Poisoned retrieved context

Retrieved context is manipulated to influence agent behaviour or outputs.

• See attack-chain-template.md for full structure.
• Related: docs/01-threat-model.md, patterns/memory-security.md

An attacker plants a document the retriever will rank highly so that when the agent fetches context for an unrelated task it pulls in attacker-controlled content and treats it as authoritative evidence for a high-impact decision.

1. Attacker plants — poisoned doc→Retriever ranks — by relevance
2. Retriever ranks — by relevance→Agent treats content — as evidence
3. Agent treats content — as evidence→Action on — false premise
4. Action on — false premise→Organisational — impact

Defence checks every retrieval result for provenance and freshness, attaches an explicit trust label, and routes it through a policy decision so that low-trust or stale content cannot silently shape the agent’s reasoning.

1. Retrieval — result→Provenance — check
2. Provenance — check→Freshness — filter
3. Freshness — filter→Trust label — applied
4. Trust label — applied→Policy — decision
5. Policy — decision→Agent — reasoning