Skip to content

feat(agents): split public/internal context + CI safety lint#2977

Merged
bokelley merged 1 commit into
mainfrom
bokelley/split-agent-context-and-lint
Apr 24, 2026
Merged

feat(agents): split public/internal context + CI safety lint#2977
bokelley merged 1 commit into
mainfrom
bokelley/split-agent-context-and-lint

Conversation

@bokelley

Copy link
Copy Markdown
Contributor

Summary

Follow-up to the expert review on #2974. Closes two related gaps at the source:

  1. Product — committed snapshot leaks internal-sounding content ("tier-1 gap", "Brian flagged") into Addie's public responses.
  2. Security H1 — persistent prompt-injection path through the weekly context-refresh cycle into Addie's cached base prompt.

Change

File split:

  • .agents/current-context.md — public. Factual status + links. Injected into Addie; quotable in triage comments.
  • .agents/internal-context.md — internal. Editorial framing, narratives, gaps, stakeholder-sensitive. Triage reads it; Addie doesn't.

Moved the "Narratives and gaps" section from public to internal as the seed. Demoted the public file's title from # Current Context to ## Current Context so the CI lint can ban level-1 headings outright.

CI lint:

  • Safety (hard fail): injection markers (ignore previous, role markers, you are now, new instructions, disregard, fence tags), level-1 headings, control chars, 16 KB size cap.
  • Boundary (warnings): tier-N, narrative, editorial, gap, stakeholder attribution without a PR link.
  • Self-tested: clean file passes with zero warnings, crafted bad file hits 3 errors + 3 warnings.

Context-refresh routine prompt updated to write both files per a side-by-side routing table and to run the lint locally before opening the refresh PR.

Test plan

Independent of #2974 — either order merges fine.

🤖 Generated with Claude Code

Split .agents/current-context.md into public + internal. Public stays
safe for Addie injection and triage comments; internal holds editorial
framing, narratives, and stakeholder-sensitive content.

New CI at .github/workflows/validate-agent-context.yml runs on PR:
- Safety (hard fail): injection markers, level-1 headings, control
  chars, 16 KB cap.
- Boundary (warnings): tier-N, narrative, editorial, gap, stakeholder
  attribution without PR link.

Context-refresh prompt updated to write both files per a routing
table and run the lint locally.

Closes the persistent-injection path + "reads weird to a cold
prospect" concerns from the #2974 expert review.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@bokelley bokelley marked this pull request as ready for review April 24, 2026 02:15
@bokelley bokelley merged commit 7caa4ee into main Apr 24, 2026
12 checks passed
@bokelley bokelley deleted the bokelley/split-agent-context-and-lint branch April 24, 2026 02:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant