# AIP007 — missing-input-boundaries
**Category:** security **Severity:** warning
## What
Flags single-brace Python-style interpolations (`{variable}`) in system prompts without XML delimiter wrapping.
## Why it matters
Single braces are ambiguous to models — they might be mistaken for template syntax or misunderstood as part of the instruction context. XML tags provide unambiguous boundaries.
## Example
```
Answer: {query}
```
Without tags, the model may not isolate the interpolated value from instructions.
## Fix
Wrap in `<user_input>…</user_input>`:
```
Answer: <user_input>{query}</user_input>
```
## Autofix
This rule includes a safe autofix that wraps the interpolation in `<user_input>` tags.