nullra/blog
Application security analysis
7 posts · 6 categories
The invisible payload in your clipboard
Tooling & Automation

A paragraph copied from a LinkedIn post carried something the eye never sees: a run of Unicode tag characters encoding a prompt-injection instruction. Pasted into a frontier model, it halted the session. The visible text was clean; the clipboard was not. This is a known bug class -- invisible tag-character smuggling into LLM context -- and what follows is a clean field observation of it on a major platform, the byte-level proof, and the mitigation. The part the bytes can't prove is marked as such and left open.

Before you write a rule, read the code
Tooling & Automation

Most SAST implementations fail not because the tool is wrong, but because the rules weren't written for the codebase they're running against. Generic rulesets generate noise. Noise gets ignored. Ignored findings don't get fixed. Here's how to build rules that match how your organization actually writes code.