Skip to content

docs(security): document the prompt-injection quarantine in the safety model#101

Merged
xunholy merged 1 commit into
mainfrom
docs/security-document-quarantine
Jun 24, 2026
Merged

docs(security): document the prompt-injection quarantine in the safety model#101
xunholy merged 1 commit into
mainfrom
docs/security-document-quarantine

Conversation

@xunholy

@xunholy xunholy commented Jun 24, 2026

Copy link
Copy Markdown
Owner

Summary

The README directs operators to SECURITY.md for "the safety model and threat boundary," but its Defensive postures section listed only the two operator toggles (--read-only, --confirm-risk) — it omitted the prompt-injection quarantine entirely. That's the always-on rail that wraps hardware-origin tool output (scanned SSIDs, NFC/NDEF records, BLE device names, SD-card file contents, and the results of workflows that read them) in <untrusted-hardware-output> + control-char sanitisation, so attacker-controllable RF/NFC/file content can't inject instructions into the model. It's a first-class part of the safety model — and was just hardened in v0.741 (#99) to cover hardware-reading workflows — so it belongs in the security policy.

Change (docs only)

Adds a third bullet to Defensive postures describing the quarantine: what it wraps, the paired system-prompt clause, and that it's an allow-list (default-wrap / fail-closed — a new tool is quarantined unless explicitly marked structured-internal). Reframes the intro as "two operator-facing toggles plus an always-on prompt-injection quarantine."

Description written against the current implementation (internal/agent/quarantine.go). No code or behaviour change.

…y model

The README directs operators to SECURITY.md for "the safety model and
threat boundary", and the "Defensive postures" section listed only the
two operator toggles (--read-only, --confirm-risk). It omitted the
prompt-injection quarantine entirely — the always-on rail that wraps
hardware-origin tool output (scanned SSIDs, NFC/NDEF, BLE device names,
SD-card file contents, and the results of workflows that read them) in
<untrusted-hardware-output> + control-char sanitisation so
attacker-controllable RF/NFC/file content can't inject instructions into
the model. That rail is a first-class part of the safety model (and was
just hardened in v0.741 to cover hardware-reading workflows), so it
belongs in the security policy.

Adds a third bullet to "Defensive postures" describing the quarantine:
what it wraps, the paired system-prompt clause, and that it is an
allow-list (default-wrap / fail-closed — a new tool is quarantined unless
explicitly marked structured-internal). Reframes the section intro as
"two operator-facing toggles plus an always-on prompt-injection
quarantine".

Docs-only; no code or behaviour change. The description was written
against the current implementation (internal/agent/quarantine.go).
@xunholy xunholy merged commit 2da2782 into main Jun 24, 2026
10 of 11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant