
Commit 39ca319

docs(static-variables): add prompt-injection threat model and trust tiers
Expands tools/static-variables-and-aliases.mdx with the security framing that customers building progressive-authentication flows need:

- Lead with the naming distinction between function.parameters (LLM-facing JSON schema) and the top-level parameters array (server-merged, LLM-invisible). The dashboard surfaces both as similarly-named sections, which has bitten customers.
- Document the full Liquid variable bag in three trust tiers: Tier 1 server-trusted (customer.*, phoneNumber.*, transport.*, call.*, assistant.*, time, assistantOverrides.variableValues set at call start), Tier 2 conversation-derived (messages, transcript, prompt -- not safe as a security boundary), Tier 3 LLM-derived (variableExtractionPlan aliases from non-trusted sources, handoff arguments, handoff schema extraction).
- Five common failure modes with bad/good code pairs covering the patterns that defeat the security boundary (defining the trusted field in function.parameters; body-default leak; system-prompt forwarding; unsafe alias chains; mid-call bag mutation).
- Worked example for caller-ID-based progressive authentication.
- Tool-type support matrix, plus an explicit warning that legacy assistant.model.functions[] does NOT support static parameters.
- Cross-link to /squads/passing-data-between-assistants for the three-approaches handoff guide; flag the squads guide's Approach 1 (function.parameters on handoff) as not-a-security-boundary for signaling-derived values.
- Document the known limitation that destination.assistantOverrides.variableValues is not Liquid-resolved at handoff time.
- Dashboard mental model: Parameters (JSON schema editor) vs Static Body Fields (key/value rows with Liquid).

Surfaced by Mudflap asking how to do progressive auth without giving the LLM a path to forward a fake caller-ID.

Skipped: workflow-extraction failure mode (workflows are deprecated).
Skipped: test-writer / code-reviewer (docs-only PR, per write-pr rules).
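The trust-boundary point the commit message makes (an LLM-facing field in function.parameters can be forged by the model, a server-merged static field rendered from the Tier 1 bag cannot) can be simulated without the platform. The block below is an added example written for this page; it is not Vapi's code and not part of the documentation the commit touches. It assumes a simplified merge order (LLM arguments for declared schema fields first, static fields rendered from the trusted bag merged last), a constructed bag with only `customer.number` and `call.id`, a constructed tool layout with a top-level `parameters` list of `{"name", "value"}` rows, and a two-line `{{ name }}` substitution standing in for Liquid. It also covers the body-default leak: a Liquid default on an LLM-facing field only applies when the model omits the field, so it is no boundary either.

```python
import re

# Constructed sample of the Tier 1 (server-trusted) part of the variable bag.
# Values are made up for this example.
TRUSTED_BAG = {
    "customer.number": "+15551234567",
    "call.id": "call_abc123",
}

# Constructed tool definitions. The layout (function.parameters holding the
# LLM-facing JSON schema, a top-level "parameters" list holding server-merged
# static body fields) is an assumption of this simulation.
BAD_TOOL = {  # trusted field exposed in the LLM-facing schema, with a Liquid default
    "function": {
        "name": "lookup_account",
        "parameters": {
            "type": "object",
            "properties": {
                "callerId": {"type": "string", "default": "{{ customer.number }}"},
                "zip": {"type": "string"},
            },
        },
    },
    "parameters": [],
}

GOOD_TOOL = {  # trusted field lives only in the server-merged static list
    "function": {
        "name": "lookup_account",
        "parameters": {
            "type": "object",
            "properties": {"zip": {"type": "string"}},
        },
    },
    "parameters": [{"name": "callerId", "value": "{{ customer.number }}"}],
}

# Arguments as a model might emit them after a prompt-injection attempt:
# the caller's zip plus a forged caller ID. Constructed.
FORGED_ARGUMENTS = {"callerId": "+15559999999", "zip": "94105"}


def render(template, bag):
    """Minimal {{ name }} substitution standing in for Liquid; unknown names render empty."""
    return re.sub(r"\{\{\s*([\w.]+)\s*\}\}", lambda m: bag.get(m.group(1), ""), template)


def build_request_body(tool, llm_arguments, bag):
    """Assemble the outbound tool-call body.

    Assumed merge order: LLM-supplied values for fields declared in the schema
    (or their rendered default when the model omits the field), then the static
    fields rendered from the trusted bag, merged last so they overwrite anything
    the model placed under the same key.
    """
    body = {}
    schema = tool["function"]["parameters"]["properties"]
    for name, spec in schema.items():
        if name in llm_arguments:
            body[name] = llm_arguments[name]  # model-controlled (Tier 3)
        elif "default" in spec:
            body[name] = render(spec["default"], bag)  # only reached if the model omits it
    for field in tool.get("parameters", []):
        body[field["name"]] = render(field["value"], bag)  # server-controlled (Tier 1)
    return body


def lint_trusted_fields(tool, trusted_field_names):
    """Return the trusted field names that are wrongly exposed in the LLM-facing schema."""
    schema = tool["function"]["parameters"]["properties"]
    return sorted(name for name in trusted_field_names if name in schema)


if __name__ == "__main__":
    print("bad, forged :", build_request_body(BAD_TOOL, FORGED_ARGUMENTS, TRUSTED_BAG))
    print("bad, omitted:", build_request_body(BAD_TOOL, {"zip": "94105"}, TRUSTED_BAG))
    print("good, forged:", build_request_body(GOOD_TOOL, FORGED_ARGUMENTS, TRUSTED_BAG))
    print("lint bad    :", lint_trusted_fields(BAD_TOOL, {"callerId"}))
```

Run stand-alone, the bad tool forwards the forged number whenever the model supplies one and falls back to the trusted default only when it does not, while the good tool forwards the trusted number regardless of what the model emits. `lint_trusted_fields` is the check worth adding to a config review: any field that is supposed to come from the Tier 1 bag must not appear in function.parameters at all.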
1 parent 1882434 commit 39ca319

1 file changed

Lines changed: 277 additions & 14 deletions

