The Security Budget of Code-LLM Prompt Hardening: Provable Limits Under Pass-Only Acceptance

Abstract

We give a quantitative impossibility result for pass-only prompt hardening of code LLMs. For any deterministic prompt filter h and a registered family of finite executable-equivalence task variables Yexec, the shared filtered-prompt channel (h(p);h( p)) is lower-bounded by a worst-Y Fano floor; on HumanEval and MBPP the universal pass-only floor evaluates to Fop 0.84 and 1.20 nats at η=0.05 task-collapse tolerance, and the identity row realizes Fid 1.67 and 1.80 nats. An estimator-invariance corollary lifts the floor to any deterministic embedding pipeline; a dataset-agnostic corollary states the floor in visible-spec entropy and is empirically witnessed by 164/164 HumanEval+ and 224/224 MBPP+ V(p)-invariance. We operationalize the floor as the Tri-Audit Protocol, a two-axis reporting protocol that separates a prompt-side deductive registry attribute (Shannon nats on the visible-spec representation) from a model-side empirical proxy (KSG-1 primary, MINE secondary, on hidden states). A constrained best-of-family search over deterministic and guarded learned filters on CodeLlama-7B, Qwen2.5-Coder-7B/1.5B and DeepSeek-Coder-6.7B at n=164 yields the Cross-Model Tri-Audit Invariance: of twenty-eight pass-preserving rows, twelve antecedent-preserving deterministic rows fail proxy-axis leakage reduction on every backbone with sign-invariant positive deviations, twelve antecedent-changed-of-record learned-canonicalizer rows fail proxy-axis leakage on every backbone, and four antecedent-violating rows are reported as registered-family collapse; no filter produces a shared Tri-pass on a nine-cell gate-sensitivity sweep. Pass@1 alone cannot certify code-LLM prompt hardening.