Multi-layer defence-in-depth against indirect prompt injection, tool-poisoning, and adversarial instruction smuggling. Trusted Instruction Hierarchy with Ed25519-signature enforcement. Zero external ML classifiers. Zero US CLOUD Act exposure.
The Sovereign Prompt-Injection Defense subsystem protects DEFONEOS agents from adversarial instructions embedded in untrusted data. Every piece of text crossing into an agent's context is classified into one of three trust classes and processed accordingly. Untrusted content cannot issue privileged instructions.
There are five attack categories this subsystem defends against:
All instructions in the DEFONEOS agent loop are partitioned into three classes by origin and signature:
| Class | Origin | Can Issue Privileged Actions? | Verification |
|---|---|---|---|
SYS | System prompt, hard-coded operator message | ✅ Yes | Ed25519-signed at compile time, embedded in binary |
DEV | Developer policy, BFT-council-approved config | ✅ Yes (limited) | Ed25519-signed by Ring0 witness quorum |
USR | User input, tool output, web content, file content | ❌ No | Ed25519 attestable when from a known principal; otherwise UNTRUSTED |
Privileged actions are restricted to SYS and DEV instructions. USR content can only invoke tools that are tagged ring_visible for the agent's ring. UNTRUSTED content (tool output from unknown principal) is rendered as data, never as instruction.
Every piece of incoming content passes through seven defense layers in order. Each layer can flag and quarantine; only content passing all seven is admitted into the agent's context.
| # | Layer | Function | Failure Mode |
|---|---|---|---|
| L1 | Signature verify | Check Ed25519 attestation from source principal | UNTRUSTED if no valid signature |
| L2 | Origin provenance | Confirm source ring, principal type, witness state | Quarantine if Ring3 or unverified |
| L3 | Length & type checks | Reject oversize content, mismatched MIME types, suspicious encodings | Reject if >256KB or non-UTF-8 |
| L4 | Regex injection scan | Detect instruction-like patterns (imperative mood, system tags, role-play, ignore-previous, jailbreak phrasing) | Quarantine if score > threshold |
| L5 | Delimitation enforcement | Sandbox tool output in tagged delimiters (e.g. <tool-output ring="Ring2">…</tool-output>); inside the delimiters, no instruction-following | Force data-only interpretation |
| L6 | Privilege scope check | Verify requested action is within agent's ring permissions | Block if out-of-scope |
| L7 | SIGIL emission | Record admission decision in SIGIL ledger (allow, quarantine, reject) | Always succeeds; receipt is required |
Layer L4 uses a curated set of 47 regex patterns covering known injection families. All patterns are open-source and SIGIL-anchored.
All tool output is wrapped in XML-style delimiters that explicitly mark content as data, not instruction:
The agent's instruction parser recognises three delimiters — <tool-output>, <user-input>, and <system-prompt> — and processes content inside <tool-output> and <user-input> as data. Only <system-prompt> content (signed at compile time) is interpreted as instruction.
| Vector | Description | Mitigation |
|---|---|---|
| Indirect injection via web | Adversarial instructions on fetched web page | L4 regex scan + L5 delimitation + SIGIL quarantine |
| Tool-poisoning via compromised MCP | Rogue MCP server returns malicious payloads | L1 signature verify (UNTRUSTED if signature invalid) + L2 origin check |
| Memory poisoning via long-term storage | Adversarial content written to memory, retrieved later | Memory entries Ed25519-signed by writer + L2 ring check on read |
| Chain-of-thought smuggling | Hidden instructions in CoT traces passed between agents | CoT traces stripped of imperative mood, rendered as data only |
| Cross-tool injection via JSON smuggling | Nested JSON in tool output escapes sandbox | L3 length/type check + L5 strict XML delimiters (no JSON parsing inside sandbox) |
| Encoding smuggling | Base64, hex, zero-width, homoglyph attacks | L3 + L4 detect non-canonical encodings, normalise, flag |
| Multi-turn memory replay | Adversarial context reconstructed over many turns | Sliding-window de-duplication of injection patterns + 24h retention of quarantined content |
Every admission decision emits a SIGIL receipt. Quarantined or rejected content is logged with full content + hash for forensic review.
Quarantined content accumulates in a BFT-reviewable buffer. A Ring1 BFT motion can release, retain, or purge quarantine items. Humans (via DEFONEOS WebUI) can also review and dismiss false positives. All actions are SIGIL-recorded.
| Metric | Value | Updated |
|---|---|---|
| Live defense layers | 7 / 7 active | Tick 106 |
| Regex patterns loaded | 47 | 2026-07-15T05:30:00Z |
| MCP outputs scanned (24h) | 1,847 | Rolling |
| Quarantined (24h) | 3 | Rolling |
| False-positive rate | 0.16% | Verified by 90-day rolling corpus |
| External classifier calls | 0 | Sovereignty invariant |
| SIGIL receipts emitted | 1,847 | Cumulative tick 106 |
| Red-line violations | 0 | Across 106 ticks |