Skip to content

feat: add Iteration 3e for memory security and integrity (OWASP ASI06)#5

Merged
krokoko merged 1 commit intomainfrom
feature/memory-security-roadmap
Apr 2, 2026
Merged

feat: add Iteration 3e for memory security and integrity (OWASP ASI06)#5
krokoko merged 1 commit intomainfrom
feature/memory-security-roadmap

Conversation

@theagenticguy
Copy link
Copy Markdown
Contributor

@theagenticguy theagenticguy commented Apr 2, 2026

Summary

Adds a new roadmap iteration (3e) and updates design documents to address memory poisoning — classified as OWASP ASI06 (Memory & Context Poisoning) in the 2026 Top 10 for Agentic Applications. Based on a deep research report covering 33 sources (academic papers, CVE disclosures, OWASP standards, and industry analyses).

Changes across 3 files (docs only, no code changes):

  • ROADMAP.md — New Iteration 3e with 4 implementation phases (input hardening → trust-aware retrieval → detection & response → advanced protections), addressing 9 identified memory-layer security gaps
  • MEMORY.md — New "Memory Security Analysis" section: full threat taxonomy (intentional + emergent corruption), 9-gap table with severity ratings, 6-layer defense architecture diagram, existing mitigations catalog, academic references
  • SECURITY.md — OWASP ASI06 classification, expanded attack vectors (MINJA, GitHub issue injection, experience grafting, RAG poisoning, emergent self-corruption), 6-layer defense requirements, updated Known Limitations

Key findings from research

  1. MINJA achieves 95%+ injection success against undefended agent memory (query-only, no direct access needed)
  2. Emergent self-corruption (hallucination crystallization, feedback loops) is equally dangerous — no attacker signature
  3. Defense requires 6 layers working together; no single control is sufficient
  4. The platform has strong network security but 9 memory-layer gaps — most critically, loadMemoryContext() injects retrieved memory without any validation

9 identified gaps

# Gap Severity
1 No memory content validation in loadMemoryContext() Critical
2 No source provenance tracking on memory entries Critical
3 GitHub issue content injected without trust differentiation Critical
4 No trust scoring at retrieval High
5 No memory integrity checking (hashing/signatures) High
6 No anomaly detection on memory patterns High
7 No memory rollback capability High
8 No write-ahead validation (guardian pattern) Medium
9 No circuit breaker for behavioral anomalies Medium

4-phase implementation roadmap

  • Phase 1 — Input hardening: content sanitization, GitHub issue filtering, provenance metadata, SHA-256 integrity hashing
  • Phase 2 — Trust-aware retrieval: trust scoring, temporal decay TTLs, memory validation Lambda
  • Phase 3 — Detection & response: CloudWatch anomaly detection, circuit breaker, quarantine API, snapshot rollback
  • Phase 4 — Advanced protections: guardian model, cross-task drift detection, Merkle tree provenance, MINJA/AgentPoison red teaming

Test plan

  • Verify ROADMAP.md renders correctly with new Iteration 3e section and updated summary
  • Verify MEMORY.md threat taxonomy tables, gap analysis table, and defense architecture diagram render correctly
  • Verify SECURITY.md expanded attack vectors and updated Known Limitations are consistent with MEMORY.md
  • Verify cross-references between ROADMAP.md ↔ MEMORY.md ↔ SECURITY.md resolve correctly
  • Confirm no breaking changes to existing content (docs-only PR)

@theagenticguy
Add Iteration 3e: Memory security and integrity
d6abf1a 
Address OWASP ASI06 (Memory & Context Poisoning) with a 4-phase
implementation plan based on deep research (33 sources).

ROADMAP.md:
- Add Iteration 3e between 3d and 4 with 4 phases:
  Phase 1 (input hardening), Phase 2 (trust-aware retrieval),
  Phase 3 (detection and response), Phase 4 (advanced protections)
- Update summary section with 3e entry

MEMORY.md:
- Add Memory Security Analysis section with full threat taxonomy
  (intentional and emergent corruption vectors)
- Document 9 identified gaps with severity ratings
- Define 6-layer defense architecture
- Catalog existing partial mitigations
- Add academic and industry references

SECURITY.md:
- Add OWASP ASI06 classification and context
- Expand attack vectors beyond PR review comments (MINJA,
  GitHub issue injection, experience grafting, RAG poisoning,
  emergent self-corruption)
- Document 6-layer defense architecture requirements
- Update Known Limitations with memory security gaps
@theagenticguy theagenticguy requested a review from a team as a code owner April 2, 2026 19:50
@theagenticguy theagenticguy changed the title Add Iteration 3e: Memory security and integrity (OWASP ASI06) docs: Memory security and integrity Apr 2, 2026
@theagenticguy theagenticguy changed the title docs: Memory security and integrity docs: add Iteration 3e for memory security and integrity (OWASP ASI06) Apr 2, 2026
@theagenticguy theagenticguy changed the title docs: add Iteration 3e for memory security and integrity (OWASP ASI06) feat: add Iteration 3e for memory security and integrity (OWASP ASI06) Apr 2, 2026
@krokoko krokoko merged commit af6dafe into main Apr 2, 2026
7 of 12 checks passed
@theagenticguy
Copy link
Copy Markdown
Contributor Author

theagenticguy commented Apr 2, 2026

CI Note: The build job is failing due to a transient GitHub API rate limit (403) when mise tries to install trivy@0.69.2. This is unrelated to the docs-only changes in this PR — main branch builds pass fine. Re-running to clear the flake.

@krokoko krokoko deleted the feature/memory-security-roadmap branch April 6, 2026 23:07
@leandrodamascena leandrodamascena mentioned this pull request Apr 12, 2026
Open
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@krokoko krokoko krokoko approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@theagenticguy @krokoko