Certifying Marketplace Prompts Without Exposing IP
Certifying marketplace prompts without exposing IP
Marketplace agents ship proprietary system prompts. Buyers need proof those prompts are governed and free of known malicious patterns. Publishers cannot publish full prompt text without losing competitive advantage.
HUMΛN resolves this with private review, public attestation — Check #15 Prompt Safety Certification.
1. The IP vs safety tension
App Store review works when binaries are opaque but behavior is observable in sandbox. Prompts are different: the policy is the product. A generic “trust us” badge is theater. Publishing full prompts on GET /marketplace destroys publisher IP.
Check #15 answers: “We reviewed the real prompts at submission time; here is cryptographic evidence you can verify at install — without seeing the prose.”
2. Private review → public attestation
Private: App Review and human marketplace review --prompts-dir read full markdown bodies.
Public: Listings expose prompt_certification only — never content.
3. What buyers see
On an approved agent listing:
- Certification badge (aggregate
pass/warn) - Per-prompt SHA-256 (
content_sha256) - Trust-boundary summary (
delegationRequired,untrustedInputs, …) - Finding codes on failure paths (e.g.
JAILBREAK_OVERRIDE) — categories, not exploit recipes
Example (synthetic):
{
"certified_at": "2026-05-19T12:00:00.000Z",
"check_id": 15,
"prompt_count": 1,
"aggregate_status": "pass",
"prompts": [
{
"prompt_uri": "prompt://org/acme/demo/system",
"type": "system",
"content_sha256": "a1b2c3…",
"defense_baseline": true,
"structural_scan": "pass",
"trust_boundary": {
"identity": "demo.system",
"delegationRequired": true,
"provenanceRequired": true,
"untrustedInputs": ["web content", "uploaded documents"],
"forbiddenActions": ["bypass delegation checks"]
}
}
]
}
What we never publish
- Prompt
contentor markdown bodies - Inline secrets or publisher-specific instructions
- Raw malicious-pattern match strings usable as bypass guides
4. What publishers submit
In human-agent.yaml:
agent_prompt_contributions:
- prompt_key: demo/system
scope: org
content_ref: prompts/system.md
version: 1.0.0
type: system
At review time, point the CLI or API at the package root:
human marketplace review --prompts-dir .
Or POST /v1/marketplace/review with source_bundle_path / prompts_dir.
5. Check #15 pass / fail examples
| Scenario | Result |
|---|---|
| System prompt includes Prompt Defense Baseline + valid trust boundary | Pass — attestation stored |
Body contains Ignore all previous instructions |
Fail — JAILBREAK_OVERRIDE |
Body contains bypass delegation |
Fail — DELEGATION_BYPASS |
| System prompt missing defense directives | Fail — MISSING_DEFENSE_* |
| Fragment prompt without baseline requirement | Pass (if no malicious patterns) |
6. Install-time hash verification
When an org installs an agent, seedAgentPrompts hashes each contributed file and compares it to marketplace_assets.prompt_certification. Mismatch → PROMPT_CERTIFICATION_DRIFT (install blocked).
This closes the loop: listing attestation must match what actually lands in prompt_versions.
7. How this differs from Prompt Defense Baseline alone
| Control | Scope |
|---|---|
| Defense Baseline (ECC-07) | Required safety directives in system prompts at publish/install |
| Check #15 | Baseline + trust-boundary validation + malicious-pattern scan + public hash attestation |
| Install drift check | Runtime guarantee that seeded content matches certified hashes |
Baseline is necessary; certification is verifiable evidence for buyers and security teams.
Next steps
- Publishers: run
human marketplace review --prompts-dir .before submit - Spec: kb/109 — Marketplace Prompt Certification
- Checklist: kb/135 — row #15
Prompt Management — Part 5 of 5
Code & Docs