A research + models release: the empirical paper, two purpose-trained origin-aware classifiers, and the Proving Ground harness behind them.
📄 Paper
Cross-Platform Transferability of Prompt Injection Attacks: Universal Attack Surfaces and an Origin-Aware Defense — under paper/ (self-contained LaTeX; build with pdflatex/bibtex or tectonic).
- 2,363 adversarial sessions across 16 model/harness combinations on 5 platforms (from a 17,643-attack pool).
- Preregistered & rejected: a permission-gated CLI was more vulnerable than a flat agent harness (40.8% vs 10.2%, +30.65 pp, p < 1e-6) — harness design shapes outcomes but does not dominate model alignment.
- Vulnerability falls with scale but never to zero (4B models 48–95%; frontier 8–10%).
- A leakage-audited, origin-aware DeBERTa-v3-large reaches 9-class macro F1 0.938 at 0.48% FPR; deployed as middleware it drives effective attacks 12.40% → 0.00% (n=10,774).
- A token ablation shows the defense is origin-aware yet robust: the deployed MiniLM scanner uses the origin tag while the large model is content-driven/invariant; neither performs origin routing.
🤖 Models (Hugging Face, MIT)
Carlosian/hermes-katana-17— DeBERTa-v3-large, 9-class origin-aware classifier (macro F1 0.938, 0.48% FPR).Carlosian/hermes-katana-90— distilled MiniLM-L6 CPU scanner (macro F1 0.931, ~90 MB).
Download via the artifact CLI: katana artifacts download v17_large / v17_minilm (commit-pinned, integrity-verified).
🔧 Toolkit
- Package version → 3.1.0.
- Registered the v17 models in the artifact registry; v15 runtime scanners unchanged.
- Proving Ground
.fp.jsonldouble-count fixed; verified compatible with the latest Hermes Agent.
See CHANGELOG.md for the full list.