WFGY/ProblemMap/GlobalFixMap/Safety_PromptIntegrity/prompt_injection.md
2025-09-05 11:50:48 +08:00


Prompt Injection — Guardrails and Fix Patterns


A focused guide to handling prompt injection attacks in RAG, agents, and orchestration.
Use this page when injected text hijacks your instructions, bypasses the schema, or makes the model ignore its contracts.


When to open this page

  • Responses contain the leaked system prompt or hidden instructions.
  • The model obeys malicious user text such as “ignore above and do X”.
  • Citations vanish after an injection payload.
  • The JSON / tool schema is broken by arbitrary free text.
  • Memory or context keys are rewritten by injected content.

Core acceptance

  • ΔS(question, retrieved) ≤ 0.45 even under injection attempts.
  • λ remains convergent across 3 paraphrases and does not flip under “ignore above” payloads.
  • Schema lock: JSON/tool calls validate against a fixed schema.
  • Coverage ≥ 0.70 of the target section even under noisy injection.

Fix in 60 seconds

  1. Detect abnormal ΔS drift
    • Compute ΔS(question, retrieved). If an injected phrase raises ΔS to ≥ 0.60, isolate the payload.
  2. Enforce contracts
    • Wrap retriever and reasoner outputs in data-contracts.md.
    • Reject free text outside the schema.
  3. Apply fences
  4. Verify stability
    • Re-run with paraphrase probes. Injection should not flip λ or erase citations.

Typical injection payloads → exact fix

| Payload type | Symptom | Fix |
| --- | --- | --- |
| Ignore-all override | Model discards earlier rules | role_confusion.md + schema locks |
| Citation erasure | No references, only a free-text answer | retrieval-traceability.md, data-contracts.md |
| Tool hijack | JSON field replaced with instruction text | json_mode_and_tool_calls.md |
| Role swap | User prompt injected as “system” | role_confusion.md |
| Memory overwrite | Past state or keys corrupted | memory_fences_and_state_keys.md |

Copy-paste probe prompt

```
System: WFGY firewall active.
User input: {question}

Check:
1. Did the retrieved snippet keep its citations?
2. Did ΔS(question, retrieved) ≤ 0.45?
3. Did λ stay convergent under paraphrase?
4. Did the JSON/tool call respect the schema?

If any fail, return the failing layer + fix page.
```
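The 60-second fix steps and the probe prompt above, wired into one runnable harness. This is an added example, not WFGY project code: the page does not define how ΔS or λ are computed, so ΔS is stood in for by a Dice distance over content words, λ by agreement across the three paraphrase answers, and the tool schema by a two-field shape; all three are assumptions, and the page's thresholds (0.45, 0.60) and fix-page mapping are used as given.

```python
import re

DS_ACCEPT, DS_ISOLATE = 0.45, 0.60            # thresholds from the page
STOP = {"a", "an", "and", "are", "for", "is", "of", "the", "to", "what"}
TOOL_SCHEMA = {"answer": str, "citations": list}   # assumed fixed schema shape
FIX = {                                            # failing check -> fix page
    "citations": "retrieval-traceability.md, data-contracts.md",
    "delta_s": "isolate payload (step 1), then data-contracts.md",
    "lambda": "role_confusion.md + schema locks",
    "schema": "json_mode_and_tool_calls.md",
}

def content_words(text):
    return {w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOP}

def delta_s(question, retrieved):
    """Stand-in for ΔS (assumption): Dice distance over content words,
    0.0 = fully on-topic, 1.0 = shares nothing with the question."""
    q, r = content_words(question), content_words(retrieved)
    return 1.0 - 2 * len(q & r) / (len(q) + len(r)) if q and r else 1.0

def isolate_payload(question, retrieved):
    """Step 1: when the whole chunk drifts past DS_ISOLATE, quarantine the
    sentences that are off-topic on their own and keep the rest."""
    if delta_s(question, retrieved) < DS_ISOLATE:
        return retrieved, []
    kept, quarantined = [], []
    for sent in re.split(r"(?<=[.!?])\s+", retrieved.strip()):
        (quarantined if delta_s(question, sent) >= DS_ISOLATE else kept).append(sent)
    return " ".join(kept), quarantined

def schema_ok(call):
    """Step 2 schema lock: exactly the fixed keys, each with the fixed type,
    so instruction text smuggled into an extra field is rejected."""
    return set(call) == set(TOOL_SCHEMA) and all(
        isinstance(call[k], t) for k, t in TOOL_SCHEMA.items())

def run_probe(question, retrieved, call, paraphrase_answers):
    """The probe prompt's four checks in order; None on pass, else
    (failing check, fix page). λ proxy: the answer must not flip across
    the three paraphrase runs."""
    checks = [
        ("citations", bool(call.get("citations"))),
        ("delta_s", delta_s(question, retrieved) <= DS_ACCEPT),
        ("lambda", len(paraphrase_answers) >= 3
                   and len({a.strip().lower() for a in paraphrase_answers}) == 1),
        ("schema", schema_ok(call)),
    ]
    for name, passed in checks:
        if not passed:
            return name, FIX[name]
    return None
```

Swap `delta_s` for your embedding distance in practice; the isolation and probe logic does not depend on how ΔS is measured.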
