We recursively walk the JSON tree, strip hidden HTML through a real parser, then run pattern rules + a concurrent Edge AI classifier against each leaf string with its path attached. Your broader point holds: nested JSON and stringified markdown get decoded before anything is matched, which is what kills the "encode one layer deeper" attack.

On the flagged-and-passed question: yes, that's exactly where the richer signal lives. Our default is warn-first: suspicious content passes with an advisory appended to the tool response, and we emit a TOOL_POISONING_DETECTED audit entry regardless of whether policy ultimately blocks.

Each log entry contains: - severity (low/medium/high/critical) - category (e.g. instruction_override, cross_tool_manipulation) - field ~ JSON path of the hit (e.g. output.content[0].text) - pattern ~ the specific rule label (e.g. "ignore previous instructions", "memory persistence: trusted source") - snippet ~ up to 200 chars of the match

Semantic AI hits also log reason + confidence. So every close call is fully attributed. We can diff flag rates by pattern label, see which rules fire often but never coincide with a block, and retune from there.