Memory poisoning

Malicious input corrupts agent memory, leading to unsafe or unintended actions.

• See attack-chain-template.md for full structure.
• Related: docs/01-threat-model.md, patterns/memory-security.md

An attacker manipulates input during one session so a poisoned fact is committed to long-term memory; in a later, unrelated session the agent retrieves it as trusted state and lets it shape decisions the attacker is no longer present to make.

• [*] --> UntrustedWrite : Manipulated — input arrives
• UntrustedWrite --> StoredAsTrusted : No classification — at write
• StoredAsTrusted --> RetrievedAsState : Future task — reads memory
• RetrievedAsState --> InfluencesAction : Treated as — agent fact
• InfluencesAction --> [*]

Defence classifies and tags every write with provenance and expiry, blocks instruction-shaped content from entering memory, and re-checks freshness and trust on every read so that no untrusted fact silently becomes durable agent state.

1. Memory store→Write-side — controls
2. Memory store→Read-side — controls
3. Write-side — controls→Classification — before write
4. Write-side — controls→Provenance and — expiry tags
5. Write-side — controls→Anomaly detection on — instruction-shaped content
6. Read-side — controls→Freshness — filter
7. Read-side — controls→Instruction-data — separation in memory
8. Read-side — controls→Logging of — influential reads