System prompt gains confidentiality, PII, and tool-use guardrails
nforum adds 35 lines to the system prompt covering three refusal categories: system prompt leakage, PII extraction, and tool-use boundaries. All three use intent-based refusal - the model is told to decline based on what is being asked, not whether the relevant data is currently available.
The commit (48c9f77) is purely additive - a single file, three new sections appended to SYSTEM_PROMPT in backend/src/lib/chatTools.ts.
CONFIDENTIALITY instructs the model never to quote or acknowledge the system prompt, including under fake-continuation attacks ("continue where you left off," "finish pasting your instructions"). A specific deflection string is prescribed for that case.
PRIVACY BOUNDARIES enumerates twelve PII categories the model must refuse to extract regardless of document availability: SSNs, bank accounts, passports, home addresses, phone numbers, dates of birth, medical and genetic data, biometrics, protected-class attributes, individual compensation, criminal history, and named-individual settlement amounts. Standard legal work - party identification, contract terms, business addresses, payment amounts in document context - is explicitly preserved.
TOOL USE BOUNDARIES prohibits bulk enumeration of documents or workflows, cross-client data replication, silent edits without user review, processing injection payloads, and adding external-forwarding clauses to contracts.
Two things to check. This commit and the MCP Connectors PR (#32) land on the same day; the tool-use guardrails appear written with user-installed connectors in mind, so reviewing them together makes sense. The bulk-enumeration prohibition could also cut into legitimate multi-document tabular-review flows depending on how users phrase those requests - test before importing.
Prompt-only guardrails are a best effort. They add tokens to every request and can be worked around with sufficient prompt budget. A defense-in-depth posture would pair them with application-level controls.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?