Untrusted Content Isolation

Defense-in-depth against indirect prompt injection across all external data sources.

Zeph processes data from web scraping, MCP servers, A2A agents, tool results, and memory retrieval — all of which may contain adversarial instructions. This epic implements multi-layered isolation: content sanitization with spotlighting, quarantined summarization, exfiltration guards, and TUI visibility.

**Research**: `.local/plan/untrusted-content-isolation.md`

## Phase 1: Core Infrastructure

- [x] #1196 — TrustLevel enum and ContentSource model
- [x] #1197 — ContentSanitizer with injection pattern detection
- [x] #1198 — Content isolation config section
- [x] #1199 — ContextBuilder sanitizer integration

## Phase 2: Source-Specific Integration

- [x] #1200 — Tool result sanitization boundary
- [x] #1201 — MCP response sanitization boundary
- [x] #1202 — A2A message sanitization boundary
- [x] #1203 — Memory retrieval sanitization boundary

## Phase 3: Quarantined Summarizer

- [x] #1204 — QuarantinedSummarizer for high-risk sources (Dual LLM pattern)

## Phase 4: Exfiltration Guards

- [x] #1205 — Markdown image exfiltration guard
- [x] #1206 — Tool call argument validation guard
- [x] #1207 — Memory write poisoning guard

## Phase 5: UI Integration

- [x] #1208 — TUI security indicators and event log
- [x] #1209 — CLI security event reporting

## References

- [Design Patterns for Securing LLM Agents (arXiv 2506.08837)](https://arxiv.org/html/2506.08837v1)
- [Anthropic Prompt Injection Defenses](https://www.anthropic.com/research/prompt-injection-defenses)
- [Microsoft Indirect Prompt Injection Defense](https://www.microsoft.com/en-us/msrc/blog/2025/07/how-microsoft-defends-against-indirect-prompt-injection-attacks)
- [OWASP LLM Prompt Injection Prevention](https://cheatsheetseries.owasp.org/cheatsheets/LLM_Prompt_Injection_Prevention_Cheat_Sheet.html)
- [Simon Willison: The Lethal Trifecta](https://simonw.substack.com/p/the-lethal-trifecta-for-ai-agents)
- [CaMeL: Google DeepMind Taint Tracking](https://www.infoq.com/news/2025/04/deepmind-camel-promt-injection/)

## Cross-Epic Dependencies (with #1222 Graph Memory)

| Security Epic | Graph Memory | Relationship |
|---|---|---|
| #1207 (memory write poisoning) | #1225 (extraction write) | Graph extraction is a new write path into memory — guard must cover `GraphStore` writes |
| #1203 (memory retrieval sanitization) | #1226 (graph retrieval) | `graph_recall()` is a new read path — sanitizer must cover graph facts |
| #1204 (quarantined summarizer) | #1228 (community summaries) | Shared pattern: isolated LLM call — first implemented sets the abstraction |

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Untrusted Content Isolation #1195

Phase 1: Core Infrastructure

Phase 2: Source-Specific Integration

Phase 3: Quarantined Summarizer

Phase 4: Exfiltration Guards

Phase 5: UI Integration

References

Cross-Epic Dependencies (with #1222 Graph Memory)

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Security Epic	Graph Memory	Relationship
#1207 (memory write poisoning)	#1225 (extraction write)	Graph extraction is a new write path into memory — guard must cover `GraphStore` writes
#1203 (memory retrieval sanitization)	#1226 (graph retrieval)	`graph_recall()` is a new read path — sanitizer must cover graph facts
#1204 (quarantined summarizer)	#1228 (community summaries)	Shared pattern: isolated LLM call — first implemented sets the abstraction

Untrusted Content Isolation #1195

Description

Phase 1: Core Infrastructure

Phase 2: Source-Specific Integration

Phase 3: Quarantined Summarizer

Phase 4: Exfiltration Guards

Phase 5: UI Integration

References

Cross-Epic Dependencies (with #1222 Graph Memory)

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions