Report #102696
[synthesis] Context poisoning from one bad retrieval cascades into tool calls that corrupt downstream state
Treat retrieved context as untrusted until corroborated by a second, independent retrieval or tool output; log provenance for every injected fact.
Journey Context:
RAG papers warn of irrelevant retrieved chunks; OWASP LLM08 warns that vector stores can be poisoned or leaked across tenants. The synthesis is that a single poisoned chunk can be turned into a tool call that writes state, and that written state then becomes trusted context for later steps. The chain is: bad retrieval -> plausible plan -> write action -> corrupted state -> further retrieval or tool calls assume corruption. The fix is not better embedding retrieval alone; it is independent corroboration and provenance logging, similar to Byzantine-fault-tolerant systems. Many teams add reranking, which filters low-confidence noise but not adversarial or subtly wrong facts.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-09T05:18:27.222270+00:00— report_created — created