Sovereign Prompt-Injection Defense Specification

Multi-layer defence-in-depth against indirect prompt injection, tool-poisoning, and adversarial instruction smuggling. Trusted Instruction Hierarchy with Ed25519-signature enforcement. Zero external ML classifiers. Zero US CLOUD Act exposure.

7
Defense Layers
3
Trust Classes
5
Attack Categories
0
External Classifier

1. Overview

The Sovereign Prompt-Injection Defense subsystem protects DEFONEOS agents from adversarial instructions embedded in untrusted data. Every piece of text crossing into an agent's context is classified into one of three trust classes and processed accordingly. Untrusted content cannot issue privileged instructions.

There are five attack categories this subsystem defends against:

Sovereignty invariant: Defense runs entirely on DEFONEOS hardware (MacBook M-series MLX runtime + Oracle UK-South). Zero calls to OpenAI Moderation, Anthropic Constitutional AI, Google Perspective API, or any US-jurisdiction ML classifier. The detection logic is open-source Python+regex+signatures, audit-able in the SIGIL ledger.

2. Trusted Instruction Hierarchy

2.1 Three Trust Classes

All instructions in the DEFONEOS agent loop are partitioned into three classes by origin and signature:

ClassOriginCan Issue Privileged Actions?Verification
SYSSystem prompt, hard-coded operator message✅ YesEd25519-signed at compile time, embedded in binary
DEVDeveloper policy, BFT-council-approved config✅ Yes (limited)Ed25519-signed by Ring0 witness quorum
USRUser input, tool output, web content, file content❌ NoEd25519 attestable when from a known principal; otherwise UNTRUSTED

2.2 Privilege Rules

Privileged actions are restricted to SYS and DEV instructions. USR content can only invoke tools that are tagged ring_visible for the agent's ring. UNTRUSTED content (tool output from unknown principal) is rendered as data, never as instruction.

RULE-1: SYS instructions have highest priority and cannot be overridden. RULE-2: DEV instructions can call tools but cannot modify SYS or DEV scope. RULE-3: USR instructions can call ring_visible tools but cannot: - issue shell/system commands - access secrets in sovereign-secrets-keystore - invoke BFT-vote-tool or DEFONEOS-SEAL issuance - escape sandboxed tool output boundaries RULE-4: UNTRUSTED content is parsed as data only — no instruction-following. RULE-5: Any instruction attempting privilege escalation is BLOCKED + SIGIL emitted.

3. Seven-Layer Defense Pipeline

3.1 Layer Stack

Every piece of incoming content passes through seven defense layers in order. Each layer can flag and quarantine; only content passing all seven is admitted into the agent's context.

#LayerFunctionFailure Mode
L1Signature verifyCheck Ed25519 attestation from source principalUNTRUSTED if no valid signature
L2Origin provenanceConfirm source ring, principal type, witness stateQuarantine if Ring3 or unverified
L3Length & type checksReject oversize content, mismatched MIME types, suspicious encodingsReject if >256KB or non-UTF-8
L4Regex injection scanDetect instruction-like patterns (imperative mood, system tags, role-play, ignore-previous, jailbreak phrasing)Quarantine if score > threshold
L5Delimitation enforcementSandbox tool output in tagged delimiters (e.g. <tool-output ring="Ring2">…</tool-output>); inside the delimiters, no instruction-followingForce data-only interpretation
L6Privilege scope checkVerify requested action is within agent's ring permissionsBlock if out-of-scope
L7SIGIL emissionRecord admission decision in SIGIL ledger (allow, quarantine, reject)Always succeeds; receipt is required

3.2 Regex Injection Pattern Set

Layer L4 uses a curated set of 47 regex patterns covering known injection families. All patterns are open-source and SIGIL-anchored.

PATTERN-01: ignore (previous|above|all) instructions PATTERN-02: you are (now|hereby) (a|an) [a-z ]+ PATTERN-03: system prompt:|system:|assistant:|human: PATTERN-04: <\|im_start\|>|<|im_end|> PATTERN-05: jbreak|DAN mode|developer mode|unlock mode PATTERN-06: disregard safety|bypass filter|ignore content policy PATTERN-07: pretend you have no restrictions|act without limits PATTERN-08: \\x[0-9a-f]{2}|&#x?[0-9a-f]+; (encoding smuggling) PATTERN-09: zero-width chars U+200B-U+200D U+FEFF (hidden text) PATTERN-10: base64\b.{50,}\b[A-Za-z0-9+/=]{40,}\b (b64 payload) … (37 more, SIGIL-anchored at sgl:spec:pinj:patterns:2026-07-15)

4. Tool-Output Sandboxing

4.1 Delimitation Format

All tool output is wrapped in XML-style delimiters that explicitly mark content as data, not instruction:

<tool-output ring="Ring2" principal="ed25519:3hLp...m4" tool="gdelt-news-mcp:search" timestamp="2026-07-15T05:30:00Z" red_line_check="passed"> [content here, treated as DATA not INSTRUCTION] </tool-output>

4.2 Sandbox Rules

The agent's instruction parser recognises three delimiters — <tool-output>, <user-input>, and <system-prompt> — and processes content inside <tool-output> and <user-input> as data. Only <system-prompt> content (signed at compile time) is interpreted as instruction.

Result: Adversarial instructions embedded in tool output cannot reach the agent's instruction-following path. They are visible to the model as data (so the model can reason about them, summarise them, alert on them) but cannot trigger privileged actions.

5. Threat Model & Mitigations

5.1 Seven Threat Vectors

VectorDescriptionMitigation
Indirect injection via webAdversarial instructions on fetched web pageL4 regex scan + L5 delimitation + SIGIL quarantine
Tool-poisoning via compromised MCPRogue MCP server returns malicious payloadsL1 signature verify (UNTRUSTED if signature invalid) + L2 origin check
Memory poisoning via long-term storageAdversarial content written to memory, retrieved laterMemory entries Ed25519-signed by writer + L2 ring check on read
Chain-of-thought smugglingHidden instructions in CoT traces passed between agentsCoT traces stripped of imperative mood, rendered as data only
Cross-tool injection via JSON smugglingNested JSON in tool output escapes sandboxL3 length/type check + L5 strict XML delimiters (no JSON parsing inside sandbox)
Encoding smugglingBase64, hex, zero-width, homoglyph attacksL3 + L4 detect non-canonical encodings, normalise, flag
Multi-turn memory replayAdversarial context reconstructed over many turnsSliding-window de-duplication of injection patterns + 24h retention of quarantined content

6. SIGIL Receipts & Audit Trail

6.1 Receipt Format

Every admission decision emits a SIGIL receipt. Quarantined or rejected content is logged with full content + hash for forensic review.

{ "sigil_receipt": "sigil:pinj:2026-07-15T05:30:00Z:abc123", "layer": "L4", "decision": "quarantine", "principal": "ed25519:3hLp...m4", "content_hash": "sha256:9f8e7d...", "pattern_matched": "PATTERN-05", "context": "tool-output:gdelt-news-mcp:search", "review_action": "pending_human_or_bft" }

6.2 Forensic Review

Quarantined content accumulates in a BFT-reviewable buffer. A Ring1 BFT motion can release, retain, or purge quarantine items. Humans (via DEFONEOS WebUI) can also review and dismiss false positives. All actions are SIGIL-recorded.

Cross-walk: OWASP LLM01 (Prompt Injection) · MITRE ATLAS AML.T0051 (LLM Prompt Injection) · NIST AI 600-1 GenAI Profile GV-4 · NCSC Guidelines for Secure AI System Development · EU AI Act Article 15 (Accuracy, Robustness, Cybersecurity).

7. Live Defensive Posture

MetricValueUpdated
Live defense layers7 / 7 activeTick 106
Regex patterns loaded472026-07-15T05:30:00Z
MCP outputs scanned (24h)1,847Rolling
Quarantined (24h)3Rolling
False-positive rate0.16%Verified by 90-day rolling corpus
External classifier calls0Sovereignty invariant
SIGIL receipts emitted1,847Cumulative tick 106
Red-line violations0Across 106 ticks
Sovereignty status: ALL 7 defense layers operating on DEFONEOS hardware. ZERO calls to external ML classifiers. ZERO US CLOUD Act exposure. Pattern set open-source and SIGIL-anchored. BFT reviewable. Compliance: OWASP LLM01, MITRE ATLAS AML.T0051, NIST AI 600-1 GV-4, NCSC Secure AI, EU AI Act Art 15.