Version: MVP

MVP failure modes

3 min read · Reference · Updated 2026-05-19

What you'll find here

The MVP hardening posture and the specific boundaries that hold under adversarial input — prompt injection, secrets, tool calls, timeouts, persistence, and recovery.

Fail-closed by default.

The runtime preserves enough state to recover or review a failed run without silently promoting uncertain work to durable facts.

MVP boundaries

Supported (in scope): One release-acceptance workflow · deterministic provider-backed OpenAI & Anthropic execution · local case files · receipts · handoffs · memory proposals · work graphs.

Not required (out of scope): Live provider calls · broad daemon operation · dashboards · direct durable memory writes.

Prompt injection

Hostile text is input, not authority.

User text, repository text, documentation, and memory facts can contain hostile instructions. Prompt compilation keeps those inputs inside task or context sections and always renders the policy envelope, denied capabilities, grants, context omissions, and stop conditions.

Secrets

Persisted payloads are validated before writing to the local store. Secret-shaped values in keys or strings are rejected or redacted at persistence and receipt boundaries. Public documentation checks also block secrets, private paths, and private task names from Docusaurus content.

Tool calls and side effects

Missing grants block side effects

Immutable docs require approval

Unsupported capabilities fail closed

Receipts cover shell · file · memory · GitHub writes

Timeouts, retries, budgets

Network clients

Expose timeout configuration · bounded by default.

Provider adapters

Classify retryable throttling and transient failures · no hidden live retries.

Routing

Blocks exhausted or mismatched budget/quota status.

Agent loops

Enforce max-iteration limits and persist an interrupted run at the limit.

Persisted payloads

Validate twice.

The SQLite store validates every registered contract payload before persistence and rejects unknown schemas, wrong versions, extra fields, and unredacted secret material. CI exercises persisted demo artifacts by reading them back through the contract registry and revalidating their JSON payloads.
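
The validate-before-write and read-back revalidation described above, as an added Python example (not the project's own code). The registry contents, the `receipt` field names, the secret-shape patterns, the table layout and all function names are assumptions.

```python
import json
import re
import sqlite3

# Hypothetical registry and constructed secret shapes; not the project's actual rules.
REGISTRY = {("receipt", 1): {"run_id", "capability", "outcome", "detail"}}
KEY_RE = re.compile(r"(?i)api[_-]?key|secret|password|token")
VALUE_RE = re.compile(r"sk-[A-Za-z0-9]{16,}|AKIA[0-9A-Z]{16}|-----BEGIN [A-Z ]*PRIVATE KEY-----")

class ContractError(ValueError):
    """Validation failed; nothing may be written."""

def secret_paths(value, path="$"):
    """Yield the path of every secret-shaped key or string in a JSON value."""
    if isinstance(value, str) and VALUE_RE.search(value):
        yield path
    children = value.items() if isinstance(value, dict) else (
        enumerate(value) if isinstance(value, list) else ())
    for key, child in children:
        here = f"{path}.{key}"
        if isinstance(key, str) and KEY_RE.search(key):
            yield here
        yield from secret_paths(child, here)

def validate(name, version, payload):
    fields = REGISTRY.get((name, version))
    if fields is None:
        raise ContractError("unknown schema or version")
    if not isinstance(payload, dict) or set(payload) != fields:
        raise ContractError("extra or missing fields")
    for hit in secret_paths(payload):
        raise ContractError(f"unredacted secret material at {hit}")

def open_store(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS payloads (name TEXT, version INTEGER, body TEXT)")
    return db

def persist(db, name, version, payload):
    validate(name, version, payload)  # raises before any write: fail closed
    with db:  # commit on success, roll back on error
        db.execute("INSERT INTO payloads VALUES (?, ?, ?)", (name, version, json.dumps(payload)))

def revalidate_all(db):
    # Second pass: read every stored row back through the registry.
    rows = db.execute("SELECT name, version, body FROM payloads").fetchall()
    for name, version, body in rows:
        validate(name, version, json.loads(body))
    return len(rows)
```

A rejected payload raises `ContractError` before the `INSERT` runs, so the row count seen by `revalidate_all` only ever reflects payloads that passed the first check.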

Recovery expectations

When a run blocks or fails:

  1. Review the case file, receipts, handoff, run state, and memory proposals before retrying.
  2. Do not convert assumptions, stale risks, or omitted context into facts without new evidence.
