Skip to content

feat(agentbuilder): harden generated skill prompt boundaries#577

Open
Alan-TheGentleman wants to merge 1 commit into
mainfrom
feat/agentbuilder-prompt-boundaries
Open

feat(agentbuilder): harden generated skill prompt boundaries#577
Alan-TheGentleman wants to merge 1 commit into
mainfrom
feat/agentbuilder-prompt-boundaries

Conversation

@Alan-TheGentleman
Copy link
Copy Markdown
Contributor

@Alan-TheGentleman Alan-TheGentleman commented May 19, 2026

🔗 Linked Issue

Closes #576

🏷️ PR Type

What kind of change does this PR introduce?

  • type:bug — Bug fix (non-breaking change that fixes an issue)
  • type:feature — New feature (non-breaking change that adds functionality)
  • type:docs — Documentation only
  • type:refactor — Code refactoring (no functional changes)
  • type:chore — Build, CI, or tooling changes
  • type:breaking-change — Breaking change (fix or feature that changes existing behavior)

📝 Summary

This PR pilots XML-like prompt boundaries in the custom agent builder. It wraps volatile prompt payloads in explicit tags while preserving the generated artifact contract: the model must still output raw SKILL.md Markdown.

What this gains:

  • clearer separation between system-level generation instructions and dynamic payloads,
  • less accidental blending between user requests, SDD context, and authoritative prompt instructions,
  • testable prompt boundaries for future prompt-composition changes,
  • delimiter-breakout hardening for values that contain closing tags like </user_request>.

This does not convert skills, docs, installer assets, or SDD assets away from Markdown.

📂 Changes

File / Area What Changed
internal/agentbuilder/prompt.go Wraps installed-agent context, SDD context, and user request in XML-like tags. Escapes dynamic values with html.EscapeString.
internal/agentbuilder/prompt_test.go Updates prompt-composition tests for wrapper presence/absence, raw SKILL.md output preservation, and delimiter-breakout cases.

🧪 Test Plan

Unit Tests

go test ./internal/agentbuilder
go test ./...
go vet ./...

E2E Tests (Docker required)

cd e2e && ./docker-test.sh
  • Unit tests pass (go test ./...)
  • E2E tests pass (cd e2e && ./docker-test.sh)
  • Manually tested locally

E2E was not run because this is a focused prompt-composition change with package and full Go test coverage.

🤖 Automated Checks

The following checks run automatically on this PR:

Check Status Description
Check PR Cognitive Load PR should stay within 400 changed lines (additions + deletions) or use size:exception
Check Issue Reference PR body must contain Closes/Fixes/Resolves #N
Check Issue Has status:approved Linked issue must have been approved before work began
Check PR Has type:* Label Exactly one type:* label must be applied
Unit Tests go test ./... must pass
E2E Tests cd e2e && ./docker-test.sh must pass

✅ Contributor Checklist

  • PR is linked to an issue with status:approved
  • PR stays within 400 changed lines, or I have requested/obtained maintainer-applied size:exception with rationale documented
  • I have added the appropriate type:* label to this PR
  • Unit tests pass (go test ./...)
  • E2E tests pass (cd e2e && ./docker-test.sh)
  • I have updated documentation if necessary
  • My commits follow Conventional Commits format
  • My commits do not include Co-Authored-By trailers

💬 Notes for Reviewers

The important boundary is intentionally narrow: XML-like tags are for volatile prompt payloads only. SKILL.md remains Markdown because it is the durable human-authored and agent-consumed source of truth.

This hardens delimiter breakout, not prompt injection generally. User-controlled text can still contain persuasive instructions inside <user_request>, but it can no longer close that wrapper and appear as a separate authoritative section.

Copilot AI review requested due to automatic review settings May 19, 2026 09:30
@Alan-TheGentleman Alan-TheGentleman added the type:feature New feature label May 19, 2026
Copilot AI reviewed May 19, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the internal/agentbuilder skill-generation prompt composition by introducing explicit XML-like wrappers around volatile/dynamic prompt payloads and escaping dynamic values to prevent wrapper delimiter breakout, while preserving the contract that the model must output raw SKILL.md Markdown.

Changes:

  • Wrap installed-agent context, SDD context, and the user request in <installed_agents>, <sdd_context>, and <user_request> tags.
  • Escape dynamic values via html.EscapeString to prevent </...> delimiter breakout from user/config-provided content.
  • Update and extend unit tests to assert wrapper presence/absence and verify breakout-hardening behavior.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
internal/agentbuilder/prompt.go Adds XML-like wrappers around volatile prompt sections and escapes dynamic values.
internal/agentbuilder/prompt_test.go Updates prompt composition assertions and adds delimiter-breakout regression tests.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

type:feature New feature

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

feat(agentbuilder): harden generated skill prompt boundaries

2 participants

@Alan-TheGentleman