Prompt Injection

March 6, 2026 · View on GitHub

🧭 Quick Return to Map

You are in a sub-page of Safety_PromptIntegrity.
To reorient, go back here:

Safety_PromptIntegrity — prompt injection defense and integrity checks

WFGY Global Fix Map — main Emergency Room, 300+ structured fixes

WFGY Problem Map 1.0 — 16 reproducible failure modes

Think of this page as a desk within a ward.
If you need the full triage and all prescriptions, return to the Emergency Room lobby.

A focused guide to handle prompt injection attacks in RAG, agents, and orchestration.
Use this page when injected text hijacks your instructions, bypasses schema, or makes the model ignore contracts.

When to open this page

Responses contain leaked system prompt or hidden instructions.
Model obeys malicious user text like “ignore above and do X”.
Citations vanish after injection payload.
JSON / tool schema is broken by arbitrary free text.
Memory or context keys rewritten by injected content.

Open these first

Visual map and recovery: RAG Architecture & Recovery
Retrieval traceability: retrieval-traceability.md
Data schema contract: data-contracts.md
Role boundary checks: role_confusion.md
Memory fences: memory_fences_and_state_keys.md

Core acceptance

ΔS(question, retrieved) ≤ 0.45 even with injection attempts.
λ remains convergent across 3 paraphrases, does not flip under “ignore above” payloads.
Schema lock: JSON/tool calls validate against fixed schema.
Coverage ≥ 0.70 of target section even under noisy injection.

Fix in 60 seconds

Detect abnormal ΔS drift
- Compute ΔS(question, retrieved). If injected phrase raises ΔS ≥ 0.60, isolate payload.
Enforce contracts
- Wrap retriever and reasoner outputs in data-contracts.md.
- Reject free text outside schema.
Apply fences
- Lock system vs user roles (role_confusion.md).
- Use memory hash keys (memory_fences_and_state_keys.md).
Verify stability
- Re-run with paraphrase probes. Injection should not flip λ or erase citations.

Typical injection payloads → exact fix

Payload type	Symptom	Fix
Ignore-all override	Model discards earlier rules	role_confusion.md + schema locks
Citation erasure	No references, only free text answer	retrieval-traceability.md, data-contracts.md
Tool hijack	JSON field replaced with instruction text	json_mode_and_tool_calls.md
Role swap	User prompt injected as “system”	role_confusion.md
Memory overwrite	Past state or keys corrupted	memory_fences_and_state_keys.md

Copy-paste probe prompt

System: WFGY firewall active.
User input: {question}

Check:
1. Did retrieved snippet keep citations?
2. Did ΔS(question,retrieved) ≤ 0.45?
3. Did λ stay convergent under paraphrase?
4. Did JSON/tool call respect schema?

If any fail, return the failing layer + fix page.

🔗 Quick-Start Downloads (60 sec)

Tool	Link	3-Step Setup
WFGY 1.0 PDF	Engine Paper	1️⃣ Download · 2️⃣ Upload to your LLM · 3️⃣ Ask “Answer using WFGY + <your question>”
TXT OS (plain-text OS)	TXTOS.txt	1️⃣ Download · 2️⃣ Paste into any LLM chat · 3️⃣ Type “hello world” — OS boots instantly

Explore More

Layer	Page	What it’s for
⭐ Proof	WFGY Recognition Map	External citations, integrations, and ecosystem proof
⚙️ Engine	WFGY 1.0	Original PDF tension engine and early logic sketch (legacy reference)
⚙️ Engine	WFGY 2.0	Production tension kernel for RAG and agent systems
⚙️ Engine	WFGY 3.0	TXT based Singularity tension engine (131 S class set)
🗺️ Map	Problem Map 1.0	Flagship 16 problem RAG failure taxonomy and fix map
🗺️ Map	Problem Map 2.0	Global Debug Card for RAG and agent pipeline diagnosis
🗺️ Map	Problem Map 3.0	Global AI troubleshooting atlas and failure pattern map
🧰 App	TXT OS	.txt semantic OS with fast bootstrap
🧰 App	Blah Blah Blah	Abstract and paradox Q&A built on TXT OS
🧰 App	Blur Blur Blur	Text to image generation with semantic control
🏡 Onboarding	Starter Village	Guided entry point for new users

If this repository helped, starring it improves discovery so more builders can find the docs and tools.