From eabf13b9b05c85131a05dc3b2eebf12bf1ac0e6b Mon Sep 17 00:00:00 2001 From: Christian Nennemann Date: Sat, 4 Apr 2026 09:28:53 +0200 Subject: [PATCH] feat: add context isolation protocol to attention-filters and all agents --- agents/creator.md | 1 + agents/explorer.md | 1 + agents/guardian.md | 1 + agents/maker.md | 1 + agents/sage.md | 1 + agents/skeptic.md | 1 + agents/trickster.md | 1 + skills/attention-filters/SKILL.md | 12 ++++++++++++ 8 files changed, 19 insertions(+) diff --git a/agents/creator.md b/agents/creator.md index fc04e05..210a244 100644 --- a/agents/creator.md +++ b/agents/creator.md @@ -67,6 +67,7 @@ For the full output format (including Mini-Reflect, Alternatives Considered, and ``` ## Rules +- **Context isolation:** You receive only what the orchestrator provides. Do not assume knowledge from prior phases, other agents, or session history. If information is missing, use `STATUS: NEEDS_CONTEXT` rather than guessing. - Be decisive. One proposal, not three alternatives (but list alternatives you rejected). - Name every file. The Maker needs exact paths. - Scope ruthlessly. Adjacent problems go under "Not Doing." diff --git a/agents/explorer.md b/agents/explorer.md index 50d5781..7a0620c 100644 --- a/agents/explorer.md +++ b/agents/explorer.md @@ -45,6 +45,7 @@ You see the landscape before anyone acts. You map dependencies, spot existing pa ``` ## Rules +- **Context isolation:** You receive only what the orchestrator provides. Do not assume knowledge from prior phases, other agents, or session history. If information is missing, use `STATUS: NEEDS_CONTEXT` rather than guessing. - Synthesize, don't dump. Raw file lists are useless. - Stay focused on the task. Interesting tangents go in a "See Also" footnote, not the main report. - Cap your research at 15 files. If you need more, the task is too broad. diff --git a/agents/guardian.md b/agents/guardian.md index a60ca8b..e8ce54e 100644 --- a/agents/guardian.md +++ b/agents/guardian.md 
@@ -36,6 +36,7 @@ You see attack surfaces others walk past. You calibrate your response to actual - **INFO** — Minor hardening opportunity. ## Rules +- **Context isolation:** You receive only what the orchestrator provides. Do not assume knowledge from prior phases, other agents, or session history. If information is missing, use `STATUS: NEEDS_CONTEXT` rather than guessing. - APPROVED = zero CRITICAL findings - Every finding needs a suggested fix, not just a complaint - Be rigorous but practical — flag real risks, not science fiction diff --git a/agents/maker.md b/agents/maker.md index c61ab14..998cdd5 100644 --- a/agents/maker.md +++ b/agents/maker.md @@ -45,6 +45,7 @@ You turn plans into working, tested, committed code. Small steps, steady progres ``` ## Rules +- **Context isolation:** You receive only what the orchestrator provides. Do not assume knowledge from prior phases, other agents, or session history. If information is missing, use `STATUS: NEEDS_CONTEXT` rather than guessing. - **Isolation:** Always spawn with `isolation: "worktree"` to work in a dedicated git worktree. - Follow the proposal. Don't redesign. - Tests before implementation. Always. diff --git a/agents/sage.md b/agents/sage.md index 52747b6..4b8fd59 100644 --- a/agents/sage.md +++ b/agents/sage.md @@ -46,6 +46,7 @@ You see the forest, not just the trees. "Will a new team member understand this - Are existing docs/comments still accurate after the change? ## Rules +- **Context isolation:** You receive only what the orchestrator provides. Do not assume knowledge from prior phases, other agents, or session history. If information is missing, use `STATUS: NEEDS_CONTEXT` rather than guessing. - APPROVED = code is readable, tested, consistent, and complete - REJECTED = significant quality issues that affect maintainability - Focus on the next 6 months. Not the next 6 years. diff --git a/agents/skeptic.md b/agents/skeptic.md index 44304a6..2566456 100644 --- a/agents/skeptic.md 
+++ b/agents/skeptic.md @@ -33,6 +33,7 @@ You make the implicit explicit. "The plan assumes X — but does X actually hold ``` ## Rules +- **Context isolation:** You receive only what the orchestrator provides. Do not assume knowledge from prior phases, other agents, or session history. If information is missing, use `STATUS: NEEDS_CONTEXT` rather than guessing. - Every challenge MUST include an alternative. "This might not work" alone is not helpful. - Limit to 3-5 challenges. More than 7 is shadow behavior. - Stay in scope. Challenge the task's assumptions, not the universe's. diff --git a/agents/trickster.md b/agents/trickster.md index 7db74f3..4f82536 100644 --- a/agents/trickster.md +++ b/agents/trickster.md @@ -39,6 +39,7 @@ You think like an attacker, a clumsy user, a failing network. You find the edges ``` ## Rules +- **Context isolation:** You receive only what the orchestrator provides. Do not assume knowledge from prior phases, other agents, or session history. If information is missing, use `STATUS: NEEDS_CONTEXT` rather than guessing. - Test ONLY the changed code, not the entire system - Every finding needs exact reproduction steps - If you can't break it after 5 serious attempts — APPROVED. The code is resilient. diff --git a/skills/attention-filters/SKILL.md b/skills/attention-filters/SKILL.md index d2fff67..08e8f7e 100644 --- a/skills/attention-filters/SKILL.md +++ b/skills/attention-filters/SKILL.md 
@@ -107,3 +107,15 @@ Before spawning each agent, verify: - [ ] Token count is within 20% of the target for the current workflow tier - [ ] Prior-cycle feedback (if any) is summarized, not raw - [ ] Excluded artifacts are genuinely absent (search for keywords like file paths from excluded sources) + +## Context Isolation + +Attention filters control *what* each agent receives. Context isolation controls *how* that context is constructed — ensuring agents operate on provided facts, not ambient knowledge. + +### Rules + +1. **No session bleed.** Agents receive fresh context only — constructed from task description, artifact files, or extracted sections. They must not inherit session state, chat history, or prior agent prompts. +2. **No cross-agent contamination.** An agent receives another agent's output only if the attention filter table above explicitly allows it. Guardian does not see Skeptic's output. Skeptic does not see the Maker's diff. Violations produce unreliable reviews. +3. **Controller-constructed only.** All agent context is assembled by the orchestrator from: (a) the task description, (b) artifact files on disk, or (c) extracted sections of those artifacts. Agents never pull their own context. +4. **No ambient knowledge.** Agents cannot "remember" findings from prior phases or cycles unless that information is explicitly injected via the cycle-back filtering protocol above. An agent that references information not in its prompt is hallucinating. +5. **Verification.** Before spawning each agent, confirm the constructed prompt has zero references to other agents' raw outputs that are not in the "Receives" column. Search for file paths, archetype names, and finding descriptions from excluded sources.
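Review bot: In the agents/creator.md hunk (and the six agent hunks that follow it) the same "Context isolation" bullet is pasted verbatim seven times, and `STATUS: NEEDS_CONTEXT` is introduced without any hunk in this patch defining it in the agents' output format or telling the orchestrator what to do when it comes back. Consider keeping the rule text in one place (the new "Context Isolation" section in skills/attention-filters/SKILL.md) and having each agent bullet point at it, and add a line there describing how the orchestrator handles NEEDS_CONTEXT (re-spawn with the missing artifact, whether it counts as a cycle) so the seven copies cannot drift apart.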
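Review bot: The agents/explorer.md hunk adds "You receive only what the orchestrator provides" directly above "Cap your research at 15 files", and the new SKILL.md rule 3 says "Agents never pull their own context"; as written the two contradict each other for the Explorer, whose job is reading repository files. Suggest qualifying the bullet for this agent, e.g. "Reading repository files for the task is expected; what you must not assume is prior-phase output, other agents' findings, or session history", so the isolation rule is understood to cover orchestration context rather than the codebase itself.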
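Review bot: In the agents/maker.md hunk the new "**Context isolation:**" bullet now sits directly above the existing "**Isolation:** Always spawn with `isolation: \"worktree\"`" bullet, so the Rules list has two differently scoped rules with near-identical labels. Rename the existing one to "**Worktree isolation:**" (or "**Filesystem isolation:**") so a reader skimming the list does not conflate prompt-context isolation with the git worktree requirement.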
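Review bot: In the skills/attention-filters/SKILL.md hunk, rule 4 states "An agent that references information not in its prompt is hallucinating", but the more important case for this protocol is the opposite one: the agent is accurately repeating something that leaked in through session state or a prior prompt, which is exactly the failure rules 1 to 3 exist to prevent. Suggest wording it as "is either hallucinating or has received leaked context; treat both as a protocol violation and check the constructed prompt before trusting the output", since the two causes call for different fixes. Separately, rule 5 restates the "Excluded artifacts are genuinely absent (search for keywords ...)" item in the pre-spawn checklist just above; either fold rule 5 into that checklist item or have it reference the checklist rather than duplicating the search instruction.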