Python: promote prompt injection queries from experimental to production

Mirror the JavaScript layout from PR #21953:
- Move SystemPromptInjection.ql / UserPromptInjection.ql to src/Security/CWE-1427
- Move customizations, query and framework libs to python/ql/lib
- Move the AIPrompt concept to the production Concepts.qll
- Drop the experimental tag; py/system-prompt-injection (high precision) now
  joins the code-scanning, security-extended and security-and-quality suites,
  while py/user-prompt-injection (low precision) stays out of the default suites
- Move query tests to python/ql/test/query-tests/Security

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

python/ql/integration-tests/query-suite/not_included_in_qls.expected

@@ -54,6 +54,7 @@ ql/python/ql/src/Metrics/NumberOfStatements.ql
 ql/python/ql/src/Metrics/TransitiveImports.ql
 ql/python/ql/src/Security/CWE-020-ExternalAPIs/ExternalAPIsUsedWithUntrustedData.ql
 ql/python/ql/src/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.ql
+ql/python/ql/src/Security/CWE-1427/UserPromptInjection.ql
 ql/python/ql/src/Security/CWE-798/HardcodedCredentials.ql
 ql/python/ql/src/Statements/C_StyleParentheses.ql
 ql/python/ql/src/Statements/DocStrings.ql
@@ -87,8 +88,6 @@ ql/python/ql/src/experimental/Security/CWE-079/EmailXss.ql
 ql/python/ql/src/experimental/Security/CWE-091/XsltInjection.ql
 ql/python/ql/src/experimental/Security/CWE-094/Js2Py.ql
 ql/python/ql/src/experimental/Security/CWE-1236/CsvInjection.ql
-ql/python/ql/src/experimental/Security/CWE-1427/SystemPromptInjection.ql
-ql/python/ql/src/experimental/Security/CWE-1427/UserPromptInjection.ql
 ql/python/ql/src/experimental/Security/CWE-176/UnicodeBypassValidation.ql
 ql/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/PossibleTimingAttackAgainstHash.ql
 ql/python/ql/src/experimental/Security/CWE-208/TimingAttackAgainstHash/TimingAttackAgainstHash.ql

python/ql/integration-tests/query-suite/python-code-scanning.qls.expected

@@ -17,6 +17,7 @@ ql/python/ql/src/Security/CWE-1004/NonHttpOnlyCookie.ql
 ql/python/ql/src/Security/CWE-113/HeaderInjection.ql
 ql/python/ql/src/Security/CWE-116/BadTagFilter.ql
 ql/python/ql/src/Security/CWE-1275/SameSiteNoneCookie.ql
+ql/python/ql/src/Security/CWE-1427/SystemPromptInjection.ql
 ql/python/ql/src/Security/CWE-209/StackTraceExposure.ql
 ql/python/ql/src/Security/CWE-215/FlaskDebug.ql
 ql/python/ql/src/Security/CWE-285/PamAuthorization.ql

python/ql/integration-tests/query-suite/python-security-and-quality.qls.expected

@@ -111,6 +111,7 @@ ql/python/ql/src/Security/CWE-113/HeaderInjection.ql
 ql/python/ql/src/Security/CWE-116/BadTagFilter.ql
 ql/python/ql/src/Security/CWE-117/LogInjection.ql
 ql/python/ql/src/Security/CWE-1275/SameSiteNoneCookie.ql
+ql/python/ql/src/Security/CWE-1427/SystemPromptInjection.ql
 ql/python/ql/src/Security/CWE-209/StackTraceExposure.ql
 ql/python/ql/src/Security/CWE-215/FlaskDebug.ql
 ql/python/ql/src/Security/CWE-285/PamAuthorization.ql

python/ql/integration-tests/query-suite/python-security-extended.qls.expected

@@ -21,6 +21,7 @@ ql/python/ql/src/Security/CWE-113/HeaderInjection.ql
 ql/python/ql/src/Security/CWE-116/BadTagFilter.ql
 ql/python/ql/src/Security/CWE-117/LogInjection.ql
 ql/python/ql/src/Security/CWE-1275/SameSiteNoneCookie.ql
+ql/python/ql/src/Security/CWE-1427/SystemPromptInjection.ql
 ql/python/ql/src/Security/CWE-209/StackTraceExposure.ql
 ql/python/ql/src/Security/CWE-215/FlaskDebug.ql
 ql/python/ql/src/Security/CWE-285/PamAuthorization.ql

python/ql/lib/semmle/python/Concepts.qll

@@ -1794,3 +1794,28 @@ module Cryptography {
 
   import ConceptsShared::Cryptography
 }
+
+/**
+ * A data-flow node that prompts an AI model.
+ *
+ * Extend this class to refine existing API models. If you want to model new APIs,
+ * extend `AIPrompt::Range` instead.
+ */
+class AIPrompt extends DataFlow::Node instanceof AIPrompt::Range {
+  /** Gets an input that is used as AI prompt. */
+  DataFlow::Node getAPrompt() { result = super.getAPrompt() }
+}
+
+/** Provides a class for modeling new AI prompting mechanisms. */
+module AIPrompt {
+  /**
+   * A data-flow node that prompts an AI model.
+   *
+   * Extend this class to model new APIs. If you want to refine existing API models,
+   * extend `AIPrompt` instead.
+   */
+  abstract class Range extends DataFlow::Node {
+    /** Gets an input that is used as AI prompt. */
+    abstract DataFlow::Node getAPrompt();
+  }
+}

python/ql/lib/semmle/python/security/dataflow/SystemPromptInjectionCustomizations.qll

@@ -7,15 +7,14 @@
 import python
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.Concepts
-private import experimental.semmle.python.Concepts
 private import semmle.python.ApiGraphs
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.BarrierGuards
 private import semmle.python.frameworks.data.ModelsAsData
-private import experimental.semmle.python.frameworks.OpenAI
-private import experimental.semmle.python.frameworks.Anthropic
-private import experimental.semmle.python.frameworks.GoogleGenAI
-private import experimental.semmle.python.frameworks.OpenRouter
+private import semmle.python.frameworks.OpenAI
+private import semmle.python.frameworks.Anthropic
+private import semmle.python.frameworks.GoogleGenAI
+private import semmle.python.frameworks.OpenRouter
 
 /**
  * Provides default sources, sinks and sanitizers for detecting

python/ql/lib/semmle/python/security/dataflow/UserPromptInjectionCustomizations.qll

@@ -7,14 +7,13 @@
 import python
 private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.Concepts
-private import experimental.semmle.python.Concepts
 private import semmle.python.dataflow.new.RemoteFlowSources
 private import semmle.python.dataflow.new.BarrierGuards
 private import semmle.python.frameworks.data.ModelsAsData
-private import experimental.semmle.python.frameworks.OpenAI
-private import experimental.semmle.python.frameworks.Anthropic
-private import experimental.semmle.python.frameworks.GoogleGenAI
-private import experimental.semmle.python.frameworks.OpenRouter
+private import semmle.python.frameworks.OpenAI
+private import semmle.python.frameworks.Anthropic
+private import semmle.python.frameworks.GoogleGenAI
+private import semmle.python.frameworks.OpenRouter
 
 /**
  * Provides default sources, sinks and sanitizers for detecting

python/ql/src/Security/CWE-1427/SystemPromptInjection.ql

@@ -8,12 +8,11 @@
  * @precision high
  * @id py/system-prompt-injection
  * @tags security
- *       experimental
  *       external/cwe/cwe-1427
  */
 
 import python
-import experimental.semmle.python.security.dataflow.SystemPromptInjectionQuery
+import semmle.python.security.dataflow.SystemPromptInjectionQuery
 import SystemPromptInjectionFlow::PathGraph
 
 from SystemPromptInjectionFlow::PathNode source, SystemPromptInjectionFlow::PathNode sink

python/ql/src/Security/CWE-1427/UserPromptInjection.ql

@@ -8,12 +8,11 @@
  * @precision low
  * @id py/user-prompt-injection
  * @tags security
- *       experimental
  *       external/cwe/cwe-1427
  */
 
 import python
-import experimental.semmle.python.security.dataflow.UserPromptInjectionQuery
+import semmle.python.security.dataflow.UserPromptInjectionQuery
 import UserPromptInjectionFlow::PathGraph
 
 from UserPromptInjectionFlow::PathNode source, UserPromptInjectionFlow::PathNode sink

python/ql/src/change-notes/2026-06-18-prompt-injection-queries.md

@@ -1,4 +1,4 @@
 ---
 category: newQuery
 ---
-* Replaced the experimental `py/prompt-injection` query with two new experimental queries, `py/system-prompt-injection` and `py/user-prompt-injection`, to distinguish untrusted data flowing into system-level prompts and tool descriptions from data flowing into user-role prompts. The queries model the `openai`, `agents`, `anthropic`, `google-genai`, `openrouter` and `langchain` frameworks.
+* Replaced the experimental `py/prompt-injection` query with two new queries, `py/system-prompt-injection` and `py/user-prompt-injection`, to distinguish untrusted data flowing into system-level prompts and tool descriptions from data flowing into user-role prompts. The queries model the `openai`, `agents`, `anthropic`, `google-genai`, `openrouter` and `langchain` frameworks.

python/ql/src/experimental/semmle/python/Concepts.qll

@@ -483,28 +483,3 @@ class EmailSender extends DataFlow::Node instanceof EmailSender::Range {
    */
   DataFlow::Node getABody() { result in [super.getPlainTextBody(), super.getHtmlBody()] }
 }
-
-/**
- * A data-flow node that prompts an AI model.
- *
- * Extend this class to refine existing API models. If you want to model new APIs,
- * extend `AIPrompt::Range` instead.
- */
-class AIPrompt extends DataFlow::Node instanceof AIPrompt::Range {
-  /** Gets an input that is used as AI prompt. */
-  DataFlow::Node getAPrompt() { result = super.getAPrompt() }
-}
-
-/** Provides a class for modeling new AI prompting mechanisms. */
-module AIPrompt {
-  /**
-   * A data-flow node that prompts an AI model.
-   *
-   * Extend this class to model new APIs. If you want to refine existing API models,
-   * extend `AIPrompt` instead.
-   */
-  abstract class Range extends DataFlow::Node {
-    /** Gets an input that is used as AI prompt. */
-    abstract DataFlow::Node getAPrompt();
-  }
-}

python/ql/src/experimental/semmle/python/Frameworks.qll

@@ -13,7 +13,6 @@ private import experimental.semmle.python.frameworks.Scrapli
 private import experimental.semmle.python.frameworks.Twisted
 private import experimental.semmle.python.frameworks.JWT
 private import experimental.semmle.python.frameworks.Csv
-private import experimental.semmle.python.frameworks.OpenAI
 private import experimental.semmle.python.libraries.PyJWT
 private import experimental.semmle.python.libraries.Python_JWT
 private import experimental.semmle.python.libraries.Authlib

python/ql/test/query-tests/Security/CWE-1427-SystemPromptInjection/SystemPromptInjection.qlref

@@ -1,4 +1,4 @@
-query: experimental/Security/CWE-1427/SystemPromptInjection.ql
+query: Security/CWE-1427/SystemPromptInjection.ql
 postprocess:
   - utils/test/PrettyPrintModels.ql
   - utils/test/InlineExpectationsTestQuery.ql

python/ql/test/query-tests/Security/CWE-1427-UserPromptInjection/UserPromptInjection.qlref

@@ -1,4 +1,4 @@
-query: experimental/Security/CWE-1427/UserPromptInjection.ql
+query: Security/CWE-1427/UserPromptInjection.ql
 postprocess:
   - utils/test/PrettyPrintModels.ql
   - utils/test/InlineExpectationsTestQuery.ql