Agent Prompt Patterns
Battle-tested patterns for agents that ship, not agents that demo.
If your agent works in a live-fire notebook but breaks in production, you have a demo, not an agent.
When to Use
- - Designing a new agent's behavioral rules and operating manual
- An agent is hallucinating completions, skipping steps, or claiming work it didn't do
- Building multi-agent pipelines where output quality compounds (or collapses)
- Setting up human-in-the-loop approval tiers for different risk levels
- Enforcing reliability in automated workflows (cron jobs, scheduled tasks, pipelines)
- Writing AGENTS.md or operating manuals for production agent workspaces
- Debugging why an agent keeps violating rules you've already stated
- Evaluating whether an agent should exist at all (deletion test)
- Building harnesses that make autonomy safe and useful
When NOT to Use
- - One-shot prompts with no agent persistence — these patterns assume continuity
- Pure chatbot / conversational UX with no action-taking capability
- Academic prompt engineering research — these are production patterns, not benchmarks
- Agents with no filesystem, no tool access, and no side effects — nothing to harness
- You're still in the "make it work at all" phase — get basic functionality first, then harden
1. Consumer-First Design
Principle: Every agent output must have a named consumer. If nobody uses the output, the agent shouldn't exist.
This is the most important pattern because it kills bloat before it starts. Agents proliferate. Each one feels useful when you build it. Six months later you have 14 agents and can't remember what half of them do.
The Deletion Test
Ask: If I delete this agent, which other agent's work breaks?
If the answer is "nothing" or "I'm not sure," the agent is a vanity project.
CODEBLOCK0
How to Apply
Every agent entry in your operating manual should answer:
- 1. Who consumes this output? (name the human or agent)
- What format do they need? (not what's convenient to produce)
- What breaks if this stops? (the deletion test)
- What's the feedback loop? (how does the consumer signal quality issues?)
If an agent produces beautiful summaries that nobody reads, it's burning tokens for nothing.
Anti-Pattern: The "Nice to Have" Agent
CODEBLOCK1�
2. Proof-of-Work Enforcement
Principle: Never claim done unless the action actually started. Every status update needs proof — PID, file path, URL, command output. No proof = didn't happen. Write first, speak second.
This pattern exists because LLMs are pathological completers. They want to say "Done!" because that's the satisfying end of a sequence. The problem is they'll say "Done!" before doing anything, or after attempting something that silently failed.
The Rule
CODEBLOCK2
Examples
CODEBLOCK3
Implementation Pattern
CODEBLOCK4
Agent Operating Manual Rule
CODEBLOCK5�
3. Cascading Validation
Principle: Dependent sequential steps — each task validates the previous output before starting its own work. Failures loop back with fix instructions, not silent continuations.
Cascading validation prevents the "garbage in, garbage out" problem in multi-step pipelines. Without it, step 3 happily processes the corrupt output of step 2, and you don't discover the problem until step 7.
The Pattern
CODEBLOCK6
Example: Content Pipeline
CODEBLOCK7
Key Rule: Never Trust Upstream
Even if Step 1 "passed," Step 2 should re-validate Step 1's output before proceeding. This catches:
- - Race conditions (output modified between steps)
- Silent corruption (file written but content wrong)
- Upstream validation bugs (Step 1's validator had a gap)
Implementation
CODEBLOCK8�
4. Advisory Mode Tiers
Principle: Not all actions carry the same risk. Categorize agent capabilities into tiers with different autonomy levels and approval requirements.
The mistake people make is binary: either the agent can do everything, or it can do nothing. Tiers let you give autonomy where it's safe and require approval where it's not.
The Four Tiers
| Tier | Risk | Probation | Graduation | Example |
|---|
| Low | Reversible, internal only | 3 days | Self-promote after clean streak | Read files, search, summarize |
| Medium |
Visible to user, recoverable | 2 weeks | Human approves promotion | Create files, edit code, run tests |
|
High | Visible to others, hard to reverse | 2 weeks minimum | Never fully unsupervised | Git push, create PRs, post to Slack |
|
Restricted | Irreversible or impersonation risk | Permanent | Always draft-only | Send email from user's account, delete data, financial transactions |
Critical Rule: Email = Restricted
Sending email from a user's account is always Restricted tier. No exceptions. No graduation. Always draft-only with human send.
Why: Email is identity. An AI sending email "as you" creates legal, professional, and trust risks that no amount of testing eliminates.
CODEBLOCK9
Probation Protocol
CODEBLOCK10�
5. Completion Contracts
Principle: Every automated workflow needs binary done-criteria, observable evidence, staged approval, and timeout bounds. No "probably done" — it's done or it's not.
The Contract Template
CODEBLOCK11
Example: Deployment Contract
CODEBLOCK12�
6. Cross-Validation
Principle: Generate with one model, review with another. Different architectures catch different blind spots.
Single-model pipelines have correlated failure modes. If Claude hallucinates a fact, Claude reviewing its own work will often confirm the hallucination. A different model (or a human) brings uncorrelated errors.
The Sub-Agent QC Workflow
CODEBLOCK13
This isn't about which model is "better." It's about error decorrelation. Each reviewer catches things the others miss.
Implementation
CODEBLOCK14
When Cross-Validation Matters Most
- - Legal or compliance content — different models interpret regulations differently
- Financial calculations — arithmetic errors are model-specific
- Factual claims — hallucination patterns differ across architectures
- Security reviews — different models catch different vulnerability classes
When It's Overkill
- - Internal notes nobody else will read
- Ephemeral content (daily logs, scratch work)
- Tasks where speed matters more than correctness
- Outputs with automated validation (tests, linters) that catch errors mechanically
7. Rule Escalation Ladder
Principle: Rules start as prose. If violated, they escalate to loaded rules. If violated again, they become script gates. Critical rules skip the ladder entirely.
The problem with prose rules is enforcement. An agent "knows" the rule but still violates it under pressure (long context, competing instructions, ambiguous situations). The escalation ladder adds mechanical enforcement for rules that matter.
The Three Levels
CODEBLOCK15
Escalation Protocol
CODEBLOCK16
Script Gate Example
CODEBLOCK17�
8. Heartbeat Protocol
Principle: Periodic health checks batched together. Context monitor, system health, memory maintenance — all in one scheduled pulse, not scattered across individual crons.
Heartbeat vs. Cron Decision
| Use Heartbeat When | Use Individual Cron When |
|---|
| Check is lightweight (< 30 seconds) | Task is heavyweight (minutes) |
| Multiple checks share context |
Task is completely independent |
| Failure in one check should inform others | Task has its own retry/error handling |
| You want a single "system status" view | Task needs its own schedule (not aligned) |
Heartbeat Structure
CODEBLOCK18
Implementation
CODEBLOCK19�
9. Contradiction Detection
Principle: Actively scan for conflicts between memory entries, between memory and SOUL, stale facts, and decision reversals. Don't wait for contradictions to cause errors — find them during maintenance.
Contradiction Types
| Type | Description | Example |
|---|
| Memory-Memory | Two memory entries say opposite things | "Client prefers email" vs "Client prefers Slack" |
| Memory-SOUL |
Memory contradicts core identity/rules | SOUL says "never auto-send email" but memory says "auto-send enabled for digest" |
|
Stale Facts | Memory entry is outdated | "API endpoint: api.v1.example.com" when v1 was deprecated |
|
Decision Reversal | decisions.md contradicts earlier decision without noting the change | "Use PostgreSQL" then later "Use SQLite" with no migration note |
Scan Protocol
CODEBLOCK20
Example Contradiction Report
CODEBLOCK21�
10. Tight Harness Principle
Principle: Autonomy gets useful when the harness is tight. Don't sell agents — sell harnesses. An agent without a harness is a liability. A harness without an agent is just a script.
The Five Harness Components
Every autonomous agent operation needs all five:
| Component | Question | Example |
|---|
| Objective Metric | How do we know it worked? | "Test suite passes" not "code looks good" |
| Bounded Scope |
What can it touch? | "Only files in /src/api/" not "any file" |
|
Time Budget | When does it stop? | "15 minutes max" not "when it's done" |
|
Reversibility | Can we undo it? | "Git branch, not direct commit to main" |
|
Observability | Can we see what it did? | "Full command log" not "trust me" |
The Key Insight
Most agent failures aren't capability failures — they're harness failures. The agent could do the task, but:
- - Nobody defined "done" objectively (no metric)
- It modified files it shouldn't have (no scope bound)
- It ran for 3 hours burning tokens (no time budget)
- It pushed directly to main (no reversibility)
- Nobody could tell what it did (no observability)
Harness Configuration Example
CODEBLOCK22
Selling Harnesses, Not Agents
When someone asks "can your agent do X?" — the right answer is "here's the harness that makes X safe":
CODEBLOCK23
The harness IS the product. The agent is just the engine inside it.
Quick Reference: Pattern Selection Guide
| Situation | Pattern |
|---|
| "Should this agent exist?" | Consumer-First Design (#1) |
| "Agent says it's done but I don't believe it" |
Proof-of-Work (#2) |
| "Multi-step pipeline keeps producing garbage" | Cascading Validation (#3) |
| "How much autonomy should this agent have?" | Advisory Mode Tiers (#4) |
| "When is this workflow actually done?" | Completion Contracts (#5) |
| "Agent keeps making the same kind of error" | Cross-Validation (#6) |
| "Agent keeps violating a rule" | Rule Escalation Ladder (#7) |
| "How do I monitor agent health?" | Heartbeat Protocol (#8) |
| "Agent's memory is inconsistent" | Contradiction Detection (#9) |
| "How do I make autonomy safe?" | Tight Harness Principle (#10) |
Combining Patterns
These patterns are composable. A production agent typically uses several together:
CODEBLOCK24
Start with #1 (does this agent need to exist?) and #10 (is the harness tight?). Add the others as complexity demands.
Agent Prompt Patterns
经过实战检验的智能体模式,用于可交付的智能体,而非仅用于演示的智能体。
如果你的智能体在实时笔记本中运行良好,但在生产环境中崩溃,那你拥有的只是一个演示品,而非真正的智能体。
何时使用
- - 设计新智能体的行为规则和操作手册
- 智能体出现幻觉式补全、跳过步骤或声称完成了未做的工作
- 构建多智能体管道,其中输出质量会叠加(或崩溃)
- 为不同风险级别设置人工审核批准层级
- 在自动化工作流中强制执行可靠性(定时任务、计划任务、管道)
- 编写生产智能体工作空间的AGENTS.md或操作手册
- 调试智能体为何持续违反已明确声明的规则
- 评估智能体是否应该存在(删除测试)
- 构建使自主性既安全又有用的约束框架
何时不使用
- - 一次性提示且无智能体持久性——这些模式假设连续性
- 纯聊天机器人/对话式用户体验,无执行操作能力
- 学术性提示工程研究——这些是生产模式,而非基准测试
- 无文件系统、无工具访问、无副作用的智能体——无物可约束
- 你仍处于先让它跑起来的阶段——先实现基本功能,再加固
1. 消费者优先设计
原则: 每个智能体输出都必须有命名的消费者。如果没人使用输出,智能体就不该存在。
这是最重要的模式,因为它能在臃肿问题出现之前就将其扼杀。智能体会不断增多。构建时每个都感觉有用。六个月后你会有14个智能体,却记不清其中一半是做什么的。
删除测试
问:如果我删除这个智能体,哪个其他智能体的工作会受影响?
如果答案是没有或我不确定,那么这个智能体就是一个虚荣项目。
markdown
智能体注册表(在AGENTS.md中)
daily-digest
- - 消费者: Sam(晨间简报),weekly-report智能体(聚合)
- 删除影响: Sam失去晨间摘要,weekly-report失去每日输入
- 结论: 保留
inbox-sorter
- - 消费者: 未识别
- 删除影响: 未知
- 结论: 建议删除——7天内验证或移除
如何应用
操作手册中的每个智能体条目都应回答:
- 1. 谁消费这个输出?(指明人类或智能体名称)
- 他们需要什么格式?(而非方便生成的格式)
- 如果停止运行会破坏什么?(删除测试)
- 反馈循环是什么?(消费者如何标记质量问题?)
如果一个智能体生成了精美的摘要却无人阅读,那它就是在白白消耗令牌。
反模式:锦上添花型智能体
markdown
错误:无消费者,无删除影响
sentiment-tracker
监控社交媒体上关于我们品牌的情绪。
每日运行。输出到sentiment-log.md。
正确:有命名的消费者,清晰的依赖关系
sentiment-tracker
为weekly-report监控社交媒体情绪。
消费者:weekly-report智能体(提取情绪变化用于执行摘要)
删除影响:weekly-report失去情绪板块;Sam必须手动检查社交媒体
格式:JSON,包含{platform, score
delta, topmentions[3]}
2. 工作量证明强制执行
原则: 除非操作实际已启动,否则绝不要声称完成。每次状态更新都需要证据——PID、文件路径、URL、命令输出。无证据 = 未发生。先写,后说。
这个模式之所以存在,是因为LLM是病态的完成者。它们想说完成!,因为那是序列的令人满意的终点。问题在于它们会在做任何事情之前,或在尝试某事后静默失败后,就说完成!。
规则
状态更新格式:
- - 已开始X → 必须包含:PID、命令或文件路径
- 已完成X → 必须包含:输出片段、文件路径或URL
- 失败X → 必须包含:错误信息、尝试过的操作
- 跳过X → 必须包含:带证据的原因
示例
markdown
错误:无证据
✅ 已备份数据库
✅ 已发送每日摘要邮件
✅ 已轮换API密钥
正确:每个声明都有证据
✅ 已备份数据库 → /backups/2026-03-15-db.sql.gz(43MB,sha256: a1b2c3...)
✅ 已发送每日摘要 → Message-ID:
,3个收件人
✅ 已轮换API密钥 → 新密钥指纹:sk-...x4f2,旧密钥于14:32 UTC撤销
实现模式
bash
在脚本门控或智能体包装器中:
runwithproof() {
local task=$1
shift
local output
output=$($@ 2>&1)
local exit_code=$?
if [ $exit_code -eq 0 ]; then
echo 完成:$task | 证据:$(echo $output | tail -3)
else
echo 失败:$task | 退出码=$exit_code | 错误:$(echo $output | tail -5)
fi
return $exit_code
}
用法:
runwithproof 数据库备份 pg_dump -Fc mydb -f /backups/latest.dump
智能体操作手册规则
markdown
工作量证明(AGENTS.md条目)
绝不要在没有证据的情况下说完成。对于每个已完成的操作,至少包含以下一项:
- - 生成输出的文件路径
- 已启动进程的PID
- 已创建/修改资源的URL
- 命令输出(截取最后5行)
- 工件的截图或哈希值
如果无法提供证据,请说已尝试但无法验证并解释原因。
3. 级联验证
原则: 依赖性的顺序步骤——每个任务在开始自己的工作之前,先验证前一个输出。失败时带着修复指令循环回去,而非静默继续。
级联验证可防止多步骤管道中的垃圾进,垃圾出问题。没有它,第3步会愉快地处理第2步的损坏输出,而直到第7步你才会发现问题。
模式
第1步:生成输出A
第2步:验证A符合规范 → 如果无效,带着修复指令返回第1步
第3步:使用已验证的A生成B
第4步:验证B符合规范 → 如果无效,带着修复指令返回第3步
...
示例:内容管道
markdown
新闻通讯管道(级联验证)
第1步:研究
- - 输出:research-notes.md
- 验证:必须包含≥3个来源,每个都有URL和日期
- 失败:研究不完整——需要3个以上有来源的项目。当前有{n}个。请补充。
第2步:草稿
- - 输入:已验证的research-notes.md
- 预检查:验证research-notes.md通过第1步验证(不信任上游)
- 输出:draft.md
- 验证:400-800字,包含所有研究项目,无占位文本
- 失败:草稿{问题}。请修正并重新提交。不要进入编辑阶段。
第3步:编辑
- - 输入:已验证的draft.md
- 预检查:验证draft.md通过第2步验证
- 输出:final.md
- 验证:语法检查通过,链接可解析,格式正确
- 失败:发现编辑问题:{列表}。返回编辑阶段。不要发布。
第4步:发布
- - 输入:已验证的final.md
- 预检查:验证final.md通过第3步验证
- 门控:发布前需要人工批准
关键规则:永远不要信任上游
即使第1步通过了,第2步在继续之前也应重新验证第1步的输出。这能捕获:
- - 竞态条件(步骤之间输出被修改)
- 静默损坏(文件已写入但内容错误)
- 上游验证错误(第1步的验证器存在漏洞)
实现
python
def cascadingstep(inputpath, inputvalidator, processor, outputvalidator, max_retries=3):
每一步验证其输入和输出。
# 验证输入(不信任上游)
inputvalid, inputerrors = inputvalidator(inputpath)
if not input_valid:
return {status: BLOCKED, reason: f输入验证失败:{input_errors}}
for attempt in range(max_retries):
output = processor(input_path)
outputvalid, outputerrors = output_validator(output)
if output_valid:
return {status: DONE, output: output, attempts: attempt + 1}
