Prompt engineering, system prompts, document-skills, and SCIENTIA
This page records research findings on prompt engineering and system-prompt design, and maps them onto Vox systems: continuation prompts, ARS skills, documentation extraction, and SCIENTIA publication flows.
It is research guidance, not a shipped contract. Contract and policy surfaces remain in contracts/, CI gates, and crate-level SSOT documentation.
Executive summary
- Prompt quality depends more on layered instruction architecture than on one large prompt.
- Skills-as-documents is now an industry-standard pattern; Vox can reuse this pattern with existing ARS trust and sandbox controls.
- Document ingestion and retrieval increase indirect prompt-injection risk and require explicit trust boundaries.
- SCIENTIA automation must preserve human accountability for claims, ethics, and venue disclosures.
- Legacy submission ecosystems (journal portals, arXiv workflows, DOI metadata channels) require explicit AI-use disclosure and citation integrity checks.
What external guidance converges on
Layered instruction design
- OpenAI recommends clear role separation and explicit instructions, with strong emphasis on structured prompting and eval-driven iteration (OpenAI prompt engineering, OpenAI reasoning best practices).
- Anthropic recommends strict structure, tagged sections, and context management as a first-class engineering concern (Anthropic system prompts, Claude prompt best practices, effective context engineering).
- Google guidance similarly treats system instructions as durable policy context and emphasizes instruction ordering and explicit constraints (Vertex system instructions, Gemini prompting strategies).
Long-context behavior and recency
Long-context studies and vendor practice show strong positional bias in model attention: content at the beginning and end of the context window is attended to more reliably than content in the middle. In practical terms, this supports keeping durable policy short and placing session-critical behavioral reinforcement near the active context edge (for example, continuation prompts and machine-verifiable gates).
References: Lost-in-the-middle summary, Found in the Middle paper index, arXiv:2406.02536.
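As a sketch of how that ordering could be applied (names here are illustrative, not a Vox API): durable policy is kept short near the top of the assembled context, retrieved material sits in the middle, and the session-critical reinforcement layer is always emitted last, closest to the active context edge.

```rust
/// Illustrative context layer: a labeled block of prompt text.
struct ContextLayer {
    label: &'static str,
    body: String,
}

/// Assemble layers with positional bias in mind: durable policy is
/// truncated to a budget so it stays short and sits first; the
/// reinforcement layer is appended last, nearest the recency window.
fn assemble_context(
    policy: &str,
    retrieved: &[String],
    reinforcement: &str,
    policy_budget: usize,
) -> String {
    let mut layers = Vec::new();
    let trimmed: String = policy.chars().take(policy_budget).collect();
    layers.push(ContextLayer { label: "policy", body: trimmed });
    for doc in retrieved {
        layers.push(ContextLayer { label: "document", body: doc.clone() });
    }
    layers.push(ContextLayer {
        label: "reinforcement",
        body: reinforcement.to_string(),
    });
    layers
        .iter()
        .map(|l| format!("<{0}>\n{1}\n</{0}>", l.label, l.body))
        .collect::<Vec<_>>()
        .join("\n")
}
```

The ordering, not the tag names, is the point: whatever the serialization, the behavioral reinforcement should land at the context edge.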
Skills-as-documents and progressive disclosure
External ecosystems now package reusable agent capabilities as markdown plus front matter:
- Cursor Skills use `SKILL.md` with metadata and project/user discovery paths (Cursor skills docs).
- Anthropic Agent Skills use metadata + markdown body + optional progressive resource loading (Agent skills overview, skill best practices).
This aligns with Vox SKILL.md concepts documented in Vox Skill Marketplace. It also aligns with ARS support for SkillKind::Document and trust-aware runtime policies in vox-skills.
This aligns with Vox SKILL.md concepts documented in Vox Skill Marketplace. It also aligns with ARS support for SkillKind::Document and trust-aware runtime policies in vox-skills.
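As a sketch of the metadata-plus-body pattern (simplified, not the actual vox-skills parser, which would use a YAML library and validate required keys), a SKILL.md document splits into a front matter block and a markdown body:

```rust
/// Split a SKILL.md-style document into (front matter key/value pairs,
/// markdown body). Simplified sketch: real parsers use a YAML library
/// and validate required metadata keys before trusting the skill.
fn split_front_matter(doc: &str) -> Option<(Vec<(String, String)>, String)> {
    let rest = doc.strip_prefix("---\n")?;
    let end = rest.find("\n---\n")?;
    let (meta_block, body) = (&rest[..end], &rest[end + 5..]);
    let meta = meta_block
        .lines()
        .filter_map(|line| {
            let (k, v) = line.split_once(':')?;
            Some((k.trim().to_string(), v.trim().to_string()))
        })
        .collect();
    Some((meta, body.to_string()))
}
```

Progressive disclosure then follows naturally: only the metadata is loaded at discovery time, and the body (plus any linked resources) is pulled in when the skill is actually invoked.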
Prompt security and untrusted document flows
Threat model
- OWASP ranks prompt injection as a top LLM risk family, including direct and indirect attacks (OWASP LLM01:2025).
- Indirect prompt injection in retrieval-heavy systems means untrusted document text can alter behavior if treated as instruction rather than data (Rag 'n Roll, MSRC indirect prompt injection defenses).
Implication for Vox document workflows
When skills, docs, or publication metadata are used as context, the default posture should be:
- trusted instructions are explicit, versioned, and bounded,
- retrieved documents are treated as untrusted data until validated,
- policy and quality gates remain outside model free-form output.
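One minimal way to enforce the second point (a sketch; the delimiter scheme and function names are hypothetical, not a Vox API) is to wrap retrieved text in explicit data delimiters and neutralize delimiter look-alikes inside it, so document content can never close the data block and masquerade as an instruction:

```rust
/// Wrap retrieved document text as untrusted data. Any sequence that
/// resembles the data delimiter is escaped first, so the document
/// cannot terminate the data block and inject instructions.
fn wrap_untrusted(doc_id: &str, text: &str) -> String {
    // Neutralize delimiter look-alikes inside the untrusted payload.
    let safe = text
        .replace("<untrusted", "&lt;untrusted")
        .replace("</untrusted", "&lt;/untrusted");
    format!("<untrusted-data id=\"{}\">\n{}\n</untrusted-data>", doc_id, safe)
}
```

Delimiting alone is not a complete defense against indirect injection; it only guarantees the model can distinguish data from trusted instruction layers, which the policy and quality gates outside the model then rely on.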
SCIENTIA and legacy publication implications
SCIENTIA publication automation already encodes hard boundaries against fabricated or undisclosed AI use in the SCIENTIA publication automation SSOT and companion publication readiness docs.
External publication policy direction is consistent:
| Policy source | Practical implication for Vox SCIENTIA |
|---|---|
| COPE AI tools position | AI cannot be an author; humans remain accountable. |
| ICMJE AI use by authors | Disclosure in submission workflow and manuscript body is expected. |
| WAME revised recommendations | Tool/version/method disclosure and author responsibility. |
| Nature AI policy | Disclosure requirements and stricter controls on generated media. |
| Elsevier journal AI policy | Mandatory disclosure and human verification of references/claims. |
| arXiv AI tool policy | Significant AI use disclosure; authors own all content quality. |
| IEEE AI text guidance | Disclosure in article sections and strict accountability. |
| BMJ AI use policy | Natural-person authorship and explicit usage disclosure. |
| JAMA reporting guidance | Structured reporting of tool details and usage surface. |
| Crossref metadata requirements | Metadata completeness and provenance remain mandatory. |
| Zenodo software metadata guidance | Deposit metadata integrity (CITATION.cff, .zenodo.json) is operationally important. |
Legacy systems
"Legacy systems" in this context means journal web portals, email-driven editorial pipelines, and manually mediated archive submissions. These systems still require human attestation, policy-aware disclosures, and rigorous citation checks. Prompt libraries and document-skills can accelerate preparation, but they cannot replace accountable authorship workflows.
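The policies in the table converge on a small set of disclosure fields: tool identity and version, what the tool was used for, and an accountable human author. A sketch of such a record (field names are illustrative, not the SCIENTIA schema):

```rust
/// Illustrative AI-use disclosure record, covering the fields the
/// policies above converge on. AI cannot be an author; a natural
/// person remains accountable for all claims and references.
struct AiUseDisclosure {
    tool_name: String,
    tool_version: String,
    usage_surface: String,      // e.g. "language editing", "figure drafting"
    accountable_author: String, // the human who signs off
}

impl AiUseDisclosure {
    /// A disclosure is only complete when every field is non-empty.
    fn is_complete(&self) -> bool {
        ![
            &self.tool_name,
            &self.tool_version,
            &self.usage_surface,
            &self.accountable_author,
        ]
        .iter()
        .any(|f| f.is_empty())
    }
}
```

A completeness predicate like this is deliberately deterministic, so it can sit in preflight checks rather than in model output.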
Integration guidance for Vox
```mermaid
flowchart TB
    subgraph instructionLayers [InstructionLayers]
        agentsRules[AGENTS_md_And_Overlays]
        continuationPrompt[ContinuationPrompt]
        arsSkills[ARSSkills_DocumentKind]
        docsCorpus[DocsFrontmatter_And_Body]
    end
    subgraph enforcementLayers [EnforcementLayers]
        ciGates[CIAndTOESTUB]
        socrates[SocratesEvidenceAndRisk]
        preflight[PublicationPreflightAndWorthiness]
    end
    instructionLayers --> modelOutput[ModelOutput]
    modelOutput --> enforcementLayers
    docsCorpus --> mensPairs[MensDocsPairs]
```
Near-term, low-risk moves
- Publish venue-specific document-skills (for disclosure templates, checklist transforms, and metadata hygiene) using existing ARS trust boundaries.
- Keep policy gates deterministic and machine-checkable (`publication_preflight`, Socrates evidence checks, CI contracts).
- Add explicit disclosure fields in publication metadata pathways where needed, while preserving current SSOT ownership.
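"Deterministic and machine-checkable" means a gate reduces to a pure predicate over structured inputs: the same facts always yield the same findings, with no model judgment in the loop. A hedged sketch (the finding names and signature are hypothetical, not the publication_preflight API):

```rust
/// A deterministic preflight finding: same inputs always produce the
/// same verdict, independent of any model output.
#[derive(Debug, PartialEq)]
enum Finding {
    Pass,
    MissingDisclosure,
    UnverifiedReference(String),
}

/// Pure gate over structured submission facts. No free-form text is
/// interpreted, so the check is repeatable and CI-enforceable.
fn preflight(has_disclosure: bool, references: &[(&str, bool)]) -> Vec<Finding> {
    let mut findings = Vec::new();
    if !has_disclosure {
        findings.push(Finding::MissingDisclosure);
    }
    for &(doi, verified) in references {
        if !verified {
            findings.push(Finding::UnverifiedReference(doi.to_string()));
        }
    }
    if findings.is_empty() {
        findings.push(Finding::Pass);
    }
    findings
}
```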
Research-to-implementation boundaries
- Do not treat citation or readership projections as hard publish gates by default.
- Do not allow free-form model outputs to bypass digest-bound approvals or preflight findings.
- Do not mark policy claims as shipped until linked code paths and contracts exist.
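The second boundary can be enforced by binding each approval to a content digest: the approval is valid only for the exact bytes it was issued against, so later free-form edits invalidate it. A minimal sketch using a stdlib checksum as a stand-in (a real implementation would use a cryptographic hash such as SHA-256; the names here are illustrative):

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

/// Stand-in digest for illustration; a real system would use a
/// cryptographic hash such as SHA-256.
fn digest(content: &str) -> u64 {
    let mut h = DefaultHasher::new();
    content.hash(&mut h);
    h.finish()
}

/// An approval is bound to the digest of the content it approved.
struct Approval {
    approved_digest: u64,
}

/// Model output cannot bypass the approval: if the content changed
/// after approval was granted, the digests no longer match.
fn is_approved(approval: &Approval, content: &str) -> bool {
    approval.approved_digest == digest(content)
}
```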
Related Vox sources
- Continuation Prompt Engineering
- Documentation governance
- ADR 002 — Diataxis documentation architecture
- SCIENTIA publication automation SSOT
- SCIENTIA publication readiness audit
- Vox Skill Marketplace
Bibliography (external)
- https://developers.openai.com/api/docs/guides/prompt-engineering/
- https://developers.openai.com/api/docs/guides/reasoning-best-practices
- https://docs.anthropic.com/en/docs/system-prompts
- https://www.claude.com/blog/best-practices-for-prompt-engineering
- https://www.anthropic.com/engineering/effective-context-engineering-for-ai-agents
- https://docs.cloud.google.com/vertex-ai/generative-ai/docs/learn/prompts/system-instructions
- https://ai.google.dev/gemini-api/docs/prompting-strategies
- https://genai.owasp.org/llmrisk/llm01-prompt-injection/
- https://arxiv.org/html/2408.05025v1
- https://msrc.microsoft.com/blog/2025/07/how-microsoft-defends-against-indirect-prompt-injection-attacks
- https://publicationethics.org/guidance/cope-position/authorship-and-ai-tools
- https://www.icmje.org/recommendations/browse/artificial-intelligence/ai-use-by-authors.html
- https://www.wame.org/news-details.php?nid=40
- http://www.npg.nature.com/nature-portfolio/editorial-policies/ai
- https://www.elsevier.com/en-gb/about/policies-and-standards/generative-ai-policies-for-journals
- https://blog.arxiv.org/2023/01/31/arxiv-announces-new-policy-on-chatgpt-and-similar-tools/
- https://open.ieee.org/author-guidelines-for-artificial-intelligence-ai-generated-text
- https://authors.bmj.com/policies/ai-use/
- https://jamanetwork.com/journals/jama/fullarticle/2816213
- https://www.crossref.org/documentation/schema-library/required-recommended-elements/
- https://help.zenodo.org/docs/github/describe-software/