fix(agent): name the device-state + ui-context grounding blocks in the trust clause#165
Merged
Merged
Conversation
…e trust clause buildDeviceStateBlock embeds device-controllable strings into a per-turn user message: HardwareName is the operator's dolphin name and Fork/FirmwareVersion come from the device's device_info response (a spoofed or compromised device controls these). buildUIContextBlock carries the current view + a file path. Both ride inside <device-state>...</device-state> / <ui-context .../> blocks. The system-prompt trust clause (trust_append.tmpl) named only <untrusted-hardware-output> and <untrusted-audit-content>; it never mentioned these grounding blocks. Yet buildDeviceStateBlock's docstring claimed "the model is instructed via the system prompt's trust clause to treat the block as read-only grounding" — a protection that wasn't actually wired. encoding/json escapes <, >, & to </>/&, so injected text cannot break out of the block tags — this is defense-in-depth, not a live breakout — but the model was never told to treat the field values as data. The clause now names <device-state> and <ui-context> as read-only grounding whose values are device/operator-supplied and must never be followed as instructions, making the docstring's claim true. Found via the internal audit sweep. Test: TestBuildSystemPrompt_TrustClauseCoversGroundingBlocks pins that the base system prompt's trust clause names both blocks and the data-only instruction; proven to fail pre-fix. Verified: task ci green (lint 0 / vet / build / test:full 0 fail / govulncheck clean); task eval 17/17.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The / grounding blocks carry device-controllable strings (dolphin name, device_info fork/firmware, UI path) into a per-turn user message, but the trust clause named only the untrusted-* wrappers — while buildDeviceStateBlock's docstring claimed trust-clause coverage that didn't exist. JSON-escaping prevents tag breakout (so defense-in-depth, not a live hole), but the model was never told to treat the field values as data. Clause now names both blocks as read-only grounding (data, not instructions). Test proven to fail pre-fix. task ci green; eval 17/17. Found via the internal audit sweep.