Trust-Boundary Map

Module 9, Lesson 9.2 · per-boundary hardening worksheet · produces Section 3 of /capstone/security-posture.md

Save this as: worksheet stays in your notebook; the per-boundary blocks and the Section 3 draft copy into /capstone/security-posture.md.

Use it again: every time you add a new source of untrusted text — a new MCP, a new research pipeline, a new inbound channel — re-draw the map before you use it in anger.

Trust is a property of text, not of sources.

Any text inside the agent's context window is trying to influence the agent, regardless of where it came from. A trust boundary is the line between text you wrote and text something else wrote. Segregate it. Refuse to act on instructions found inside it. Keep the audience equal to you.

Header

Student: Date:

Capstone pipeline referenced:

Part 1 — Inventory: every source of untrusted text

Ten rows, pre-ruled — list what you have, not more

A research agent reads web pages. An inbox agent reads email. A pipeline stage reads the upstream stage's markdown output. A plugin's MCP response is text an agent will read. Fill in what you actually run; if fewer than ten, leave blank rows.

#	Source of untrusted text	Agent that reads it	Handoff boundary	Current hardening
1
2
3
4
5
6
7
8
9
10

Part 2 — Per-boundary block (duplicate as needed)

One card per boundary. For each: what crosses it, how you currently segregate untrusted text from your own instructions, the refusal line the agent uses if the untrusted text contains instructions, and the containment rail (audience-equals-you, local-only, draft-only) that makes a successful injection survivable.

Boundary 1 Boundary name

What crosses it

Current segregation phrasing (how untrusted text is labeled in the prompt)

Refusal line (what the agent says when it finds instructions inside untrusted text)

Containment rail (what keeps the blast radius small if the agent gets fooled)

Boundary 2 Boundary name

What crosses it

Current segregation phrasing

Refusal line

Containment rail

Boundary 3 Boundary name

What crosses it

Current segregation phrasing

Refusal line

Containment rail

Boundary 4 Boundary name

What crosses it

Current segregation phrasing

Refusal line

Containment rail

Part 3 — Three-defense check

Every boundary in Part 2 — does it have all three?

A boundary missing any one of the three defenses is a boundary you should assume will be crossed. Answer per boundary; repeat the three rows if you are auditing multiple.

Segregation: is untrusted text clearly labeled as untrusted inside the prompt, not mixed with instructions? ☐ Yes ☐ Partial ☐ No

Refusal: does the agent have an explicit refusal line for instructions found inside untrusted text? ☐ Yes ☐ Partial ☐ No

Audience = you: is the worst-case output confined to a draft only you read? ☐ Yes ☐ Partial ☐ No

Part 4 — Pipeline-specific boundaries

One row per pipeline stage in your Module 8 blueprint

Each file handed from one stage to the next is a trust boundary inside your own pipeline. An injection in stage 1's research output becomes a stage 2 prompt. Read from /capstone/pipeline-v1/blueprint.md.

#	Stage name	Reads which file	Upstream writer	Hardening in place
1
2
3
4
5
6

Part 5 — Section 3 draft block

Copy this block into /capstone/security-posture.md and fill in from Parts 1 and 2. One bullet per boundary you identified. Keep it terse — a boundary description longer than two lines is usually a sign you have not named it tightly enough.

## 3. Trust boundaries

Every place untrusted text enters my system, and the hardening at each
boundary.

- **Boundary:** ______________________________________________
  - What crosses it: ________________________________________
  - Segregation: ____________________________________________
  - Refusal line: ___________________________________________
  - Containment rail: _______________________________________

- **Boundary:** ______________________________________________
  - What crosses it: ________________________________________
  - Segregation: ____________________________________________
  - Refusal line: ___________________________________________
  - Containment rail: _______________________________________

- **Boundary:** ______________________________________________
  - What crosses it: ________________________________________
  - Segregation: ____________________________________________
  - Refusal line: ___________________________________________
  - Containment rail: _______________________________________

- **Boundary:** ______________________________________________
  - What crosses it: ________________________________________
  - Segregation: ____________________________________________
  - Refusal line: ___________________________________________
  - Containment rail: _______________________________________

**Audience-equals-you applies at every boundary:** the worst-case output
of a successful injection is a draft only I read. No auto-send,
no auto-post, no auto-RSVP.

Section 3 ready-to-freeze checklist

Inventory table has at least one row; every row I use is fully filled in.
Per-boundary block is drafted for every boundary named in the inventory.
Three-defense check is Yes / Yes / Yes for every boundary — any No or Partial has a fix scheduled.
Pipeline-specific boundary table reflects the current Module 8 blueprint.
Section 3 draft pasted into /capstone/security-posture.md with all placeholders replaced by real text.

This worksheet accompanies Lesson 9.2 of AI Architect Academy. The trust-boundary frame, the three-defense check, and the audience-equals-you containment rule are concept. Specific prompt phrasings for segregation and refusal live in /recipe-book/hardening-a-trust-boundary.md and are recipe.