Series draft — Part 14 of 15 in Hardened Agentic Stack. Outline only; expand before un-drafting.
Phase 5: Human-in-the-Loop — Defense in Depth
The Problem
Prompt injection via READMEs, bug reports, or telemetry still steers tool use.
The Infrastructure Fix
Instruction filter / scrubber before the reasoning phase; ATR still enforces tool calls.
The Architecture Pattern
Sanitized Input Layer — external data is untrusted until extracted as data, not instructions.
Planned sections
- The “Oh No” moment — concrete incident or near-miss that makes the risk visceral.
- ClawQL context — how this control protects a high-privilege local/edge agent.
- Technical how-to — concrete configs, policies, or snippets a builder can apply.
- Safety check — what “trusted enough” looks like once this layer is in place.
Key visuals
- Untrusted source → scrubber → reasoner → Panguard
Source modules (docs.clawql.com)
- mcp-runtime-enforcement-panguard-atr
- input-validation-protocol-hardening
- memory-context-poisoning-prevention
- owasp-agentic-top-10-mitigations
Rule of Three (keep on publish)
| Layer | Takeaway |
|---|---|
| Problem | Prompt injection via READMEs, bug reports, or telemetry still steers tool use. |
| Infrastructure fix | Instruction filter / scrubber before the reasoning phase; ATR still enforces tool calls. |
| Architecture pattern | Sanitized Input Layer — external data is untrusted until extracted as data, not instructions. |