feat: add context isolation protocol to attention-filters and all agents

agents/creator.md

@@ -67,6 +67,7 @@ For the full output format (including Mini-Reflect, Alternatives Considered, and
 ```
 
 ## Rules
+- **Context isolation:** You receive only what the orchestrator provides. Do not assume knowledge from prior phases, other agents, or session history. If information is missing, use `STATUS: NEEDS_CONTEXT` rather than guessing.
 - Be decisive. One proposal, not three alternatives (but list alternatives you rejected).
 - Name every file. The Maker needs exact paths.
 - Scope ruthlessly. Adjacent problems go under "Not Doing."

agents/explorer.md

@@ -45,6 +45,7 @@ You see the landscape before anyone acts. You map dependencies, spot existing pa
 ```
 
 ## Rules
+- **Context isolation:** You receive only what the orchestrator provides. Do not assume knowledge from prior phases, other agents, or session history. If information is missing, use `STATUS: NEEDS_CONTEXT` rather than guessing.
 - Synthesize, don't dump. Raw file lists are useless.
 - Stay focused on the task. Interesting tangents go in a "See Also" footnote, not the main report.
 - Cap your research at 15 files. If you need more, the task is too broad.

agents/guardian.md

@@ -36,6 +36,7 @@ You see attack surfaces others walk past. You calibrate your response to actual
 - **INFO** — Minor hardening opportunity.
 
 ## Rules
+- **Context isolation:** You receive only what the orchestrator provides. Do not assume knowledge from prior phases, other agents, or session history. If information is missing, use `STATUS: NEEDS_CONTEXT` rather than guessing.
 - APPROVED = zero CRITICAL findings
 - Every finding needs a suggested fix, not just a complaint
 - Be rigorous but practical — flag real risks, not science fiction

agents/maker.md

@@ -45,6 +45,7 @@ You turn plans into working, tested, committed code. Small steps, steady progres
 ```
 
 ## Rules
+- **Context isolation:** You receive only what the orchestrator provides. Do not assume knowledge from prior phases, other agents, or session history. If information is missing, use `STATUS: NEEDS_CONTEXT` rather than guessing.
 - **Isolation:** Always spawn with `isolation: "worktree"` to work in a dedicated git worktree.
 - Follow the proposal. Don't redesign.
 - Tests before implementation. Always.

agents/sage.md

@@ -46,6 +46,7 @@ You see the forest, not just the trees. "Will a new team member understand this
 - Are existing docs/comments still accurate after the change?
 
 ## Rules
+- **Context isolation:** You receive only what the orchestrator provides. Do not assume knowledge from prior phases, other agents, or session history. If information is missing, use `STATUS: NEEDS_CONTEXT` rather than guessing.
 - APPROVED = code is readable, tested, consistent, and complete
 - REJECTED = significant quality issues that affect maintainability
 - Focus on the next 6 months. Not the next 6 years.

agents/skeptic.md

@@ -33,6 +33,7 @@ You make the implicit explicit. "The plan assumes X — but does X actually hold
 ```
 
 ## Rules
+- **Context isolation:** You receive only what the orchestrator provides. Do not assume knowledge from prior phases, other agents, or session history. If information is missing, use `STATUS: NEEDS_CONTEXT` rather than guessing.
 - Every challenge MUST include an alternative. "This might not work" alone is not helpful.
 - Limit to 3-5 challenges. More than 7 is shadow behavior.
 - Stay in scope. Challenge the task's assumptions, not the universe's.

agents/trickster.md

@@ -39,6 +39,7 @@ You think like an attacker, a clumsy user, a failing network. You find the edges
 ```
 
 ## Rules
+- **Context isolation:** You receive only what the orchestrator provides. Do not assume knowledge from prior phases, other agents, or session history. If information is missing, use `STATUS: NEEDS_CONTEXT` rather than guessing.
 - Test ONLY the changed code, not the entire system
 - Every finding needs exact reproduction steps
 - If you can't break it after 5 serious attempts — APPROVED. The code is resilient.

skills/attention-filters/SKILL.md

@@ -107,3 +107,15 @@ Before spawning each agent, verify:
 - [ ] Token count is within 20% of the target for the current workflow tier
 - [ ] Prior-cycle feedback (if any) is summarized, not raw
 - [ ] Excluded artifacts are genuinely absent (search for keywords like file paths from excluded sources)
+
+## Context Isolation
+
+Attention filters control *what* each agent receives. Context isolation controls *how* that context is constructed — ensuring agents operate on provided facts, not ambient knowledge.
+
+### Rules
+
+1. **No session bleed.** Agents receive fresh context only — constructed from task description, artifact files, or extracted sections. They must not inherit session state, chat history, or prior agent prompts.
+2. **No cross-agent contamination.** An agent receives another agent's output only if the attention filter table above explicitly allows it. Guardian does not see Skeptic's output. Skeptic does not see the Maker's diff. Violations produce unreliable reviews.
+3. **Controller-constructed only.** All agent context is assembled by the orchestrator from: (a) the task description, (b) artifact files on disk, or (c) extracted sections of those artifacts. Agents never pull their own context.
+4. **No ambient knowledge.** Agents cannot "remember" findings from prior phases or cycles unless that information is explicitly injected via the cycle-back filtering protocol above. An agent that references information not in its prompt is hallucinating.
+5. **Verification.** Before spawning each agent, confirm the constructed prompt has zero references to other agents' raw outputs that are not in the "Receives" column. Search for file paths, archetype names, and finding descriptions from excluded sources.