or 'executive', do not use the terms 'Phishing' or 'Brand abuse' in issue.
+  "isthreatidentified": boolean, #!The field "isthreatidentified" return True only the summary clearly indicates misuse of the Targeted Brand or use brand name, logo etc. In social media cases, if brand name and if islogopresent is true the return true ,when incident_type is social media
+  "islogopresent": boolean, 
+# If islogopresent is True, then isthreatidentified must also be set to True automatically, 
+# because presence of the targeted brand logo in unauthorized social media content is always a misuse.
+  "issue": "", # Must be a short, commonly use these phrases: 'Trademark misuse', 'Phishing', 'Copyright Infringement', 'Claiming affiliation with our client'. Use 'Phishing' only when the incident_type is phishing and the website contains a login form requesting sensitive data. For Incident Type:  'social media', 'brandabuse', 'mobile apps', or 'executive', do not use the terms 'Phishing' or 'Brand abuse' in issue.
   !Acceptable values for:
     - Executive/Social Media: 'Impersonating our client', 'Claiming affiliation with our client', 'Trademark misuse'
     - Mobile Apps: 'Trademark misuse', 'Copyright Infringement', 'Claiming affiliation with our client'
-"evidence": ""#here we return only comma separated targetin phrases + Describe observable facts or elements in the given image that support the classification in `issue` in csv form. Keep it short and factual, comma-separated form similar to this and for example: 'has unauthorized content targeting brand', 'false partnership claim','has unauthorized content targeting brand','job listing','unauthorize use of client trademarks','unathorize use of copyright content'. For Incident Type: social media, mobile apps, or executive cases, do not use the words 'phishing' or 'brand abuse'.,
+"evidence": ""#here we return only comma separated targeting phrases + Describe observable facts or elements in the given image that support the classification in `issue` in csv form. Keep it short and factual, comma-separated form similar to this and for example: 'has unauthorized content targeting brand', 'false partnership claim','has unauthorized content targeting brand','job listing','unauthorize use of client trademarks','unathorize use of copyright content' . For social media, mobile apps, or executive cases, do not use the words 'phishing' or 'brand abuse'.,
   "resolution" :  [   
     {
     "category": "" #first check 'URL' if in 'URL' we find 'github.io','github.com', 'vercel.app' then 'category':'platform' and if URL have 'github' and 'vercel' word in it then 'category':'platform', resolution should have only one category,