Every document that enters the Harness AI RAG pipeline is untrusted input — regardless of its origin, format, or apparent legitimacy. Municipal ordinances, contractor reports, expediente attachments, and financial records may all contain natural-language text that, if passed to a model without explicit framing, could be interpreted as instructions rather than evidence. This is not a theoretical risk: institutional documents are submitted by external parties, and any party with write access to a watched directory or document intake queue can craft content designed to hijack the model’s behavior. The controls on this page are the non-negotiable baseline for every agent in Harness AI that consumes document content.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/joseluis-dev/harness-ai/llms.txt
Use this file to discover all available pages before exploring further.
Mandatory System Prompt Block
Every agent that reads from the RAG pipeline — or that processes document content in any form — must include the following block verbatim in its system prompt. This text is extracted directly from the canonical SPEC and must not be paraphrased, summarized, or modified in any way.Derived Rules
The mandatory system prompt block is accompanied by a set of operational rules that the retrieval system, the agent runtime, and the audit infrastructure must enforce:Explicit Document Delimiters
Retrieved text must always be wrapped in explicit structural delimiters before being passed to the model. The required format is:This framing makes the boundary between instruction context and document data unambiguous to both the model and any downstream parser. The
id attribute must match the document_id from the document registry for auditability.No Actions Derived from Document Content
The model must not execute any action whose authorization originates from a document. All executable actions — approvals, rejections, queries, notifications, write operations — must pass through the canonical flow:A document may provide evidence that informs a human decision, but it may never be the direct source of an action instruction that bypasses this flow.
Command-Mimicking Pattern Filtering
Before any chunk is delivered to the model, the retrieval system filters its content against a pattern list that identifies text designed to mimic harness commands. Patterns such as
/aprobar, /rechazar, and similar command-syntax strings are flagged. Chunks that match these patterns are either sanitized or excluded from the retrieval result before reaching the model context.Prompt Injection Detection and Audit Logging
Any detected prompt injection attempt — whether caught at the filter layer or identified post-hoc through model behavior analysis — is recorded as a structured audit event:This event is written to the audit log before any further action is taken. The document and chunk identifiers allow the security team to trace the origin of the injection attempt and take action against the source document.
Retrieval System Marks Chunks as Untrusted
The retrieval system attaches
untrusted=true to every chunk it returns, regardless of the document’s provenance or trust level. Agents must treat this flag as immutable: a chunk returned with untrusted=true can be cited as evidence but cannot be used to authorize, trigger, or parameterize any action.Agents Where This Policy Applies
document_rag_agent
The primary document retrieval and analysis agent. This agent is the most direct consumer of RAG chunks and must include the mandatory system prompt block in every invocation.
expediente_review_graph
The LangGraph-based workflow for reviewing administrative expedientes. Document chunks from attached files enter this graph and must be treated as untrusted throughout all graph nodes.
Any Agent Consuming RAG
Any specialized or future agent that calls the retrieval system, embeds document chunks in its context, or processes the output of
mcp-document-registry inherits this policy without exception.