Same topic, related formats. Practice these next.
Same topic, related formats. Practice these next.
Poisoning persists in long-lived context (memory, summaries) and influences many future turns; injection lives one call. Defend poisoning at write time, not assembly time.
Imagine a one-shot lie whispered in a meeting can be challenged on the spot and forgotten by tomorrow. A lie written into the official meeting minutes is read by everyone who opens those minutes next week, next month, next year, until someone notices and corrects the record. Prompt injection is the whisper; context poisoning is the lie in the minutes. The agent's persistent memory, its rolling conversation summary, its saved chat snippets, those are the minutes. Once a bad statement lands there, every future session that reads from those minutes inherits it. Stopping it requires guarding what gets written down, not just being careful about what gets said in the moment.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
7 minutes: the persistence-surface taxonomy, the two-step attack chain, write-time and lifecycle defenses, and the recovery path when poisoning is detected.
# Hardened memory write path
from pydantic import BaseModel, Field
from enum import Enum
class Source(str, Enum):
USER_STATED = 'user_stated'
AGENT_INFERRED = 'agent_inferred'
TOOL_DERIVED = 'tool_derived'
class MemoryEntry(BaseModel):
subject: str
predicate: str
object: str
source: Source
call_id: str
confidence: float = Field(ge=0, le=1)
ttl_days: int
INJECTION_PATTERNS = [
'ignore previous instructions', 'as an admin', 'forget that you cannot',
'system override', 'new instructions:', 'pretend you are'
]
def commit_memory(entry: MemoryEntry, store) -> bool:
# 1. Schema validation already enforced by Pydantic
# 2. Adversarial-pattern matching
text = f'{entry.subject} {entry.predicate} {entry.object}'.lower()
if any(p in text for p in INJECTION_PATTERNS):
log_security_event('memory_write_blocked', entry)
return False
# 3. Source-trust gating
if entry.source == Source.TOOL_DERIVED and entry.confidence < 0.7:
entry.ttl_days = min(entry.ttl_days, 1) # short TTL for low-trust
# 4. Provenance + commit
store.write(entry, provenance={'call_id': entry.call_id})
return TrueReal products, models, and research that use this idea.
What an interviewer would ask next. Try answering before peeking at the approach.
Red flags and common mistakes that signal junior thinking. Click to expand.
Treating poisoning as a flavor of injection and proposing the same defenses. Assembly-time delimiters do nothing for content already saved in memory.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.