Untrusted Content Isolation #1195
Description
Defense-in-depth against indirect prompt injection across all external data sources.
Zeph processes data from web scraping, MCP servers, A2A agents, tool results, and memory retrieval — all of which may contain adversarial instructions. This epic implements multi-layered isolation: content sanitization with spotlighting, quarantined summarization, exfiltration guards, and TUI visibility.
Research: .local/plan/untrusted-content-isolation.md
Phase 1: Core Infrastructure
- [SEC-1.1] TrustLevel enum and ContentSource model #1196 — TrustLevel enum and ContentSource model
- [SEC-1.2] ContentSanitizer with injection pattern detection #1197 — ContentSanitizer with injection pattern detection
- [SEC-1.3] Content isolation config section #1198 — Content isolation config section
- [SEC-1.4] ContextBuilder sanitizer integration #1199 — ContextBuilder sanitizer integration
Phase 2: Source-Specific Integration
- [SEC-2.1] Tool result sanitization boundary #1200 — Tool result sanitization boundary
- [SEC-2.2] MCP response sanitization boundary #1201 — MCP response sanitization boundary
- [SEC-2.3] A2A message sanitization boundary #1202 — A2A message sanitization boundary
- [SEC-2.4] Memory retrieval sanitization boundary #1203 — Memory retrieval sanitization boundary
Phase 3: Quarantined Summarizer
- [SEC-3.1] QuarantinedSummarizer for high-risk sources #1204 — QuarantinedSummarizer for high-risk sources (Dual LLM pattern)
Phase 4: Exfiltration Guards
- [SEC-4.1] Markdown image exfiltration guard #1205 — Markdown image exfiltration guard
- [SEC-4.2] Tool call argument validation guard #1206 — Tool call argument validation guard
- [SEC-4.3] Memory write poisoning guard #1207 — Memory write poisoning guard
Phase 5: UI Integration
- [SEC-5.1] TUI security indicators and event log #1208 — TUI security indicators and event log
- [SEC-5.2] CLI security event reporting #1209 — CLI security event reporting
References
- Design Patterns for Securing LLM Agents (arXiv 2506.08837)
- Anthropic Prompt Injection Defenses
- Microsoft Indirect Prompt Injection Defense
- OWASP LLM Prompt Injection Prevention
- Simon Willison: The Lethal Trifecta
- CaMeL: Google DeepMind Taint Tracking
Cross-Epic Dependencies (with #1222 Graph Memory)
| Security Epic | Graph Memory | Relationship |
|---|---|---|
| #1207 (memory write poisoning) | #1225 (extraction write) | Graph extraction is a new write path into memory — guard must cover GraphStore writes |
| #1203 (memory retrieval sanitization) | #1226 (graph retrieval) | graph_recall() is a new read path — sanitizer must cover graph facts |
| #1204 (quarantined summarizer) | #1228 (community summaries) | Shared pattern: isolated LLM call — first implemented sets the abstraction |