{"bundle_type":"pith_open_graph_bundle","bundle_version":"1.0","pith_number":"pith:2026:VD5RVSSKERXVY4OVRFAEQUCRGW","short_pith_number":"pith:VD5RVSSK","canonical_record":{"source":{"id":"2604.08304","kind":"arxiv","version":2},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2026-04-09T14:38:18Z","cross_cats_sorted":["cs.AI"],"title_canon_sha256":"463da7c2692ecfacfb80d86ebacd66d69b2df86fe8c90e5916fdabbe86f17ed7","abstract_canon_sha256":"ca6c56f3d7611d3e55bfcad30e987946749fe8abf6113a18a3ac814469503e1e"},"schema_version":"1.0"},"canonical_sha256":"a8fb1aca4a246f5c71d5894048505135abddc54326082e000d67ce1744eb90a5","source":{"kind":"arxiv","id":"2604.08304","version":2},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2604.08304","created_at":"2026-05-28T02:04:47Z"},{"alias_kind":"arxiv_version","alias_value":"2604.08304v2","created_at":"2026-05-28T02:04:47Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2604.08304","created_at":"2026-05-28T02:04:47Z"},{"alias_kind":"pith_short_12","alias_value":"VD5RVSSKERXV","created_at":"2026-05-28T02:04:47Z"},{"alias_kind":"pith_short_16","alias_value":"VD5RVSSKERXVY4OV","created_at":"2026-05-28T02:04:47Z"},{"alias_kind":"pith_short_8","alias_value":"VD5RVSSK","created_at":"2026-05-28T02:04:47Z"}],"events":[{"event_type":"record_created","subject_pith_number":"pith:2026:VD5RVSSKERXVY4OVRFAEQUCRGW","target":"record","payload":{"canonical_record":{"source":{"id":"2604.08304","kind":"arxiv","version":2},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2026-04-09T14:38:18Z","cross_cats_sorted":["cs.AI"],"title_canon_sha256":"463da7c2692ecfacfb80d86ebacd66d69b2df86fe8c90e5916fdabbe86f17ed7","abstract_canon_sha256":"ca6c56f3d7611d3e55bfcad30e987946749fe8abf6113a18a3ac814469503e1e"},"schema_version":"1.0"},"canonical_sha256":"a8fb1aca4a246f5c71d5894048505135abddc54326082e000d67ce1744eb90a5","receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-28T02:04:47.452109Z","signature_b64":"izHFhR7YDuOeIZiZ1OCF4yAWB23jr0eKGx5eVIQbjXDUyK2QmJ3yBAUDOmhLSX7HD+WsZCDVwlVrzNW+kbyfCA==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"a8fb1aca4a246f5c71d5894048505135abddc54326082e000d67ce1744eb90a5","last_reissued_at":"2026-05-28T02:04:47.451359Z","signature_status":"signed_v1","first_computed_at":"2026-05-28T02:04:47.451359Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"source_kind":"arxiv","source_id":"2604.08304","source_version":2,"attestation_state":"computed"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-28T02:04:47Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"ML9kZO5kmgmU9xoEmtLRSZrpTbAZxNxJm5QR5G7DwuBlAYKlPcVjxzM6RAq7vUFQKts6bhsaIUwuloUuBzndCA==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-05-28T15:49:17.356520Z"},"content_sha256":"7c010f564b93f6e04d9712060bebafc22daf654fad8721d21e54bb7c00f19a79","schema_version":"1.0","event_id":"sha256:7c010f564b93f6e04d9712060bebafc22daf654fad8721d21e54bb7c00f19a79"},{"event_type":"graph_snapshot","subject_pith_number":"pith:2026:VD5RVSSKERXVY4OVRFAEQUCRGW","target":"graph","payload":{"graph_snapshot":{"paper":{"title":"Securing Retrieval-Augmented Generation: A Taxonomy of Attacks, Defenses, and Future Directions","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"Secure RAG is fundamentally about protecting the external knowledge-access pipeline rather than the language model alone.","cross_cats":["cs.AI"],"primary_cat":"cs.CR","authors_text":"Haoyang Li, Jason Chen Zhang, Lei Chen, Mingtao Zhang, Nicole Hu, Qing Li, Yongqi Zhang, Yuming Xu, Zhiyuan Wen, Zhuohan Ge","submitted_at":"2026-04-09T14:38:18Z","abstract_excerpt":"Retrieval-augmented generation (RAG) extends large language models (LLMs) with external knowledge, but this access path also introduces security risks that existing work often conflates with inherent LLM flaws. We frame secure RAG as securing external knowledge access and organize the literature with SLOT, a taxonomy along four axes: the attack Surface (S) where an adversary acts, the defense Layer (L) that controls the same point, the Objective (O) it breaks following the CIA properties, and the Target (T) it pursues, from a single known query (T1) to target-claim manipulation across a query "},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"We propose that secure RAG is fundamentally about the security of the external knowledge-access pipeline. We establish an operational boundary to separate inherent LLM flaws from RAG-introduced or RAG-amplified threats.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"That the proposed abstraction of the RAG workflow into six stages and the organization around three trust boundaries and four security surfaces comprehensively captures all RAG-specific threats without significant overlap or omission from the literature.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"This paper establishes a taxonomy of RAG security organized around six workflow stages, three trust boundaries, and four primary security surfaces, while reviewing attacks, defenses, and gaps in current protections.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"Secure RAG is fundamentally about protecting the external knowledge-access pipeline rather than the language model alone.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"f42e18fd787abb3de1704aa4b03494eb7162d5783971ddcf1f43bed1c1599738"},"source":{"id":"2604.08304","kind":"arxiv","version":2},"verdict":{"id":"4c583b90-442f-447e-b1a2-6db29d47bf40","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-10T17:48:42.890085Z","strongest_claim":"We propose that secure RAG is fundamentally about the security of the external knowledge-access pipeline. We establish an operational boundary to separate inherent LLM flaws from RAG-introduced or RAG-amplified threats.","one_line_summary":"This paper establishes a taxonomy of RAG security organized around six workflow stages, three trust boundaries, and four primary security surfaces, while reviewing attacks, defenses, and gaps in current protections.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"That the proposed abstraction of the RAG workflow into six stages and the organization around three trust boundaries and four security surfaces comprehensively captures all RAG-specific threats without significant overlap or omission from the literature.","pith_extraction_headline":"Secure RAG is fundamentally about protecting the external knowledge-access pipeline rather than the language model alone."},"integrity":{"clean":true,"summary":{"advisory":0,"critical":0,"by_detector":{},"informational":0},"endpoint":"/pith/2604.08304/integrity.json","findings":[],"available":true,"detectors_run":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938"},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"verdict_id":"4c583b90-442f-447e-b1a2-6db29d47bf40"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-28T02:04:47Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"7Gt5DnnvytQPNQH1siuvL7e2Goy9PJN4qheVAEVwa9mW241g6lR9dl9s5WfWHB/vwYcwy3AQ3dWC6cwD0hccAg==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-05-28T15:49:17.357450Z"},"content_sha256":"7197a4ba06ac985c93dfd600cf70a5b7d1794ac461ba494294010c11cc6072af","schema_version":"1.0","event_id":"sha256:7197a4ba06ac985c93dfd600cf70a5b7d1794ac461ba494294010c11cc6072af"}],"timestamp_proofs":[],"mirror_hints":[{"mirror_type":"https","name":"Pith Resolver","base_url":"https://pith.science","bundle_url":"https://pith.science/pith/VD5RVSSKERXVY4OVRFAEQUCRGW/bundle.json","state_url":"https://pith.science/pith/VD5RVSSKERXVY4OVRFAEQUCRGW/state.json","well_known_bundle_url":"https://pith.science/.well-known/pith/VD5RVSSKERXVY4OVRFAEQUCRGW/bundle.json","status":"primary"}],"public_keys":[{"key_id":"pith-v1-2026-05","algorithm":"ed25519","format":"raw","public_key_b64":"stVStoiQhXFxp4s2pdzPNoqVNBMojDU/fJ2db5S3CbM=","public_key_hex":"b2d552b68890857171a78b36a5dccf368a953413288c353f7c9d9d6f94b709b3","fingerprint_sha256_b32_first128bits":"RVFV5Z2OI2J3ZUO7ERDEBCYNKS","fingerprint_sha256_hex":"8d4b5ee74e4693bcd1df2446408b0d54","rotates_at":null,"url":"https://pith.science/pith-signing-key.json","notes":"Pith uses this Ed25519 key to sign canonical record SHA-256 digests. Verify with: ed25519_verify(public_key, message=canonical_sha256_bytes, signature=base64decode(signature_b64))."}],"merge_version":"pith-open-graph-merge-v1","built_at":"2026-05-28T15:49:17Z","links":{"resolver":"https://pith.science/pith/VD5RVSSKERXVY4OVRFAEQUCRGW","bundle":"https://pith.science/pith/VD5RVSSKERXVY4OVRFAEQUCRGW/bundle.json","state":"https://pith.science/pith/VD5RVSSKERXVY4OVRFAEQUCRGW/state.json","well_known_bundle":"https://pith.science/.well-known/pith/VD5RVSSKERXVY4OVRFAEQUCRGW/bundle.json"},"state":{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2026:VD5RVSSKERXVY4OVRFAEQUCRGW","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"ca6c56f3d7611d3e55bfcad30e987946749fe8abf6113a18a3ac814469503e1e","cross_cats_sorted":["cs.AI"],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2026-04-09T14:38:18Z","title_canon_sha256":"463da7c2692ecfacfb80d86ebacd66d69b2df86fe8c90e5916fdabbe86f17ed7"},"schema_version":"1.0","source":{"id":"2604.08304","kind":"arxiv","version":2}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2604.08304","created_at":"2026-05-28T02:04:47Z"},{"alias_kind":"arxiv_version","alias_value":"2604.08304v2","created_at":"2026-05-28T02:04:47Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2604.08304","created_at":"2026-05-28T02:04:47Z"},{"alias_kind":"pith_short_12","alias_value":"VD5RVSSKERXV","created_at":"2026-05-28T02:04:47Z"},{"alias_kind":"pith_short_16","alias_value":"VD5RVSSKERXVY4OV","created_at":"2026-05-28T02:04:47Z"},{"alias_kind":"pith_short_8","alias_value":"VD5RVSSK","created_at":"2026-05-28T02:04:47Z"}],"graph_snapshots":[{"event_id":"sha256:7197a4ba06ac985c93dfd600cf70a5b7d1794ac461ba494294010c11cc6072af","target":"graph","created_at":"2026-05-28T02:04:47Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":4,"items":[{"attestation":"unclaimed","claim_id":"C1","kind":"strongest_claim","source":"verdict.strongest_claim","status":"machine_extracted","text":"We propose that secure RAG is fundamentally about the security of the external knowledge-access pipeline. We establish an operational boundary to separate inherent LLM flaws from RAG-introduced or RAG-amplified threats."},{"attestation":"unclaimed","claim_id":"C2","kind":"weakest_assumption","source":"verdict.weakest_assumption","status":"machine_extracted","text":"That the proposed abstraction of the RAG workflow into six stages and the organization around three trust boundaries and four security surfaces comprehensively captures all RAG-specific threats without significant overlap or omission from the literature."},{"attestation":"unclaimed","claim_id":"C3","kind":"one_line_summary","source":"verdict.one_line_summary","status":"machine_extracted","text":"This paper establishes a taxonomy of RAG security organized around six workflow stages, three trust boundaries, and four primary security surfaces, while reviewing attacks, defenses, and gaps in current protections."},{"attestation":"unclaimed","claim_id":"C4","kind":"headline","source":"verdict.pith_extraction.headline","status":"machine_extracted","text":"Secure RAG is fundamentally about protecting the external knowledge-access pipeline rather than the language model alone."}],"snapshot_sha256":"f42e18fd787abb3de1704aa4b03494eb7162d5783971ddcf1f43bed1c1599738"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"integrity":{"available":true,"clean":true,"detectors_run":[],"endpoint":"/pith/2604.08304/integrity.json","findings":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938","summary":{"advisory":0,"by_detector":{},"critical":0,"informational":0}},"paper":{"abstract_excerpt":"Retrieval-augmented generation (RAG) extends large language models (LLMs) with external knowledge, but this access path also introduces security risks that existing work often conflates with inherent LLM flaws. We frame secure RAG as securing external knowledge access and organize the literature with SLOT, a taxonomy along four axes: the attack Surface (S) where an adversary acts, the defense Layer (L) that controls the same point, the Objective (O) it breaks following the CIA properties, and the Target (T) it pursues, from a single known query (T1) to target-claim manipulation across a query ","authors_text":"Haoyang Li, Jason Chen Zhang, Lei Chen, Mingtao Zhang, Nicole Hu, Qing Li, Yongqi Zhang, Yuming Xu, Zhiyuan Wen, Zhuohan Ge","cross_cats":["cs.AI"],"headline":"Secure RAG is fundamentally about protecting the external knowledge-access pipeline rather than the language model alone.","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2026-04-09T14:38:18Z","title":"Securing Retrieval-Augmented Generation: A Taxonomy of Attacks, Defenses, and Future Directions"},"references":{"count":0,"internal_anchors":0,"resolved_work":0,"sample":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2604.08304","kind":"arxiv","version":2},"verdict":{"created_at":"2026-05-10T17:48:42.890085Z","id":"4c583b90-442f-447e-b1a2-6db29d47bf40","model_set":{"reader":"grok-4.3"},"one_line_summary":"This paper establishes a taxonomy of RAG security organized around six workflow stages, three trust boundaries, and four primary security surfaces, while reviewing attacks, defenses, and gaps in current protections.","pipeline_version":"pith-pipeline@v0.9.0","pith_extraction_headline":"Secure RAG is fundamentally about protecting the external knowledge-access pipeline rather than the language model alone.","strongest_claim":"We propose that secure RAG is fundamentally about the security of the external knowledge-access pipeline. We establish an operational boundary to separate inherent LLM flaws from RAG-introduced or RAG-amplified threats.","weakest_assumption":"That the proposed abstraction of the RAG workflow into six stages and the organization around three trust boundaries and four security surfaces comprehensively captures all RAG-specific threats without significant overlap or omission from the literature."}},"verdict_id":"4c583b90-442f-447e-b1a2-6db29d47bf40"}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:7c010f564b93f6e04d9712060bebafc22daf654fad8721d21e54bb7c00f19a79","target":"record","created_at":"2026-05-28T02:04:47Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"ca6c56f3d7611d3e55bfcad30e987946749fe8abf6113a18a3ac814469503e1e","cross_cats_sorted":["cs.AI"],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2026-04-09T14:38:18Z","title_canon_sha256":"463da7c2692ecfacfb80d86ebacd66d69b2df86fe8c90e5916fdabbe86f17ed7"},"schema_version":"1.0","source":{"id":"2604.08304","kind":"arxiv","version":2}},"canonical_sha256":"a8fb1aca4a246f5c71d5894048505135abddc54326082e000d67ce1744eb90a5","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"a8fb1aca4a246f5c71d5894048505135abddc54326082e000d67ce1744eb90a5","first_computed_at":"2026-05-28T02:04:47.451359Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-05-28T02:04:47.451359Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"izHFhR7YDuOeIZiZ1OCF4yAWB23jr0eKGx5eVIQbjXDUyK2QmJ3yBAUDOmhLSX7HD+WsZCDVwlVrzNW+kbyfCA==","signature_status":"signed_v1","signed_at":"2026-05-28T02:04:47.452109Z","signed_message":"canonical_sha256_bytes"},"source_id":"2604.08304","source_kind":"arxiv","source_version":2}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:7c010f564b93f6e04d9712060bebafc22daf654fad8721d21e54bb7c00f19a79","sha256:7197a4ba06ac985c93dfd600cf70a5b7d1794ac461ba494294010c11cc6072af"],"state_sha256":"08fce1318c07f43c9cbcfa9d73ef4ba1c6388fc7a9745ba255e9009e90443087"},"bundle_signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"dpcvUIPcUzm4rgTtuzZXOVXPi4yMbXK4A02QjkXkCS8UrIsuqJaTRNPPwp0bVgFVuE5263Y2AkvRrwQ1/05CCw==","signed_message":"bundle_sha256_bytes","signed_at":"2026-05-28T15:49:17.361555Z","bundle_sha256":"127a5ffa5cbeda1dd6a1488c6e5fd17be23d47e22a765e201c40a3a3a7efcdbb"}}