Valid JSON is only the first gate. A model can return syntactically correct fields with unknown source IDs, impossible probabilities, contradictory statuses, or injected instructions copied from a document. Treat the response as hostile input and validate syntax, schema, semantics, and authorization separately.
First cap response bytes and parsing time. Parse exactly one JSON value; do not extract a tempting object from surrounding prose. Validate against a versioned JSON Schema with additionalProperties: false, string length limits, array limits, enums, and required fields. Keep raw response bytes and validation errors under a retention policy, redacting provider secrets.
Then apply semantic rules. All source IDs must belong to the packet. Supporting and contradicting sets cannot contain the same ID without an explicit explanation. READY_FOR_HUMAN_REVIEW requires at least one support ID and completed missing-information field. Confidence categories must be from the allowed enum. Text copied from evidence is data, never an instruction.
Finally apply authorization: validated research JSON can create a review record, not a paper fill. Only a separate human-approved case can reach paper strategy evaluation. This protects the system even when model validation passes perfectly.
Build a quarantine path for failures. Store case ID, hashes, error codes, and sanitized diagnostic excerpts. Do not “repair” malformed output with regex or silently add missing fields. A controlled retry may restate validation errors once, but both attempts remain recorded and the case abstains if validation still fails.
Fuzz the parser with nested arrays, duplicate JSON keys, Unicode controls, very large integers, NaN-like strings, nulls, and deeply nested objects. Configure the loader to reject duplicate keys when possible and apply depth/count bounds before semantic work. Log error codes rather than the entire hostile payload. The same malicious fixture must produce the same safe failure during replay.
🇵🇰 Pakistan Angle
Multilingual text must remain valid UTF-8 and length-limited by characters and bytes. Preserve Urdu correctly and test right-to-left text in reports. Do not loosen schemas because Roman Urdu spelling varies; place free text in a bounded note while keeping decisions as fixed enums.
Hands-On Exercise
Create eight adversarial outputs: prose-wrapped JSON, extra key, unknown source ID, huge string, duplicate IDs, conflicting status, prompt injection inside evidence, and valid abstention. Run them through four gates and produce an error-code matrix. Only the final valid case may create a review request.
Completion Rubric
- Size, syntax, schema, semantic, and authorization gates are distinct.
- Extra fields and unknown IDs fail closed.
- Evidence text cannot change system instructions.
- Failed output is quarantined, never silently repaired.
- Valid JSON still cannot initiate any fill.
Sources
- JSON Schema validation specification
- OWASP prompt injection prevention
- Python JSON decoder documentation
Key takeaway: Structure is necessary but insufficient; trusted behavior requires semantic checks and a separate authorization boundary.