Prompt-Injection Hardening
What this guide covers
Stigmem treats recalled facts as data, not instructions. The node enforces the protocol-side boundary, but operators still choose the adapters and models that consume recalled content. This guide captures the current alpha hardening posture while ADR-015 certification work continues.
Trust boundary
Current operator guidance
Narrowest scopes: Use the narrowest read and write scopes that satisfy the agent's task.
No instruction:write: Do not grant it unless the agent is explicitly responsible for authoring instruction facts.
Channel-separated adapters: Prefer adapters that consume channel-separated recall output directly.
Treat models as uncertified: Do so until public ADR-015 results exist in data/conformance/adversarial/results/index.json.
Document accepted risk: Record it for cross-organization federation workloads that use an uncertified model.
Running the offline harness
The offline harness validates the corpus, result schema, and tier calculation:
uv run python scripts/run_adversarial_conformance.py
This does not certify a live model. It is a local readiness check for the framework used by provider-backed certification runs. When you are ready to test a live model, use --provider openai, --provider anthropic, or --provider ollama with the credential configuration described in the model-certification page. Treat the generated JSON as evidence for review, not as an automatic project certification.
When live certifications land
Re-run certification when the corpus version changes or when a provider changes the model version used in production. Published certified and provisional results also expire after 90 days unless a newer reviewed result replaces them.
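As an added example of applying these three rules (corpus version change, production model version change, 90-day expiry unless a newer reviewed result replaces it), the check below reads a results index and reports whether a model is currently covered. This is illustrative code written for this guide, not a script from the Stigmem repository, and the record fields it expects (model, model_version, corpus_version, status, reviewed_at) are assumptions about the index schema, as is the top-level "results" key.

```python
"""Certification freshness check (illustrative; index field names are assumed)."""
import json
from datetime import date, timedelta

EXPIRY = timedelta(days=90)          # stated on the page
ACCEPTED = {"certified", "provisional"}  # statuses that count as reviewed results


def load_results(path: str) -> list:
    """Read the results index; the 'results' list key is an assumption."""
    with open(path, encoding="utf-8") as f:
        return json.load(f)["results"]


def evaluate(results: list, model: str, model_version: str,
             corpus_version: str, today: date) -> dict:
    """Decide whether a model's newest reviewed result still covers production use.

    Only the newest reviewed result for the model matters: an older one is replaced
    by it, so it never needs its own expiry check.
    """
    reviewed = [r for r in results if r["model"] == model and r["status"] in ACCEPTED]
    if not reviewed:
        return {"state": "uncertified", "reason": "no reviewed result for this model"}
    newest = max(reviewed, key=lambda r: date.fromisoformat(r["reviewed_at"]))
    if newest["corpus_version"] != corpus_version:
        return {"state": "rerun", "reason": f"corpus version changed to {corpus_version}"}
    if newest["model_version"] != model_version:
        return {"state": "rerun", "reason": f"model version changed to {model_version}"}
    age = today - date.fromisoformat(newest["reviewed_at"])
    if age > EXPIRY:
        return {"state": "expired", "reason": f"result is {age.days} days old"}
    return {"state": newest["status"], "reason": f"reviewed {newest['reviewed_at']}"}


# Constructed sample index for the example; not real certification data.
SAMPLE_RESULTS = [
    {"model": "modelA", "model_version": "2025-01", "corpus_version": "1.0",
     "status": "certified", "reviewed_at": "2025-03-01"},
    {"model": "modelA", "model_version": "2025-01", "corpus_version": "1.0",
     "status": "provisional", "reviewed_at": "2025-04-15"},
    {"model": "modelB", "model_version": "3", "corpus_version": "1.0",
     "status": "failed", "reviewed_at": "2025-04-20"},
]


if __name__ == "__main__":
    today = date(2025, 6, 1)
    for model, version in (("modelA", "2025-01"), ("modelA", "2025-02"), ("modelB", "3")):
        print(model, version, evaluate(SAMPLE_RESULTS, model, version, "1.0", today))
```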