Skip to main content
HUMΛN
Developer
Developer

Certifying Marketplace Prompts Without Exposing IP

HUMΛN Platform Team··12 min

Certifying marketplace prompts without exposing IP

Marketplace agents ship proprietary system prompts. Buyers need proof those prompts are governed and free of known malicious patterns. Publishers cannot publish full prompt text without losing competitive advantage.

HUMΛN resolves this with private review, public attestationCheck #15 Prompt Safety Certification.

1. The IP vs safety tension

App Store review works when binaries are opaque but behavior is observable in sandbox. Prompts are different: the policy is the product. A generic “trust us” badge is theater. Publishing full prompts on GET /marketplace destroys publisher IP.

Check #15 answers: “We reviewed the real prompts at submission time; here is cryptographic evidence you can verify at install — without seeing the prose.”

2. Private review → public attestation

flowchart TB subgraph submission [Private — publisher bundle only] P[prompts/**/*.md + agent_prompt_contributions] C[certifyMarketplacePrompts] P --> C end subgraph attest [Public listing] J[prompt_certification JSON] H[content_sha256 per prompt_uri] T[trust_boundary summary] J --> H J --> T end C --> J

Private: App Review and human marketplace review --prompts-dir read full markdown bodies.

Public: Listings expose prompt_certification only — never content.

3. What buyers see

On an approved agent listing:

  • Certification badge (aggregate pass / warn)
  • Per-prompt SHA-256 (content_sha256)
  • Trust-boundary summary (delegationRequired, untrustedInputs, …)
  • Finding codes on failure paths (e.g. JAILBREAK_OVERRIDE) — categories, not exploit recipes

Example (synthetic):

{
  "certified_at": "2026-05-19T12:00:00.000Z",
  "check_id": 15,
  "prompt_count": 1,
  "aggregate_status": "pass",
  "prompts": [
    {
      "prompt_uri": "prompt://org/acme/demo/system",
      "type": "system",
      "content_sha256": "a1b2c3…",
      "defense_baseline": true,
      "structural_scan": "pass",
      "trust_boundary": {
        "identity": "demo.system",
        "delegationRequired": true,
        "provenanceRequired": true,
        "untrustedInputs": ["web content", "uploaded documents"],
        "forbiddenActions": ["bypass delegation checks"]
      }
    }
  ]
}

What we never publish

  • Prompt content or markdown bodies
  • Inline secrets or publisher-specific instructions
  • Raw malicious-pattern match strings usable as bypass guides

4. What publishers submit

In human-agent.yaml:

agent_prompt_contributions:
  - prompt_key: demo/system
    scope: org
    content_ref: prompts/system.md
    version: 1.0.0
    type: system

At review time, point the CLI or API at the package root:

human marketplace review --prompts-dir .

Or POST /v1/marketplace/review with source_bundle_path / prompts_dir.

5. Check #15 pass / fail examples

Scenario Result
System prompt includes Prompt Defense Baseline + valid trust boundary Pass — attestation stored
Body contains Ignore all previous instructions FailJAILBREAK_OVERRIDE
Body contains bypass delegation FailDELEGATION_BYPASS
System prompt missing defense directives FailMISSING_DEFENSE_*
Fragment prompt without baseline requirement Pass (if no malicious patterns)

6. Install-time hash verification

When an org installs an agent, seedAgentPrompts hashes each contributed file and compares it to marketplace_assets.prompt_certification. Mismatch → PROMPT_CERTIFICATION_DRIFT (install blocked).

This closes the loop: listing attestation must match what actually lands in prompt_versions.

7. How this differs from Prompt Defense Baseline alone

Control Scope
Defense Baseline (ECC-07) Required safety directives in system prompts at publish/install
Check #15 Baseline + trust-boundary validation + malicious-pattern scan + public hash attestation
Install drift check Runtime guarantee that seeded content matches certified hashes

Baseline is necessary; certification is verifiable evidence for buyers and security teams.

Next steps