Abstract
This document discloses, and thereby places into the public domain as enabling prior art, a mechanism that contains prompt-injection-to-remote-code-execution in tool-using AI agents that accept untrusted document and image attachments. The core control is turn-granular: any conversational turn that introduces a new untrusted attachment is automatically downgraded to read/vision-only for that turn alone — the mutating tools (writefile, editfile, generatefile, runcommand) are hard-denied regardless of the caller's role, and re-enabled automatically on the next attachment-free turn. Three further specifics harden the loop: (1) the untrusted-content taint envelope is re-applied on every history re-hydration, so a poisoned block can never shed its "data, not instructions" framing through compaction or replay; (2) a pre-flight token estimator rejects an over-budget turn before any provider call, so a rejection is never billed; and (3) attachmentids are persisted on both the message row and each tool-execution row, giving a forensic provenance join from any executed — or denied — side-effect back to the exact file that may have induced it. The disclosure establishes dated public prior art over the mechanism, with an enabling, runnable, dependency-free reference implementation.
Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 License.
Recommended Citation
Assuncao, gustavo matthew, "Taint-Triggered Turn-Scoped Tool Downgrade with Attachment-to-Execution Provenance Audit", Technical Disclosure Commons, (July 13, 2026)
https://www.tdcommons.org/dpubs_series/10875