Papers
Topics
Authors
Recent
Search
2000 character limit reached

Cross-Phase Context Injection

Updated 4 July 2026
  • Cross-Phase Context Injection is a pattern where context created in one phase is reintroduced in later phases, influencing system behavior and inference.
  • It is employed for performance enhancement in multi-agent designs and long-context LLMs while also presenting risks like context poisoning and adversarial manipulation.
  • Empirical studies report significant tradeoffs and vulnerabilities measured through metrics such as ASR, correlation coefficients, and inference speedups.

Cross-Phase Context Injection denotes a family of mechanisms in which contextual material introduced in one phase of a system is consumed in a later phase and alters downstream behavior. Across recent research, the term is operationalized in substantially different technical settings: multi-agent software design passes artifacts from a seed team to a transfer team; multi-app LLM platforms allow one app to write into a shared session context later consulted by another app; agentic systems persist memories, files, plans, or tool outputs across turns and sessions; vision-language attacks inject target semantics into visual and textual conditioning streams; and architectural systems such as contextual ASR, long-context LLMs, and cross-domain motion models deliberately inject compact or retrieved context into later computation for performance gains (Vigraham, 5 May 2026, Wang et al., 30 May 2026, Xie et al., 3 Jun 2026, Yang et al., 2024, Wu et al., 2024, Han et al., 5 Mar 2026, Liu et al., 14 Aug 2025).

1. Scope and domain-specific meanings

The literature does not use Cross-Phase Context Injection as a single standardized formalism. Instead, it names a recurring pattern: context is created, transformed, or persisted in one phase, then reincorporated in a later phase where it changes search, inference, execution, or interpretation. In multi-agent design exploration, the injected object is a prior team’s transcript, topology, design doc, anti-pattern list, code, or even an unrelated technical document. In LLM security, it is a shared chat message, memory entry, tool description, file-backed instruction, or task plan. In multimodal learning and systems design, it can be a target token, a phrase shortlist, a soft anchor, or compressed key/value states. In parser-centric security, it is tainted input that forces a later parsing phase to reinterpret data as code or as a different language (Vigraham, 5 May 2026, Wang et al., 30 May 2026, Weng et al., 5 May 2026, Xie et al., 3 Jun 2026, Yang et al., 2024, Wu et al., 2024, Liu et al., 14 Aug 2025, Kalantari et al., 2022).

Setting Injected context Later phase affected
Multi-agent design Transcript, topology, design doc, anti-patterns, code, irrelevant document Transfer-team design exploration
Multi-app and agentic LLM systems Shared chat messages, tool returns, memory entries, plans, files, tool metadata Later turns, other apps, future sessions, tool dispatch
Multimodal and architectural systems Visual/textual perturbations, phrase sets, soft anchors, compressed KV states Decoding, recognition, motion prediction, long-context inference
Parser and command interpretation Tainted bytes that trigger context switches HTML, CSS, JavaScript, Shell interpretation

This suggests that Cross-Phase Context Injection is best understood as a relational property of a pipeline rather than as a single algorithm. The central question is whether later computation should trust, fuse, ignore, or explicitly audit context that originated elsewhere.

2. Productive uses in system design and model conditioning

Several works use cross-phase injection as a performance mechanism rather than a threat model. In multi-agent design exploration, a seed team produces artifacts and a transfer team receives one artifact type appended to its prompt. The study covers 10 software design problems, 7 context-injection conditions, and over 2,700 runs using 5 Claude Sonnet 4 agents in SA mode. The result is a crossover effect rather than a monotone benefit: anti-patterns increased rate limiter coverage from 0.033 to 0.700, while transcripts reduced Kubernetes operator coverage from 0.475 to 0.256; the direction of effect is predicted by baseline exploration without context, with r0.82r \approx -0.82 and p<0.001p < 0.001 (Vigraham, 5 May 2026).

In non-streaming ASR, Deferred NAM restructures contextual biasing into lightweight phrase selection/filtering, deferred context encoding, and context application via cross attention. The expensive ContextEncoder is applied only after a global Top-KK selection step, which yields a speedup of up to 16.1 times, enables biasing to scale to 20K phrases with a maximum pre-decoding delay under 33ms, and achieves up to a 37.5% relative WER reduction over the baseline without the losses and lightweight phrase selection pass (Wu et al., 2024).

In long-context LLMs, self-injection is used to bridge a compression phase and a decoding phase. SharedLLM stacks two short-context LLMs derived from the same underlying layers: the lower model compresses long inputs into compact, multi-grained representations, and the upper model consumes them through cross-attention only at the lowest layers. Despite being trained on sequences of only 8K tokens, the model generalizes to inputs exceeding 128K tokens and yields notable inference speedups of 2×2\times over streaming and 3×3\times over encoder-decoder architectures (Han et al., 5 Mar 2026).

In cross-domain 3D human motion modeling, HiC treats context as a hard prompt [Pin,Pgt][P_{in}, P_{gt}], a learned soft anchor $U^\*$, and unified pose/mesh tensors. The same layer-wise injection operator is used at training and inference, and empirical gains over PiC are reported across AMASS and 3DPW, including Pose Estimation MPJPE from 32.65 to 24.96 on AMASS and Pose In-Between from 36.15 to 23.00 on 3DPW (Liu et al., 14 Aug 2025).

A related inference-time use appears in embedding debiasing. Context injection is implemented as short instruction-like templates specifying neutral, debiasing, or affirmative framing, and the resulting embeddings are compared across variants. The retrieval algorithm based on paired affirmative queries and dynamic kk retrieved all 15 relevant chunks while excluding the unrelated ones in the toy RAG-style experiment (Uriot, 2024).

3. Security-centric and adversarial formulations

The most explicit security formulation appears in multi-app LLM platforms. ChatGPT Apps share one conversation and one LLM context, modeled as a persistent, flat, untagged data store of messages and tool inputs/outputs. Cross-app context poisoning exploits first-party write channels into that shared context, especially sendFollowUpMessage; undocumented parameters systemPrompt and isVisible elevate writes to system priority and suppress them from the UI. The paper evaluates six current ChatGPT models and reports that all six models were vulnerable to both conditional and imperative payload styles (Wang et al., 30 May 2026).

In agentic systems, context-aware prompt injection is defined over dynamic carriers such as tool returns, retrieved documents, memory entries, installed skills, and inter-agent messages. AgentLure spans four agentic domains, six attack surfaces, and eight attack vectors over 320 samples. ARGUS responds with provenance-aware decision auditing via an Influence-Provenance Graph, and reduces attack success rate to 3.8% while preserving 87.5% task utility (Weng et al., 5 May 2026).

Cross-session stored prompt injection extends the threat across session boundaries. The formal system model writes adversarial content into persistent context P\mathcal{P}, after which later context construction reincorporates it through working memory, archival memory, tool-visible state, or file-backed context such as MEMORY.md, USER.md, SOUL.md, and AGENTS.md. The paper reports end-to-end SPI success rates of 42.0% for GLM-5.1, 32.1% for GPT-5-mini, and 40.7% for MiniMax-M2.7, with fact manipulation reaching AR=100%AR = 100\% across models once incorporated (Xie et al., 3 Jun 2026).

Autonomous web agents expose a closely related variant through memory corruption and plan injection. For Browser-use and Agent-E, the attacker perturbs p<0.001p < 0.0010 or p<0.001p < 0.0011, so malicious state persists across interpretation, planning, memory updates, and browser action execution. With Sandwich + Secure defenses, prompt injection success drops sharply, but a single plan injection at the initial planning stage still succeeds at 46% for Agent-E and up to 63% for Browser-use; in privacy tasks on Agent-E’s benchmark, context-chained injections reach 53.3% versus 35.6% for task-aligned injections, a 17.7% increase (Patlan et al., 18 Jun 2025).

Older parser-centric work frames the same phenomenon at the level of language interpretation. Context-Auditor treats XSS, scriptless CSS/HTML injection, and command injection as tainted-byte-induced context switches in HTML, CSS, JavaScript, or Shell parsing; in its evaluation it detected 100% of 242 reflected XSS exploits and 100% of 25 Chrome-compatible scriptless exploits from the PortSwigger cheat-sheet. In quantum multi-programming, the injected object is not a message but co-location-dependent crosstalk sustained across trials: Zero Knowledge Tampering Attacks alter victim program outputs in 40% of cases on commercial systems because the attacker remains in a fixed execution context across phases of the victim’s run (Kalantari et al., 2022, Kumar et al., 9 Apr 2025).

4. Mechanisms and formal models

A recurrent mechanism is persistent context accumulation. In ARGUS, the execution context at step p<0.001p < 0.0012 is p<0.001p < 0.0013, and the agent action is p<0.001p < 0.0014. In stored prompt injection, the agent input is formalized as

p<0.001p < 0.0015

In web-agent plan injection, the context state evolves as

p<0.001p < 0.0016

and the planner-specific form is p<0.001p < 0.0017. These formulations share a common implication: once untrusted or prior context enters the state, later actions are conditioned on it unless the architecture supplies provenance or explicit mediation (Weng et al., 5 May 2026, Xie et al., 3 Jun 2026, Patlan et al., 18 Jun 2025).

A second mechanism is regime-dependent anchoring or disruption. In multi-agent design exploration, artifacts can disrupt natural convergence driven by training-data priors, but they do not override induced convergence imposed by explicit instructions. Under prompt-induced constraints, the baseline-direction correlation that held across natural tasks collapses to p<0.001p < 0.0018; this is the basis for the paper’s distinction between natural convergence and induced convergence (Vigraham, 5 May 2026).

A third mechanism is joint representation-space steering. In the Contextual-Injection Attack for VLMs, the attack optimizes both pixel-space and embedding-space perturbations so that the decoder’s next-token distribution favors a target token: p<0.001p < 0.0019 The attack jointly manipulates KK0 and KK1, thereby shifting both visual context and textual context toward the same target semantics across prompts (Yang et al., 2024).

Architectural systems implement analogous but non-adversarial fusion operators. HiC encodes query and prompt branches as

KK2

and injects prompt context at every depth via

KK3

SharedLLM instead transfers compressed lower-model key/value states to an upper model only at the lowest layers, a design the paper terms self-injection (Liu et al., 14 Aug 2025, Han et al., 5 Mar 2026).

Parser-centric security makes the mechanism explicit as a state transition. Context-Auditor models parsing with a two-way pushdown automaton and flags cases where tainted input forces transitions such as HTML KK4 JavaScript, HTML KK5 CSS, JS Quoted Literal KK6 Statement End, or Shell Operand KK7 Operator. This formulation isolates Cross-Phase Context Injection as an unintended change in the active parsing context caused by attacker-controlled bytes (Kalantari et al., 2022).

5. Evaluation paradigms and diagnostic variables

The measurement of cross-phase injection varies sharply by domain. In multi-agent design, the primary metric is tradeoff coverage, computed from evaluator inspection of the full team deliberation and tested with Welch’s KK8-test and Cohen’s KK9. The paper reports 2×2\times0 for the correlation between baseline no-context coverage and best artifact effect, 2×2\times1 for average artifact delta, and 2×2\times2 for transcript-specific correlation (Vigraham, 5 May 2026).

Security papers favor stage-wise attack metrics. ARGUS reports Attack Success Rate, Worst-vector ASR, Utility, Refusal Rate, and Effective Defense Score

2×2\times3

Stored prompt injection decomposes success into write, incorporation, and activation: 2×2\times4 with

2×2\times5

This decomposition is important because write success and later activation are empirically decoupled (Weng et al., 5 May 2026, Xie et al., 3 Jun 2026).

Multimodal and retrieval-oriented work uses task-specific proxies for transfer. CIA evaluates cross-prompt success rate, probability change, and logit margin, and on BLIP2 reports overall success rates of 0.370 for Single-P, 0.471 for Multi-P, 0.675 for CroPA, and 0.835 for CIA. The embedding-debiasing study measures AUC of learned concept directions, correlation with human labels, and WEAT-style binomial statistics; it reports Pearson 2×2\times6 for AUC versus MTEB rank, 2×2\times7 for geometry-based bias correlation versus rank, 2×2\times8 for WEAT/binomial neutral 2×2\times9 versus rank, and 3×3\times0 for agreement between geometry and WEAT signals (Yang et al., 2024, Uriot, 2024).

Systems work often evaluates latency, throughput, or distributional consistency. Deferred NAM reports 8.7 ms total latency at 3K phrases and 32.3 ms at 20K phrases for D3 with 3×3\times1. QONTEXTS compares per-context output distributions using Hellinger distance, with empirical thresholds of 3×3\times2 for similar and 3×3\times3 for dissimilar, and under default parameters 3×3\times4, 3×3\times5, 3×3\times6, 3×3\times7 gives 3×3\times8 and 3×3\times9 (Wu et al., 2024, Kumar et al., 9 Apr 2025).

6. Mitigation strategies, design principles, and limitations

A consistent lesson is that cross-phase context injection should be conditional rather than universal. In multi-agent design exploration, one no-context trial is proposed as a cheap diagnostic. The operational policy is explicit: if [Pin,Pgt][P_{in}, P_{gt}]0, prioritize anti-patterns and consider transcripts or irrelevant context; if [Pin,Pgt][P_{in}, P_{gt}]1, consider topology or anti-patterns; if [Pin,Pgt][P_{in}, P_{gt}]2, do not inject relevant artifacts; and if prompts are prescriptive, reduce prompt pressure rather than expecting artifacts to restore exploration (Vigraham, 5 May 2026).

In shared-context LLM platforms, the recommended remedy is architectural isolation rather than incremental patching. Proposed changes include per-app context isolation, message provenance or origin labels, capability boundaries with user-consented cross-app permissions, visibility guarantees for app-originated follow-ups, and removal of undocumented amplifiers such as systemPrompt and isVisible. The paper’s central claim is that the shared context that enables cross-app composition is the same flat namespace that enables cross-app poisoning (Wang et al., 30 May 2026).

For agentic systems, provenance and memory hygiene are the dominant defensive themes. ARGUS enforces provenance-aware decision auditing with span-level segmentation, argument grounding, invariant checking, and entailment verification. Stored prompt injection work recommends sanitization and validation at write time, retrieval-time filtering, provenance tracking, signed instruction files, state isolation, and load-time policy enforcement in the context construction function [Pin,Pgt][P_{in}, P_{gt}]3. Web-agent plan-injection results further motivate hardened server-side memory and plan stores, strict ACLs, tamper-evident logs, and explicit user authorization for plan steps that request sensitive data or send data to external domains (Weng et al., 5 May 2026, Xie et al., 3 Jun 2026, Patlan et al., 18 Jun 2025).

Other domains expose domain-specific mitigations. QONTEXTS counters fixed-context crosstalk by Multi-Programming with Frequent Context Switching and Hold-Out detection, improving resilience by three orders of magnitude and fidelity by [Pin,Pgt][P_{in}, P_{gt}]4 on average while preserving [Pin,Pgt][P_{in}, P_{gt}]5 throughput. Context-Auditor adopts a conservative policy that tainted bytes should not trigger context switches in the parser, and blocks responses or shell commands when such transitions occur. In embedding retrieval, the dynamic [Pin,Pgt][P_{in}, P_{gt}]6 algorithm based on paired affirmative queries is proposed because debiasing context often fails to reach neutrality: the study states that no model achieved [Pin,Pgt][P_{in}, P_{gt}]7 under debiasing (Kumar et al., 9 Apr 2025, Kalantari et al., 2022, Uriot, 2024).

Several misconceptions are directly challenged by this body of work. “More context is better” is contradicted by the crossover effect in multi-agent design. “Prompt defenses are sufficient” is contradicted by plan injection, stored prompt injection, and shared-context poisoning. “Low measured bias implies fairness” is rejected by the embedding study, which cautions that low AUC in LLM encoders likely reflects failure to capture subtle relational structure rather than genuinely unbiased embeddings. At the same time, the surveyed results are scoped: the conditional injection policy in design exploration is specific to divergent design phases rather than convergent coding phases, stored prompt injection results depend on current agentic persistence mechanisms, and many security defenses still rely on probabilistic LLM judgments or incomplete provenance (Vigraham, 5 May 2026, Uriot, 2024, Xie et al., 3 Jun 2026).

Taken together, the literature presents Cross-Phase Context Injection as a unifying systems pattern with two opposed faces. In constructive settings it reallocates computation, improves retrieval or transfer, and conditions later inference on compressed, selected, or retrieved context. In adversarial settings it exploits persistence, flat namespaces, parser transitions, or memory corruption to make later phases act on earlier contamination. The central technical problem is therefore not merely how to inject context, but how to govern when context should cross phase boundaries, in what representation, under what provenance guarantees, and with what diagnostic or auditing controls.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Cross-Phase Context Injection.