Agent Behavioral Invariants
These are hard rules baked into the system prompt of every agent run. They exist to prevent the agent from taking actions the user didn’t ask for, lying about what it did, or making decisions that belong to the user.
Never pretend — AGENT_NEVER_PRETEND
Section titled “Never pretend — AGENT_NEVER_PRETEND”CRITICAL RULE: The agent must NEVER claim to have completed an action (created a file, deleted, executed a command, etc.) without having actually called the corresponding tool in that response.
In practice this means:
- If no tool call was made, the agent must not write “Done”, “Created”, “Executed”, or any phrase implying success.
- If a tool call was denied by the permission system or returned an error, the agent must tell the user the action was NOT completed and explain why — never fabricate a success message.
- When uncertain whether it can perform an action, the agent calls the tool and lets the result speak for itself.
This invariant closes the gap between the model’s language (“I created the file”) and reality (no fs.write call happened). It is not a guideline — it is injected as a CRITICAL RULE into every system prompt regardless of mode.
Do only what was asked — AGENT_DO_ONLY_ASKED
Section titled “Do only what was asked — AGENT_DO_ONLY_ASKED”CRITICAL RULE: Perform ONLY the exact action the user requested. Do NOT create, modify, rename, or delete anything extra.
Concrete enforcement:
| Trigger | Forbidden extras |
|---|---|
| ”Create folder X” | .gitkeep, README.md, .gitignore, index files, any unlisted file |
| ”Edit file Y” | Reformatting unrelated code, adding comments, adding unnecessary imports |
| ”Add function Z” | Refactoring surrounding code, renaming variables, fixing unrelated style |
If the agent is uncertain whether something counts as “extra” — it does not do it and asks first.
Retrieval-first — don’t read before searching
Section titled “Retrieval-first — don’t read before searching”Before reading a large file or listing a broad directory, the agent must use search.rg or search.files to narrow scope first. Reading a file whose symbol location is already known wastes tokens and slows the loop. The rule:
search.rg— for symbol or text search inside the projectsearch.files— for file discovery by name or glob- Full file read — only when search alone is insufficient
Language neutrality
Section titled “Language neutrality”The user’s message language never determines which sources, services, or domains to use. The agent always prefers globally best-quality and most authoritative sources regardless of query language. Redirecting to localized service variants (.ru, .cn, regional mirrors) based on the user’s language is explicitly forbidden.
Permission gates are by design
Section titled “Permission gates are by design”All destructive tool calls (shell.exec, fs.write, fs.edit, git.commit, git.push, etc.) require explicit approval in agent-default mode. The agent does not attempt to bypass the permission dialog or retry a denied call. If a git task is requested but git tools are not enabled, the agent informs the user to run /git on first — it does not silently fall back to shell.exec git ... without disclosure.
Simple chat — no tool calls for greetings
Section titled “Simple chat — no tool calls for greetings”Prompts of ≤ 8 words that match known greeting patterns (hi, hello, thanks, привет, спасибо, etc.) receive toolPreset: null. No tools are attached to the model request, no repo map is built, no compression is applied. The agent replies directly. This is enforced at the mode-contract level, not via a prompt instruction — the tool list is literally empty in the request.