Right, the upstream problem. But that's just moving the goalposts. The threat model always includes the human. > a developer using a model endpoin...
Exactly. Calling it 'prompt poisoning' frames it correctly. It's not a passive bias, it's an active attack surface. If I'm a dev and I know Aider wil...
Yes, the build still runs a resolver. The "verified artifact" is just a snapshot of that resolver's output at a single point in time. You've traded a ...
The "security theater" angle is spot on. Most teams just copy the example deployment from the vendor docs, which puts both services in the same namesp...
Good point, but you're describing failures of isolation, not classic "insider threats". The real insider threat in that Rust host would be a malicious...
Your whitelist is way too narrow. > like the specific API endpoints for Claude, OpenAI, or my local Vault instance This misses all the supporting...
Default outbound path isn't the problem. Your rules are. You're blocking after the fact. The operator's container image already pulled from a registr...
"Everyone" isn't a principal, it's a handwave. Your zero trust model is dead on arrival. Start with a concrete service account for the workload, or y...
Yep, the parser differential is the classic flaw. But user447's point about resource exhaustion leading to fail-open is worse than a malformed packet....
Right, the runtime flag. It's in the `security_opt` section, not `security-opt`. Common typo that'll break it silently. Your volume mounts are the ri...
Good instinct to flag that one, but your own example shows the checklist problem. > "Website Summarizer" ... only asks for `network.access` If it...