Status: shipped — Stage 1 in shadow mode. Floors are computed and enforced on the envelope update path; they will gate enforcement once Stage 1 advances.

Baseline Floors

The behavioral envelope adapts via EWMA — old patterns decay, new patterns become baseline. This is a feature for legitimate behavioral evolution. But it’s also an attack surface: an attacker who slowly shifts an agent’s behavior over weeks can poison the envelope until the dangerous behavior becomes “normal.” Baseline floors are the anti-poisoning layer. They define minimum thresholds that the agent’s own learning can never lower.

How Floors Work

Floors live on Gate 3 (not the fingerprint), so EWMA updates can’t erode them:
Normal envelope evolution:
  Agent starts doing send → EWMA adapts → send becomes baseline → no more signals
  ✓ This is correct behavior

Envelope poisoning attempt:
  Attacker slowly introduces auth→send → EWMA adapts → auth→send in envelope
  BUT: DepthFloor[CapSend] = 2 → send at depth > 2 ALWAYS fires
  ✗ Floor catches what the envelope missed

Three Floor Types

DepthFloor

Per-capability maximum safe nesting depth. Capabilities at deeper levels always fire.
| Default | What It Catches |
| --- | --- |
| CapExecute depth > 3 | Sub-agents 4+ levels deep executing code (prompt injection chains) |
| CapSend depth > 2 | Sub-agents 3+ levels deep making outbound calls (jailbreak exfiltration) |

FlowFloor

Per-transition minimum scrutiny level. If a session has significant flow in a cell AND the agent’s baseline is below the floor, it’s flagged regardless of envelope. Default: all zeros (deferred to BI Service fleet-calibrated tightening).

ResourceCrossingFloor

Per-transition minimum resource boundary crossings that always warrant scrutiny. Default: all zeros (novel crossings already caught by existing flow divergence).

Floor Tightening (Never Relaxing)

When the BI Service or global tier pushes floor updates, the TightenFloors() function ensures floors can only get stricter:
  • DepthFloor: lower non-zero value wins (shallower = stricter)
  • FlowFloor: higher value wins (more scrutiny)
  • ResourceCrossingFloor: lower non-zero value wins (fewer crossings to trigger)
  • Zero is treated as “unset” — never overwrites an existing floor
A compromised BI channel cannot relax floors to disable detection.
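
The tightening rules above, as an added Go example (not the product's own TightenFloors() code). The type layout, the string values behind CapExecute and CapSend, and the lowercase function names are assumptions; the floor update pushed in main is constructed.

```go
package main

import "fmt"

// Hypothetical layout: the page names the floors but not their types.
type Capability string
type Transition struct{ From, To Capability }

const CapExecute, CapSend Capability = "execute", "send"

type Floors struct {
	Depth            map[Capability]int     // max safe nesting depth
	Flow             map[Transition]float64 // min scrutiny level (assumed >= 0)
	ResourceCrossing map[Transition]int     // crossings that warrant scrutiny
}

// lowerNonZero keeps the stricter of two "lower is stricter" floors; 0 = unset.
func lowerNonZero(cur, upd int) int {
	if upd == 0 || (cur != 0 && cur <= upd) {
		return cur
	}
	return upd
}

// tightenFloors merges upd into cur; no field can end up looser than before.
func tightenFloors(cur *Floors, upd Floors) {
	for k, v := range upd.Depth {
		cur.Depth[k] = lowerNonZero(cur.Depth[k], v)
	}
	for k, v := range upd.Flow {
		if v > cur.Flow[k] { // higher scrutiny wins; 0 never overwrites
			cur.Flow[k] = v
		}
	}
	for k, v := range upd.ResourceCrossing {
		cur.ResourceCrossing[k] = lowerNonZero(cur.ResourceCrossing[k], v)
	}
}

// depthViolation reports whether capability c at this depth exceeds its floor.
func depthViolation(f Floors, c Capability, depth int) bool {
	return f.Depth[c] != 0 && depth > f.Depth[c]
}

func main() {
	f := Floors{map[Capability]int{CapExecute: 3, CapSend: 2}, map[Transition]float64{}, map[Transition]int{}}
	// Constructed hostile push: tries to raise CapSend and zero out CapExecute.
	tightenFloors(&f, Floors{Depth: map[Capability]int{CapSend: 99, CapExecute: 0}})
	fmt.Println(f.Depth, depthViolation(f, CapSend, 3))
}
```

After the hostile push the depth floors are unchanged, so a send at depth 3 still produces a violation.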

Integration

Floor violations produce standard signals (floor:depth_violation, floor:resource_crossing_violation) that flow through the same corroboration and enforcement logic as everything else. No special cases in the pipeline.