diff --git a/ProblemMap/GlobalFixMap/Safety_PromptIntegrity/prompt_injection.md b/ProblemMap/GlobalFixMap/Safety_PromptIntegrity/prompt_injection.md new file mode 100644 index 00000000..ffa90404 --- /dev/null +++ b/ProblemMap/GlobalFixMap/Safety_PromptIntegrity/prompt_injection.md 
@@ -0,0 +1,125 @@ +# Prompt Injection — Guardrails and Fix Patterns + +A focused guide to handle **prompt injection attacks** in RAG, agents, and orchestration. +Use this page when injected text hijacks your instructions, bypasses schema, or makes the model ignore contracts. + +--- + +## When to open this page +- Responses contain **leaked system prompt** or hidden instructions. +- Model obeys malicious user text like *“ignore above and do X”*. +- Citations vanish after injection payload. +- JSON / tool schema is broken by arbitrary free text. +- Memory or context keys rewritten by injected content. + +--- + +## Open these first +- Visual map and recovery: [RAG Architecture & Recovery](https://github.com/onestardao/WFGY/blob/main/ProblemMap/rag-architecture-and-recovery.md) +- Retrieval traceability: [retrieval-traceability.md](https://github.com/onestardao/WFGY/blob/main/ProblemMap/retrieval-traceability.md) +- Data schema contract: [data-contracts.md](https://github.com/onestardao/WFGY/blob/main/ProblemMap/data-contracts.md) +- Role boundary checks: [role_confusion.md](https://github.com/onestardao/WFGY/blob/main/ProblemMap/GlobalFixMap/Safety_PromptIntegrity/role_confusion.md) +- Memory fences: [memory_fences_and_state_keys.md](https://github.com/onestardao/WFGY/blob/main/ProblemMap/GlobalFixMap/Safety_PromptIntegrity/memory_fences_and_state_keys.md) + +--- + +## Core acceptance +- ΔS(question, retrieved) ≤ 0.45 even with injection attempts. +- λ remains convergent across 3 paraphrases, does not flip under “ignore above” payloads. +- Schema lock: JSON/tool calls validate against fixed schema. +- Coverage ≥ 0.70 of target section even under noisy injection. + +--- + +## Fix in 60 seconds +1. **Detect abnormal ΔS drift** + - Compute ΔS(question, retrieved). If injected phrase raises ΔS ≥ 0.60, isolate payload. + +2. 
**Enforce contracts** + - Wrap retriever and reasoner outputs in [data-contracts.md](https://github.com/onestardao/WFGY/blob/main/ProblemMap/data-contracts.md). + - Reject free text outside schema. + +3. **Apply fences** + - Lock system vs user roles ([role_confusion.md](https://github.com/onestardao/WFGY/blob/main/ProblemMap/GlobalFixMap/Safety_PromptIntegrity/role_confusion.md)). + - Use memory hash keys ([memory_fences_and_state_keys.md](https://github.com/onestardao/WFGY/blob/main/ProblemMap/GlobalFixMap/Safety_PromptIntegrity/memory_fences_and_state_keys.md)). + +4. **Verify stability** + - Re-run with paraphrase probes. Injection should not flip λ or erase citations. + +--- + +## Typical injection payloads → exact fix + +| Payload type | Symptom | Fix | +|--------------|---------|-----| +| **Ignore-all override** | Model discards earlier rules | [role_confusion.md](https://github.com/onestardao/WFGY/blob/main/ProblemMap/GlobalFixMap/Safety_PromptIntegrity/role_confusion.md) + schema locks | +| **Citation erasure** | No references, only free text answer | [retrieval-traceability.md](https://github.com/onestardao/WFGY/blob/main/ProblemMap/retrieval-traceability.md), [data-contracts.md](https://github.com/onestardao/WFGY/blob/main/ProblemMap/data-contracts.md) | +| **Tool hijack** | JSON field replaced with instruction text | [json_mode_and_tool_calls.md](https://github.com/onestardao/WFGY/blob/main/ProblemMap/GlobalFixMap/Safety_PromptIntegrity/json_mode_and_tool_calls.md) | +| **Role swap** | User prompt injected as “system” | [role_confusion.md](https://github.com/onestardao/WFGY/blob/main/ProblemMap/GlobalFixMap/Safety_PromptIntegrity/role_confusion.md) | +| **Memory overwrite** | Past state or keys corrupted | [memory_fences_and_state_keys.md](https://github.com/onestardao/WFGY/blob/main/ProblemMap/GlobalFixMap/Safety_PromptIntegrity/memory_fences_and_state_keys.md) | + +--- + +## Copy-paste probe prompt + +```txt +System: WFGY firewall active. 
+User input: {question} + +Check: +1. Did retrieved snippet keep citations? +2. Did ΔS(question,retrieved) ≤ 0.45? +3. Did λ stay convergent under paraphrase? +4. Did JSON/tool call respect schema? + +If any fail, return the failing layer + fix page. +```` + +--- + +### 🔗 Quick-Start Downloads (60 sec) + +| Tool | Link | 3-Step Setup | +| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------- | +| **WFGY 1.0 PDF** | [Engine Paper](https://github.com/onestardao/WFGY/blob/main/I_am_not_lizardman/WFGY_All_Principles_Return_to_One_v1.0_PSBigBig_Public.pdf) | 1️⃣ Download · 2️⃣ Upload to your LLM · 3️⃣ Ask “Answer using WFGY + \” | +| **TXT OS (plain-text OS)** | [TXTOS.txt](https://github.com/onestardao/WFGY/blob/main/OS/TXTOS.txt) | 1️⃣ Download · 2️⃣ Paste into any LLM chat · 3️⃣ Type “hello world” — OS boots instantly | + +--- + +### 🧭 Explore More + +| Module | Description | Link | +| ------------------------ | ---------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------- | +| WFGY Core | WFGY 2.0 engine is live: full symbolic reasoning architecture and math stack | [View →](https://github.com/onestardao/WFGY/tree/main/core/README.md) | +| Problem Map 1.0 | Initial 16-mode diagnostic and symbolic fix framework | [View →](https://github.com/onestardao/WFGY/tree/main/ProblemMap/README.md) | +| Problem Map 2.0 | RAG-focused failure tree, modular fixes, and pipelines | [View →](https://github.com/onestardao/WFGY/blob/main/ProblemMap/rag-architecture-and-recovery.md) | +| Semantic Clinic Index | Expanded failure catalog: prompt injection, memory bugs, logic drift | [View →](https://github.com/onestardao/WFGY/blob/main/ProblemMap/SemanticClinicIndex.md) | 
+| Semantic Blueprint | Layer-based symbolic reasoning & semantic modulations | [View →](https://github.com/onestardao/WFGY/tree/main/SemanticBlueprint/README.md) | +| Benchmark vs GPT-5 | Stress test GPT-5 with full WFGY reasoning suite | [View →](https://github.com/onestardao/WFGY/tree/main/benchmarks/benchmark-vs-gpt5/README.md) | +| 🧙‍♂️ Starter Village 🏡 | New here? Lost in symbols? Click here and let the wizard guide you through | [Start →](https://github.com/onestardao/WFGY/blob/main/StarterVillage/README.md) | + +--- + +> 👑 **Early Stargazers: [See the Hall of Fame](https://github.com/onestardao/WFGY/tree/main/stargazers)** — +> Engineers, hackers, and open source builders who supported WFGY from day one. + +> GitHub stars ⭐ [WFGY Engine 2.0](https://github.com/onestardao/WFGY/blob/main/core/README.md) is already unlocked. ⭐ Star the repo to help others discover it and unlock more on the [Unlock Board](https://github.com/onestardao/WFGY/blob/main/STAR_UNLOCKS.md). + +
+ +[![WFGY Main](https://img.shields.io/badge/WFGY-Main-red?style=flat-square)](https://github.com/onestardao/WFGY) +  +[![TXT OS](https://img.shields.io/badge/TXT%20OS-Reasoning%20OS-orange?style=flat-square)](https://github.com/onestardao/WFGY/tree/main/OS) +  +[![Blah](https://img.shields.io/badge/Blah-Semantic%20Embed-yellow?style=flat-square)](https://github.com/onestardao/WFGY/tree/main/OS/BlahBlahBlah) +  +[![Blot](https://img.shields.io/badge/Blot-Persona%20Core-green?style=flat-square)](https://github.com/onestardao/WFGY/tree/main/OS/BlotBlotBlot) +  +[![Bloc](https://img.shields.io/badge/Bloc-Reasoning%20Compiler-blue?style=flat-square)](https://github.com/onestardao/WFGY/tree/main/OS/BlocBlocBloc) +  +[![Blur](https://img.shields.io/badge/Blur-Text2Image%20Engine-navy?style=flat-square)](https://github.com/onestardao/WFGY/tree/main/OS/BlurBlurBlur) +  +[![Blow](https://img.shields.io/badge/Blow-Game%20Logic-purple?style=flat-square)](https://github.com/onestardao/WFGY/tree/main/OS/BlowBlowBlow) +  + +
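Review bot: In the "Copy-paste probe prompt" block, all four integrity checks (citations kept, ΔS ≤ 0.45, λ convergent under paraphrase, JSON/tool call respects schema) are delegated to the same model that the injected text is trying to hijack, so a successful injection can simply report that every check passed; checks 2 and 4 are mechanical and should run in code on the model output (compute ΔS(question, retrieved) and validate the JSON/tool call against the fixed schema before the response is accepted), with the prompt kept only for what genuinely needs the model. Two smaller points in the same hunk: "Fix in 60 seconds" step 1 isolates a payload at "ΔS ≥ 0.60" while "Core acceptance" requires "ΔS ≤ 0.45", so a value between 0.45 and 0.60 has no defined outcome; state whether that band fails or drop the second threshold. The probe block opens with ```txt but closes with ````, and the WFGY 1.0 PDF row reads `Ask “Answer using WFGY + \”`, which looks like a truncated instruction; match the fence lengths and complete or remove the dangling quote.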