Hidden instruction document ingestion

Instructions are hidden in ingested documents, causing the agent to act unexpectedly.

• See attack-chain-template.md for full structure.
• Related: docs/01-threat-model.md, patterns/secure-agent-runtime.md

An attacker conceals directives inside a document — in metadata, comments, or invisible text — so when retrieval ranks it highly the agent ingests it and treats the embedded instructions as control rather than evidence, overriding policy or invoking tools the user never asked for.

1. Document with — hidden instructions→Embedding — and ranking
2. Embedding — and ranking→High-rank — retrieval
3. High-rank — retrieval→Agent treats — text as control
4. Agent treats — text as control→Policy override / — unintended tool call

Defence checks provenance and freshness at ingestion, scans for instruction-shaped content, enforces instruction-data separation in the agent’s context, and runs every action through a policy decision and runtime guardrail so embedded directives cannot quietly become commands.

1. 1Provenance and freshness — check at ingestion
2. 2Instruction-shape — anomaly detection
3. 3Instruction-data — separation in context
4. 4Policy decision — before action
5. 5Runtime guardrail — on drift from approved task