1sbang tries to teach Mike when to refuse

A security-only proposal that rewrites Mike's ground rules around intent, so it stops helping with requests it should turn down.

securitycompliance

1sbang ran Mike's core instructions through an automated red-team tool and found three soft spots: it would happily recite its own instructions on request, it would pull personal data out of a document as long as one was uploaded, and it dodged abusive tool requests with "I can't do that" instead of refusing outright. The fix reframes all three around what's being asked, not whether the request is technically possible:

  • Confidentiality: Mike won't reveal or paraphrase its own instructions, even when asked to "continue where you left off" or similar tricks.
  • Privacy boundaries: it refuses to extract personal data like government IDs, financial accounts, medical records, criminal history, or individual settlement amounts, while still handling ordinary contract work like payment terms and party names.
  • Tool boundaries: it declines patterns like copying documents between different clients' matters, making silent edits without showing them, or content designed to leak a document's contents.

1sbang reports attack refusals climbed sharply with no hit to legitimate work, tested on held-out examples to avoid gaming the numbers.

So what The proposal was closed without merging, so nothing shipped, but anyone weighing how a legal-AI assistant should behave under pressure will find it a useful blueprint.

View this fork on GitHub →

Spotted something wrong? Or know the PR text has fresher detail than the writeup above?

Commits in this thread

1 commit from 1sbang/mike, oldest first. Source extracted verbatim from the harvested git log.

SHA Subject Author Date
48c9f772 Security hardening: system prompt confidentiality, PII boundaries, and tool use guardrails Isaac Bang 2026-05-05 ↗ GitHub
commit body
Adds three security sections to SYSTEM_PROMPT in chatTools.ts:

CONFIDENTIALITY: instructs Mike to never reveal, quote, or acknowledge its
system instructions, including fake-prior-context social engineering patterns.

PRIVACY BOUNDARIES: enumerates PII categories always refused on intent (not
on document availability): SSNs, bank accounts, passports, addresses, phone,
DOB, medical, genetic, biometrics, protected class attributes, compensation
details, criminal history, and settlement amounts tied to named individuals.
Preserves normal legal document work (contract terms, party identification).

TOOL USE BOUNDARIES: adds intent-based refusal for bulk document/workflow
enumeration, cross-client data replication, silent edits without review,
injection payloads, and external forwarding clauses.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Capture this thread into my fork

Download a single Markdown prompt that tells Claude how to port every commit above into your working tree — adapting paths and structure to match your repo. Run it via claude -p < capture-thread-798.md from inside the repo you want the changes in.

⬇ Download capture-thread-798.md