@safebrowse/daemon 0.1.2-rc.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (41)
  1. package/LICENSE +15 -0
  2. package/README.md +31 -0
  3. package/dist/cli.d.ts +8 -0
  4. package/dist/cli.d.ts.map +1 -0
  5. package/dist/cli.js +93 -0
  6. package/dist/cli.js.map +1 -0
  7. package/dist/index.d.ts +4 -0
  8. package/dist/index.d.ts.map +1 -0
  9. package/dist/index.js +21 -0
  10. package/dist/index.js.map +1 -0
  11. package/dist/loaders.d.ts +23 -0
  12. package/dist/loaders.d.ts.map +1 -0
  13. package/dist/loaders.js +181 -0
  14. package/dist/loaders.js.map +1 -0
  15. package/dist/runtime/config/adapter-registry.json +65 -0
  16. package/dist/runtime/config/adapter-registry.json.sig +1 -0
  17. package/dist/runtime/config/v2-compromised-fixtures.json +34 -0
  18. package/dist/runtime/knowledge_base/safebrowse_vf_action_integrity_patterns.json +1411 -0
  19. package/dist/runtime/knowledge_base/safebrowse_vf_artifact_surface_patterns.json +891 -0
  20. package/dist/runtime/knowledge_base/safebrowse_vf_evaluation_scenarios.json +217 -0
  21. package/dist/runtime/knowledge_base/safebrowse_vf_incident_response_playbooks.json +209 -0
  22. package/dist/runtime/knowledge_base/safebrowse_vf_knowledge_base_index.json +143 -0
  23. package/dist/runtime/knowledge_base/safebrowse_vf_knowledge_base_index.json.sig +1 -0
  24. package/dist/runtime/knowledge_base/safebrowse_vf_knowledge_bases.zip +0 -0
  25. package/dist/runtime/knowledge_base/safebrowse_vf_knowledge_bases.zip.sig +1 -0
  26. package/dist/runtime/knowledge_base/safebrowse_vf_memory_context_poisoning_patterns.json +803 -0
  27. package/dist/runtime/knowledge_base/safebrowse_vf_policy_controls_catalog.json +686 -0
  28. package/dist/runtime/knowledge_base/safebrowse_vf_prompt_injection_patterns.json +9930 -0
  29. package/dist/runtime/knowledge_base/safebrowse_vf_source_registry.json +345 -0
  30. package/dist/runtime/knowledge_base/safebrowse_vf_tool_protocol_supply_chain_patterns.json +879 -0
  31. package/dist/runtime/knowledge_base/safebrowse_vf_trust_signals_provenance.json +480 -0
  32. package/dist/runtime/knowledge_base/signing/safebrowse_vf_ed25519_public.pem +3 -0
  33. package/dist/runtime/policies/base/research.yaml +56 -0
  34. package/dist/runtime/policies/emergency/default.yaml +14 -0
  35. package/dist/runtime/policies/project/default.yaml +13 -0
  36. package/dist/runtime/policies/tenant/default.yaml +12 -0
  37. package/dist/server.d.ts +14 -0
  38. package/dist/server.d.ts.map +1 -0
  39. package/dist/server.js +195 -0
  40. package/dist/server.js.map +1 -0
  41. package/package.json +53 -0
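--- a/package/dist/runtime/knowledge_base/safebrowse_vf_memory_context_poisoning_patterns.json
+++ b/package/dist/runtime/knowledge_base/safebrowse_vf_memory_context_poisoning_patterns.json
@@ -0,0 +1,803 @@
+ {
+ "kb_meta": {
+ "name": "SafeBrowse vf memory/context poisoning patterns",
+ "version": "vf-final",
+ "generated_on": "2026-03-28",
+ "entry_count": 36,
+ "purpose": "Patterns for persistent memory poisoning, summary drift, vector/cache poisoning, and delayed triggers."
+ },
+ "entries": [
+ {
+ "pattern_id": "MC-01-01",
+ "family_key": "memory_write_override",
+ "family_name": "Malicious memory writes",
+ "pattern_name": "Store attacker-defined rule as user preference",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "Untrusted content attempts to store attacker-authored instructions, goals, or preferences into persistent memory.",
+ "surface_kind": "memory_write",
+ "default_controls": [
+ "memory write policy",
+ "signed trusted writes",
+ "taint-aware persistence",
+ "human approval for durable memory"
+ ],
+ "source_ids": [
+ "SRC_OWASP_AGENT_MEMORY_GUARD_2026",
+ "SRC_OWASP_AGENTIC_TOP10_2026",
+ "SRC_NIST_AGENTIC_EMERGING_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-01-02",
+ "family_key": "memory_write_override",
+ "family_name": "Malicious memory writes",
+ "pattern_name": "Persist external instruction as future objective",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "Untrusted content attempts to store attacker-authored instructions, goals, or preferences into persistent memory.",
+ "surface_kind": "memory_write",
+ "default_controls": [
+ "memory write policy",
+ "signed trusted writes",
+ "taint-aware persistence",
+ "human approval for durable memory"
+ ],
+ "source_ids": [
+ "SRC_OWASP_AGENT_MEMORY_GUARD_2026",
+ "SRC_OWASP_AGENTIC_TOP10_2026",
+ "SRC_NIST_AGENTIC_EMERGING_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-01-03",
+ "family_key": "memory_write_override",
+ "family_name": "Malicious memory writes",
+ "pattern_name": "Write poisoned reminder or note",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "Untrusted content attempts to store attacker-authored instructions, goals, or preferences into persistent memory.",
+ "surface_kind": "memory_write",
+ "default_controls": [
+ "memory write policy",
+ "signed trusted writes",
+ "taint-aware persistence",
+ "human approval for durable memory"
+ ],
+ "source_ids": [
+ "SRC_OWASP_AGENT_MEMORY_GUARD_2026",
+ "SRC_OWASP_AGENTIC_TOP10_2026",
+ "SRC_NIST_AGENTIC_EMERGING_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-01-04",
+ "family_key": "memory_write_override",
+ "family_name": "Malicious memory writes",
+ "pattern_name": "Update long-term memory with attacker summary",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "Untrusted content attempts to store attacker-authored instructions, goals, or preferences into persistent memory.",
+ "surface_kind": "memory_write",
+ "default_controls": [
+ "memory write policy",
+ "signed trusted writes",
+ "taint-aware persistence",
+ "human approval for durable memory"
+ ],
+ "source_ids": [
+ "SRC_OWASP_AGENT_MEMORY_GUARD_2026",
+ "SRC_OWASP_AGENTIC_TOP10_2026",
+ "SRC_NIST_AGENTIC_EMERGING_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-02-01",
+ "family_key": "delayed_trigger",
+ "family_name": "Delayed-trigger persistence",
+ "pattern_name": "Time-based trigger phrase",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "An attack seeds content that appears benign now but activates in later turns, tasks, or sessions.",
+ "surface_kind": "memory_read",
+ "default_controls": [
+ "memory taint retention",
+ "trigger-pattern scans",
+ "expiry and revalidation",
+ "cross-session anomaly checks"
+ ],
+ "source_ids": [
+ "SRC_OWASP_PI_CHEATSHEET_2026",
+ "SRC_OWASP_AGENT_MEMORY_GUARD_2026",
+ "SRC_ADAPTIVE_ATTACKS_ACL_2025"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-02-02",
+ "family_key": "delayed_trigger",
+ "family_name": "Delayed-trigger persistence",
+ "pattern_name": "Conditional trigger after topic match",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "An attack seeds content that appears benign now but activates in later turns, tasks, or sessions.",
+ "surface_kind": "memory_read",
+ "default_controls": [
+ "memory taint retention",
+ "trigger-pattern scans",
+ "expiry and revalidation",
+ "cross-session anomaly checks"
+ ],
+ "source_ids": [
+ "SRC_OWASP_PI_CHEATSHEET_2026",
+ "SRC_OWASP_AGENT_MEMORY_GUARD_2026",
+ "SRC_ADAPTIVE_ATTACKS_ACL_2025"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-02-03",
+ "family_key": "delayed_trigger",
+ "family_name": "Delayed-trigger persistence",
+ "pattern_name": "Future-session instruction activation",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "An attack seeds content that appears benign now but activates in later turns, tasks, or sessions.",
+ "surface_kind": "memory_read",
+ "default_controls": [
+ "memory taint retention",
+ "trigger-pattern scans",
+ "expiry and revalidation",
+ "cross-session anomaly checks"
+ ],
+ "source_ids": [
+ "SRC_OWASP_PI_CHEATSHEET_2026",
+ "SRC_OWASP_AGENT_MEMORY_GUARD_2026",
+ "SRC_ADAPTIVE_ATTACKS_ACL_2025"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-02-04",
+ "family_key": "delayed_trigger",
+ "family_name": "Delayed-trigger persistence",
+ "pattern_name": "Codeword established early then reused",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "An attack seeds content that appears benign now but activates in later turns, tasks, or sessions.",
+ "surface_kind": "memory_read",
+ "default_controls": [
+ "memory taint retention",
+ "trigger-pattern scans",
+ "expiry and revalidation",
+ "cross-session anomaly checks"
+ ],
+ "source_ids": [
+ "SRC_OWASP_PI_CHEATSHEET_2026",
+ "SRC_OWASP_AGENT_MEMORY_GUARD_2026",
+ "SRC_ADAPTIVE_ATTACKS_ACL_2025"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-03-01",
+ "family_key": "summary_corruption",
+ "family_name": "Context summary corruption",
+ "pattern_name": "Conversation summary drops safety caveat",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "Summaries, distilled notes, or state reductions omit or invert critical constraints and preserve attacker influence.",
+ "surface_kind": "summary",
+ "default_controls": [
+ "summary provenance",
+ "trusted-summary regeneration",
+ "constraint-preserving summarizers",
+ "summary diff checks"
+ ],
+ "source_ids": [
+ "SRC_NIST_AGENTIC_EMERGING_2026",
+ "SRC_OWASP_AGENT_MEMORY_GUARD_2026",
+ "SRC_OPENAI_PROMPT_INJECTION_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-03-02",
+ "family_key": "summary_corruption",
+ "family_name": "Context summary corruption",
+ "pattern_name": "Document summary injects unauthorized task",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "Summaries, distilled notes, or state reductions omit or invert critical constraints and preserve attacker influence.",
+ "surface_kind": "summary",
+ "default_controls": [
+ "summary provenance",
+ "trusted-summary regeneration",
+ "constraint-preserving summarizers",
+ "summary diff checks"
+ ],
+ "source_ids": [
+ "SRC_NIST_AGENTIC_EMERGING_2026",
+ "SRC_OWASP_AGENT_MEMORY_GUARD_2026",
+ "SRC_OPENAI_PROMPT_INJECTION_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-03-03",
+ "family_key": "summary_corruption",
+ "family_name": "Context summary corruption",
+ "pattern_name": "Planner state summary flips user intent",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "Summaries, distilled notes, or state reductions omit or invert critical constraints and preserve attacker influence.",
+ "surface_kind": "summary",
+ "default_controls": [
+ "summary provenance",
+ "trusted-summary regeneration",
+ "constraint-preserving summarizers",
+ "summary diff checks"
+ ],
+ "source_ids": [
+ "SRC_NIST_AGENTIC_EMERGING_2026",
+ "SRC_OWASP_AGENT_MEMORY_GUARD_2026",
+ "SRC_OPENAI_PROMPT_INJECTION_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-03-04",
+ "family_key": "summary_corruption",
+ "family_name": "Context summary corruption",
+ "pattern_name": "Cross-turn recap preserves attacker framing",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "Summaries, distilled notes, or state reductions omit or invert critical constraints and preserve attacker influence.",
+ "surface_kind": "summary",
+ "default_controls": [
+ "summary provenance",
+ "trusted-summary regeneration",
+ "constraint-preserving summarizers",
+ "summary diff checks"
+ ],
+ "source_ids": [
+ "SRC_NIST_AGENTIC_EMERGING_2026",
+ "SRC_OWASP_AGENT_MEMORY_GUARD_2026",
+ "SRC_OPENAI_PROMPT_INJECTION_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-04-01",
+ "family_key": "permission_state_drift",
+ "family_name": "Permission and scope state drift",
+ "pattern_name": "Memory says write access was approved",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "Stored memory misstates current permissions, approvals, or capability grants, causing unsafe action later.",
+ "surface_kind": "permission_state",
+ "default_controls": [
+ "non-persistent approvals",
+ "capability freshness checks",
+ "scope revalidation",
+ "task-bound approval IDs"
+ ],
+ "source_ids": [
+ "SRC_OWASP_AGENT_MEMORY_GUARD_2026",
+ "SRC_MCP_SECURITY_BEST_PRACTICES_2025",
+ "SRC_OWASP_AGENTIC_TOP10_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-04-02",
+ "family_key": "permission_state_drift",
+ "family_name": "Permission and scope state drift",
+ "pattern_name": "Scope cache claims elevated token still valid",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "Stored memory misstates current permissions, approvals, or capability grants, causing unsafe action later.",
+ "surface_kind": "permission_state",
+ "default_controls": [
+ "non-persistent approvals",
+ "capability freshness checks",
+ "scope revalidation",
+ "task-bound approval IDs"
+ ],
+ "source_ids": [
+ "SRC_OWASP_AGENT_MEMORY_GUARD_2026",
+ "SRC_MCP_SECURITY_BEST_PRACTICES_2025",
+ "SRC_OWASP_AGENTIC_TOP10_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-04-03",
+ "family_key": "permission_state_drift",
+ "family_name": "Permission and scope state drift",
+ "pattern_name": "Stored approval reused for different sink",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "Stored memory misstates current permissions, approvals, or capability grants, causing unsafe action later.",
+ "surface_kind": "permission_state",
+ "default_controls": [
+ "non-persistent approvals",
+ "capability freshness checks",
+ "scope revalidation",
+ "task-bound approval IDs"
+ ],
+ "source_ids": [
+ "SRC_OWASP_AGENT_MEMORY_GUARD_2026",
+ "SRC_MCP_SECURITY_BEST_PRACTICES_2025",
+ "SRC_OWASP_AGENTIC_TOP10_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-04-04",
+ "family_key": "permission_state_drift",
+ "family_name": "Permission and scope state drift",
+ "pattern_name": "Session remembers destructive permission from prior task",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "Stored memory misstates current permissions, approvals, or capability grants, causing unsafe action later.",
+ "surface_kind": "permission_state",
+ "default_controls": [
+ "non-persistent approvals",
+ "capability freshness checks",
+ "scope revalidation",
+ "task-bound approval IDs"
+ ],
+ "source_ids": [
+ "SRC_OWASP_AGENT_MEMORY_GUARD_2026",
+ "SRC_MCP_SECURITY_BEST_PRACTICES_2025",
+ "SRC_OWASP_AGENTIC_TOP10_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-05-01",
+ "family_key": "identity_context_hijack",
+ "family_name": "Identity and persona context hijack",
+ "pattern_name": "Stored admin identity claim",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "Persistent state changes who the agent believes it serves or what role it currently holds.",
+ "surface_kind": "identity_state",
+ "default_controls": [
+ "identity assertions from trusted sources only",
+ "fresh delegation checks",
+ "recipient re-resolution",
+ "memory integrity baselines"
+ ],
+ "source_ids": [
+ "SRC_OWASP_AGENT_MEMORY_GUARD_2026",
+ "SRC_OWASP_AGENTIC_TOP10_2026",
+ "SRC_NIST_CAISI_RFI_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-05-02",
+ "family_key": "identity_context_hijack",
+ "family_name": "Identity and persona context hijack",
+ "pattern_name": "Memory says attacker is trusted owner",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "Persistent state changes who the agent believes it serves or what role it currently holds.",
+ "surface_kind": "identity_state",
+ "default_controls": [
+ "identity assertions from trusted sources only",
+ "fresh delegation checks",
+ "recipient re-resolution",
+ "memory integrity baselines"
+ ],
+ "source_ids": [
+ "SRC_OWASP_AGENT_MEMORY_GUARD_2026",
+ "SRC_OWASP_AGENTIC_TOP10_2026",
+ "SRC_NIST_CAISI_RFI_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-05-03",
+ "family_key": "identity_context_hijack",
+ "family_name": "Identity and persona context hijack",
+ "pattern_name": "Persistent delegation without fresh consent",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "Persistent state changes who the agent believes it serves or what role it currently holds.",
+ "surface_kind": "identity_state",
+ "default_controls": [
+ "identity assertions from trusted sources only",
+ "fresh delegation checks",
+ "recipient re-resolution",
+ "memory integrity baselines"
+ ],
+ "source_ids": [
+ "SRC_OWASP_AGENT_MEMORY_GUARD_2026",
+ "SRC_OWASP_AGENTIC_TOP10_2026",
+ "SRC_NIST_CAISI_RFI_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-05-04",
+ "family_key": "identity_context_hijack",
+ "family_name": "Identity and persona context hijack",
+ "pattern_name": "Contact/recipient identity poisoned in memory",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "Persistent state changes who the agent believes it serves or what role it currently holds.",
+ "surface_kind": "identity_state",
+ "default_controls": [
+ "identity assertions from trusted sources only",
+ "fresh delegation checks",
+ "recipient re-resolution",
+ "memory integrity baselines"
+ ],
+ "source_ids": [
+ "SRC_OWASP_AGENT_MEMORY_GUARD_2026",
+ "SRC_OWASP_AGENTIC_TOP10_2026",
+ "SRC_NIST_CAISI_RFI_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-06-01",
+ "family_key": "rag_single_doc_poisoning",
+ "family_name": "Single-document RAG poisoning",
+ "pattern_name": "One poisoned document outranks benign corpus",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "A small number of poisoned documents dominate retrieval and future reasoning.",
+ "surface_kind": "rag",
+ "default_controls": [
+ "retrieval provenance",
+ "cross-document corroboration",
+ "poison-response detector",
+ "document trust tiers"
+ ],
+ "source_ids": [
+ "SRC_ONE_SHOT_DOMINANCE_EMNLP_2025",
+ "SRC_REVPRAG_EMNLP_2025",
+ "SRC_OWASP_PI_CHEATSHEET_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-06-02",
+ "family_key": "rag_single_doc_poisoning",
+ "family_name": "Single-document RAG poisoning",
+ "pattern_name": "Poisoned document used in multi-hop answer",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "A small number of poisoned documents dominate retrieval and future reasoning.",
+ "surface_kind": "rag",
+ "default_controls": [
+ "retrieval provenance",
+ "cross-document corroboration",
+ "poison-response detector",
+ "document trust tiers"
+ ],
+ "source_ids": [
+ "SRC_ONE_SHOT_DOMINANCE_EMNLP_2025",
+ "SRC_REVPRAG_EMNLP_2025",
+ "SRC_OWASP_PI_CHEATSHEET_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-06-03",
+ "family_key": "rag_single_doc_poisoning",
+ "family_name": "Single-document RAG poisoning",
+ "pattern_name": "Citation-snippet poisoning",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "A small number of poisoned documents dominate retrieval and future reasoning.",
+ "surface_kind": "rag",
+ "default_controls": [
+ "retrieval provenance",
+ "cross-document corroboration",
+ "poison-response detector",
+ "document trust tiers"
+ ],
+ "source_ids": [
+ "SRC_ONE_SHOT_DOMINANCE_EMNLP_2025",
+ "SRC_REVPRAG_EMNLP_2025",
+ "SRC_OWASP_PI_CHEATSHEET_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-06-04",
+ "family_key": "rag_single_doc_poisoning",
+ "family_name": "Single-document RAG poisoning",
+ "pattern_name": "Document crafted to survive retrieval filters",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "A small number of poisoned documents dominate retrieval and future reasoning.",
+ "surface_kind": "rag",
+ "default_controls": [
+ "retrieval provenance",
+ "cross-document corroboration",
+ "poison-response detector",
+ "document trust tiers"
+ ],
+ "source_ids": [
+ "SRC_ONE_SHOT_DOMINANCE_EMNLP_2025",
+ "SRC_REVPRAG_EMNLP_2025",
+ "SRC_OWASP_PI_CHEATSHEET_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-07-01",
+ "family_key": "vector_or_cache_poisoning",
+ "family_name": "Vector store and semantic cache poisoning",
+ "pattern_name": "Vector index poisoned by external ingestion",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "Stored retrieval index or cache entries serve attacker-crafted content to later users or tasks.",
+ "surface_kind": "vector_store",
+ "default_controls": [
+ "cache partitioning",
+ "tenant isolation",
+ "signed ingestion pipeline",
+ "cache poisoning detectors"
+ ],
+ "source_ids": [
+ "SRC_OWASP_AGENTIC_TOP10_2026",
+ "SRC_NIST_CAISI_RFI_2026",
+ "SRC_REVPRAG_EMNLP_2025"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-07-02",
+ "family_key": "vector_or_cache_poisoning",
+ "family_name": "Vector store and semantic cache poisoning",
+ "pattern_name": "Semantic cache entry reused across users",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "Stored retrieval index or cache entries serve attacker-crafted content to later users or tasks.",
+ "surface_kind": "semantic_cache",
+ "default_controls": [
+ "cache partitioning",
+ "tenant isolation",
+ "signed ingestion pipeline",
+ "cache poisoning detectors"
+ ],
+ "source_ids": [
+ "SRC_OWASP_AGENTIC_TOP10_2026",
+ "SRC_NIST_CAISI_RFI_2026",
+ "SRC_REVPRAG_EMNLP_2025"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-07-03",
+ "family_key": "vector_or_cache_poisoning",
+ "family_name": "Vector store and semantic cache poisoning",
+ "pattern_name": "Cache returns attacker-authored response",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "Stored retrieval index or cache entries serve attacker-crafted content to later users or tasks.",
+ "surface_kind": "semantic_cache",
+ "default_controls": [
+ "cache partitioning",
+ "tenant isolation",
+ "signed ingestion pipeline",
+ "cache poisoning detectors"
+ ],
+ "source_ids": [
+ "SRC_OWASP_AGENTIC_TOP10_2026",
+ "SRC_NIST_CAISI_RFI_2026",
+ "SRC_REVPRAG_EMNLP_2025"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-07-04",
+ "family_key": "vector_or_cache_poisoning",
+ "family_name": "Vector store and semantic cache poisoning",
+ "pattern_name": "Embedding collision or prompt-like entry",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "Stored retrieval index or cache entries serve attacker-crafted content to later users or tasks.",
+ "surface_kind": "vector_store",
+ "default_controls": [
+ "cache partitioning",
+ "tenant isolation",
+ "signed ingestion pipeline",
+ "cache poisoning detectors"
+ ],
+ "source_ids": [
+ "SRC_OWASP_AGENTIC_TOP10_2026",
+ "SRC_NIST_CAISI_RFI_2026",
+ "SRC_REVPRAG_EMNLP_2025"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-08-01",
+ "family_key": "session_seeded_codewords",
+ "family_name": "Session-seeded coded language",
+ "pattern_name": "Safe-sounding codeword maps to secret action",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "Attackers establish innocuous shorthand or codewords that later unlock unsafe behaviors.",
+ "surface_kind": "memory_read",
+ "default_controls": [
+ "approval tokens out-of-band",
+ "memory heuristics for coded approvals",
+ "veto suspicious shorthand",
+ "bind approvals to structured IDs"
+ ],
+ "source_ids": [
+ "SRC_OWASP_PI_CHEATSHEET_2026",
+ "SRC_NIST_HIJACK_EVAL_2025",
+ "SRC_TOPICATTACK_EMNLP_2025"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-08-02",
+ "family_key": "session_seeded_codewords",
+ "family_name": "Session-seeded coded language",
+ "pattern_name": "Project alias used to bypass policy",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "Attackers establish innocuous shorthand or codewords that later unlock unsafe behaviors.",
+ "surface_kind": "memory_read",
+ "default_controls": [
+ "approval tokens out-of-band",
+ "memory heuristics for coded approvals",
+ "veto suspicious shorthand",
+ "bind approvals to structured IDs"
+ ],
+ "source_ids": [
+ "SRC_OWASP_PI_CHEATSHEET_2026",
+ "SRC_NIST_HIJACK_EVAL_2025",
+ "SRC_TOPICATTACK_EMNLP_2025"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-08-03",
+ "family_key": "session_seeded_codewords",
+ "family_name": "Session-seeded coded language",
+ "pattern_name": "Phrase later interpreted as approval token",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "Attackers establish innocuous shorthand or codewords that later unlock unsafe behaviors.",
+ "surface_kind": "memory_read",
+ "default_controls": [
+ "approval tokens out-of-band",
+ "memory heuristics for coded approvals",
+ "veto suspicious shorthand",
+ "bind approvals to structured IDs"
+ ],
+ "source_ids": [
+ "SRC_OWASP_PI_CHEATSHEET_2026",
+ "SRC_NIST_HIJACK_EVAL_2025",
+ "SRC_TOPICATTACK_EMNLP_2025"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-08-04",
+ "family_key": "session_seeded_codewords",
+ "family_name": "Session-seeded coded language",
+ "pattern_name": "Encoded shorthand for recipient or sink",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "Attackers establish innocuous shorthand or codewords that later unlock unsafe behaviors.",
+ "surface_kind": "memory_read",
+ "default_controls": [
+ "approval tokens out-of-band",
+ "memory heuristics for coded approvals",
+ "veto suspicious shorthand",
+ "bind approvals to structured IDs"
+ ],
+ "source_ids": [
+ "SRC_OWASP_PI_CHEATSHEET_2026",
+ "SRC_NIST_HIJACK_EVAL_2025",
+ "SRC_TOPICATTACK_EMNLP_2025"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-09-01",
+ "family_key": "memory_rollback_evasion",
+ "family_name": "Rollback evasion and forensic loss",
+ "pattern_name": "Write without snapshot",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "Persistent state changes evade rollback, snapshotting, or attribution, making incident recovery difficult.",
+ "surface_kind": "memory_write",
+ "default_controls": [
+ "append-only memory journal",
+ "hash baselines",
+ "snapshot before commit",
+ "forensic export hooks"
+ ],
+ "source_ids": [
+ "SRC_OWASP_AGENT_MEMORY_GUARD_2026",
+ "SRC_NCSC_PROMPT_INJECTION_2025",
+ "SRC_OWASP_AGENTIC_TOP10_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-09-02",
+ "family_key": "memory_rollback_evasion",
+ "family_name": "Rollback evasion and forensic loss",
+ "pattern_name": "Tamper with baseline hash or snapshot chain",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "Persistent state changes evade rollback, snapshotting, or attribution, making incident recovery difficult.",
+ "surface_kind": "memory_write",
+ "default_controls": [
+ "append-only memory journal",
+ "hash baselines",
+ "snapshot before commit",
+ "forensic export hooks"
+ ],
+ "source_ids": [
+ "SRC_OWASP_AGENT_MEMORY_GUARD_2026",
+ "SRC_NCSC_PROMPT_INJECTION_2025",
+ "SRC_OWASP_AGENTIC_TOP10_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-09-03",
+ "family_key": "memory_rollback_evasion",
+ "family_name": "Rollback evasion and forensic loss",
+ "pattern_name": "Rapid rewrite after detection",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "Persistent state changes evade rollback, snapshotting, or attribution, making incident recovery difficult.",
+ "surface_kind": "memory_write",
+ "default_controls": [
+ "append-only memory journal",
+ "hash baselines",
+ "snapshot before commit",
+ "forensic export hooks"
+ ],
+ "source_ids": [
+ "SRC_OWASP_AGENT_MEMORY_GUARD_2026",
+ "SRC_NCSC_PROMPT_INJECTION_2025",
+ "SRC_OWASP_AGENTIC_TOP10_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ },
+ {
+ "pattern_id": "MC-09-04",
+ "family_key": "memory_rollback_evasion",
+ "family_name": "Rollback evasion and forensic loss",
+ "pattern_name": "Cross-store inconsistency after rollback",
+ "entry_kind": "memory_context_threat_pattern",
+ "summary": "Persistent state changes evade rollback, snapshotting, or attribution, making incident recovery difficult.",
+ "surface_kind": "memory_recovery",
+ "default_controls": [
+ "append-only memory journal",
+ "hash baselines",
+ "snapshot before commit",
+ "forensic export hooks"
+ ],
+ "source_ids": [
+ "SRC_OWASP_AGENT_MEMORY_GUARD_2026",
+ "SRC_NCSC_PROMPT_INJECTION_2025",
+ "SRC_OWASP_AGENTIC_TOP10_2026"
+ ],
+ "credibility": "high",
+ "last_verified": "2026-03-28"
+ }
+ ]
+ }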
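Review bot: Every entry repeats its family's `family_name`, `summary`, `default_controls` and `source_ids` verbatim, so MC-01-01 through MC-01-04 differ only in `pattern_id` and `pattern_name`, and the same holds for the other eight families; a correction to one family's control list has to be made in four places and nothing in the file flags a copy that has drifted. Moving those four shared fields into a `families` object keyed by `family_key` and leaving each entry with `pattern_id`, `family_key`, `pattern_name`, `entry_kind` and `surface_kind` (which does vary inside MC-07 and MC-09) removes the duplication; the excerpt below shows one family and one entry, and the remaining 35 entries would follow the same shape, expanded back to the flat form at load time if consumers need it. `credibility` is `"high"` and `last_verified` is `"2026-03-28"` on all 36 entries, so as written they carry no per-entry information; if they are meant to vary, a JSON Schema with `enum` constraints on `credibility` and `surface_kind` would make that checkable when the knowledge base is built. The file list shows a `.sig` for the knowledge-base index and the zip but none for this file, so whether its integrity is verified before the loader reads it depends on the signed index carrying a digest for it, which is not visible in this hunk.
```json
"families": {
  "memory_write_override": {
    "family_name": "Malicious memory writes",
    "summary": "Untrusted content attempts to store attacker-authored instructions, goals, or preferences into persistent memory.",
    "default_controls": ["memory write policy", "signed trusted writes", "taint-aware persistence", "human approval for durable memory"],
    "source_ids": ["SRC_OWASP_AGENT_MEMORY_GUARD_2026", "SRC_OWASP_AGENTIC_TOP10_2026", "SRC_NIST_AGENTIC_EMERGING_2026"]
  }
},
"entries": [
  {
    "pattern_id": "MC-01-01",
    "family_key": "memory_write_override",
    "pattern_name": "Store attacker-defined rule as user preference",
    "entry_kind": "memory_context_threat_pattern",
    "surface_kind": "memory_write"
  }
]
```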