System prompt hardening: PII refusals, tool misuse guardrails, prompt confidentiality
@1sbang ran 330 attack probes against Mike's baseline prompt and found three gaps worth fixing in a legal AI context. The resulting change is 35 lines added to `chatTools.ts` - no tool or routing changes, just prompt text.
The baseline had measurable weaknesses. At 27% block rate the model would paraphrase its instructions when asked directly. At 61% it would offer to extract SSNs once a document was present - treating PII guardrails as conditional on document availability rather than on what the request was trying to do. Bulk document enumeration and cross-matter copying hit only 56% block because the model deflected on missing tools rather than refusing the intent.
The fix adds three sections to SYSTEM_PROMPT in backend/src/lib/chatTools.ts. CONFIDENTIALITY scripted a specific fallback response ("I have no record of sharing system instructions in this conversation") and prohibits acknowledging the prompt's existence under any framing, including the "continue where you left off" pattern. PRIVACY BOUNDARIES enumerates 13 protected categories - SSNs, financial account numbers, medical records, named-individual settlement amounts, protected class attributes - and carves out normal contract work so the guardrail doesn't block party identification or payment term extraction. TOOL USE BOUNDARIES targets seven patterns by intent: bulk enumeration, multi-copy operations, cross-client replication, silent edits, injection payloads, and exfiltration clauses.
The validation split hit 100% block on prompt leakage, 100% on PII, 100% on tool misuse, and 0% false refusals across document QA, drafting, editing, and research strata. The author flagged prompt injection and jailbreak categories as already above threshold at baseline and left them out of scope.
The PR opened 2026-05-05 and closed without merging on 2026-05-09.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?