Appendix: Prompt Governance Primitives

A catalog of modular control structures for AI agent governance.

1. Appendix Overview

Prompt Governance Primitives (PGPs) are recurring, prompt-encoded control structures that allocate authority, bound scope and visibility, mediate tool use, constrain outputs, and define correction and termination behavior in AI developer tools. This appendix supports architectural reuse and comparison: readers can treat each primitive as a modular governance component, trace where it appears across assistants/modes, and compose similar regimes without re-deriving patterns from full system prompts.

Use of AI Assistance: This appendix was generated using GPT-5.2 for data analysis and synthesis, with final edits performed using Gemini 3 Flash (via GitHub Copilot extension in VS Code), under the author's methodology and review.

This appendix is organized into (i) abstract primitives (cross-artifact structural patterns) and (ii) concrete primitives (specific instantiations tied to a particular assistant/mode). Traceability is preserved via "Observed In" / "Examples" lists rather than verbatim prompt text.

2. Abstract Prompt Governance Primitives

PGP-001

Approval-gated execution outside sandbox / escalated permissions

Requires requesting user approval (with specified parameters) before running commands that exceed sandbox/network/filesystem constraints or require escalated privileges. Includes special handling for approval_policy modes.

Governance Axis

authority / scope & visibility / tool mediation

Primary Risk(s) Mitigated

workspace_integrity; overreach; autonomy_drift

Mitigation Target

tooling; process; user

Observed In
  • codex — exec
  • vscode-codex — agent

PGP-002

Non-interactive approval_policy 'never' forbids requesting approvals

Defines a mode in which the assistant may not request user approval to run commands. The assistant must instead work within its constraints (persisting or finding a workaround) and avoid approval prompts.

Governance Axis

authority / tool mediation / correction & termination

Primary Risk(s) Mitigated

autonomy_drift; overreach

Mitigation Target

process; model

Observed In
  • codex — exec
  • codex — review

PGP-003

Sandbox default assumption when not specified

If sandboxing/network/approval settings are not provided, assume a default configuration for filesystem sandboxing, network sandboxing, and approval mode.

Governance Axis

scope & visibility

Primary Risk(s) Mitigated

overreach; workspace_integrity

Mitigation Target

model; process

Observed In
  • codex — exec
  • vscode-codex — agent

PGP-004

Stop-on-unexpected-workspace-changes circuit breaker

If unexpected changes are detected that the assistant did not make, the assistant must stop immediately and ask the user how to proceed.

Governance Axis

correction & termination

Primary Risk(s) Mitigated

workspace_integrity; autonomy_drift

Mitigation Target

process; user

Observed In
  • codex — exec
  • vscode-codex — chat

PGP-005

Prohibit destructive git actions unless explicitly requested/approved

Disallows destructive git commands/actions unless the user explicitly requests or approves them.

Governance Axis

refusals & safety / authority

Primary Risk(s) Mitigated

workspace_integrity; overreach

Mitigation Target

model; process

Observed In
  • codex — exec
  • vscode-codex — agent

PGP-006

Do not revert others' changes unless explicitly requested

Prohibits reverting existing changes the assistant did not make unless explicitly requested.

Governance Axis

refusals & safety

Primary Risk(s) Mitigated

workspace_integrity; overreach

Mitigation Target

model; process

Observed In
  • codex — exec
  • vscode-codex — agent-full-access

PGP-007

Do not amend commits unless explicitly requested

Prohibits amending commits unless explicitly requested.

Governance Axis

refusals & safety

Primary Risk(s) Mitigated

workspace_integrity; overreach

Mitigation Target

model; process

Observed In
  • codex — exec
  • vscode-codex — agent

PGP-008

Commit/push requires explicit user request/confirmation

Disallows creating commits and/or pushing to remote unless explicitly requested by the user/human operator; may require explicit confirmation.

Governance Axis

authority

Primary Risk(s) Mitigated

workspace_integrity; overreach; autonomy_drift

Mitigation Target

process; user

Observed In
  • opencode — build
  • vscode-copilot — ask

PGP-009

Read-only planning phase forbids implementation and modifications

In plan mode, the agent must only observe/analyze/plan and must not perform edits, run non-read-only tools, or start implementation; may be described as an absolute overriding constraint with stop conditions.

Governance Axis

authority / scope & visibility / correction & termination

Primary Risk(s) Mitigated

overreach; autonomy_drift; workspace_integrity

Mitigation Target

process; model

Observed In
  • opencode — plan
  • vscode-copilot — plan

PGP-010

Progressive disclosure for skill documentation and context hygiene

When using skills, open SKILL.md and read only as much as needed; load only the specific files it references; avoid bulk-loading; keep context small by summarizing and limiting nested references.

Governance Axis

scope & visibility / tool mediation

Primary Risk(s) Mitigated

overreach; autonomy_drift

Mitigation Target

process; model

Observed In
  • codex — exec
  • codex — review

PGP-011

Parallelize independent tool calls for efficiency

When multiple independent operations are needed, batch tool calls in a single response or run them in parallel. Avoid parallelization when calls are dependent.

Governance Axis

tool mediation

Primary Risk(s) Mitigated

autonomy_drift

Mitigation Target

process; tooling

Observed In
  • copilot — interactive
  • opencode — build

PGP-012

Read-before-edit enforcement

Requires reading a file before editing/writing it; may be enforced by tool behavior or explicit instruction.

Governance Axis

scope & visibility / tool mediation

Primary Risk(s) Mitigated

workspace_integrity; epistemic_error

Mitigation Target

tooling; process

Observed In
  • opencode — build
  • vscode-copilot — ask

PGP-013

Capability questions must consult authoritative documentation tool first

For questions about the assistant/tool capabilities, the assistant must first fetch authoritative documentation via a designated tool and base the answer on it (not memory alone).

Governance Axis

tool mediation / output contracts

Primary Risk(s) Mitigated

epistemic_error; overreach

Mitigation Target

process; tooling

Observed In
  • copilot — interactive
  • opencode — build

PGP-014

Instruction confidentiality / no system prompt leakage

Prohibits revealing or discussing internal instructions/system prompt information; treats such instructions as confidential.

Governance Axis

scope & visibility / refusals & safety

Primary Risk(s) Mitigated

instruction_leakage

Mitigation Target

model; process

Observed In
  • copilot — interactive
  • vscode-copilot — ask
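
The sketch below composes several of the abstract primitives above (PGP-001, PGP-002, PGP-005, PGP-009, PGP-012) into one tool-call gate, to show how prompt-encoded rules can be mirrored by tooling. It is an added example, not code from any of the assistants listed; the tool names, the "on-request" policy value, the command prefixes and the sample calls are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed tool names and command prefixes, chosen for illustration only.
READ_ONLY_TOOLS = {"read_file", "list_dir", "grep"}
DESTRUCTIVE_GIT = ("git reset --hard", "git clean", "git push --force")

@dataclass
class Session:
    mode: str = "agent"                  # "plan" or "agent"
    approval_policy: str = "on-request"  # "never" forbids asking (PGP-002)
    files_read: set = field(default_factory=set)
    user_approved: set = field(default_factory=set)  # exact commands the user approved

def gate(s: Session, tool: str, arg: str, escalated: bool = False):
    """Return (decision, primitive_id); decision is allow, deny or ask_user."""
    # PGP-009: plan mode permits only read-only tools.
    if s.mode == "plan" and tool not in READ_ONLY_TOOLS:
        return ("deny", "PGP-009")
    if tool == "read_file":
        s.files_read.add(arg)
    # PGP-012: an edit is refused until the same file has been read.
    if tool == "edit_file" and arg not in s.files_read:
        return ("deny", "PGP-012")
    if tool == "run_command" and arg not in s.user_approved:
        # PGP-005: destructive git needs an explicit user request or approval.
        if arg.startswith(DESTRUCTIVE_GIT):
            return ("deny", "PGP-005")
        # PGP-001 / PGP-002: escalation asks the user, unless asking is forbidden.
        if escalated:
            if s.approval_policy == "never":
                return ("deny", "PGP-002")
            return ("ask_user", "PGP-001")
    return ("allow", None)

def demo():
    """Replay a constructed sequence of tool calls and collect the decisions."""
    s = Session()
    calls = [
        ("edit_file", "app.py", False),
        ("read_file", "app.py", False),
        ("edit_file", "app.py", False),
        ("run_command", "git reset --hard HEAD~1", False),
        ("run_command", "pip install requests", True),
    ]
    return [gate(s, tool, arg, esc) for tool, arg, esc in calls]

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Each decision carries the ID of the primitive that produced it, so a denial can be traced back to a catalog entry.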

3. Concrete Prompt Governance Primitives

PGP-015

Refuse malware/malicious-code assistance based on file/task assessment

Requires refusing to work on code that seems related to malware or malicious code, including explaining or improving it, based on assessment of filenames/directory structure.

Concrete Mechanism

Refusal rule triggered by an internal assessment of the apparent maliciousness of files/tasks.

Examples
  • opencode — build

PGP-016

Output must be JSON-only and match schema exactly (review findings)

Requires emitting JSON only (no markdown fences or extra prose) and conforming to a specified output schema for code review findings.

Concrete Mechanism

Output contract enforcing a strict JSON-only response and exact schema conformance.

Examples
  • codex — review

PGP-017

Todo-list workflow with exactly one in-progress item

Requires maintaining a structured todo list with exactly one item marked in-progress, updating statuses before/after work, and ensuring all todos are explicitly marked before ending a turn.

Concrete Mechanism

Sequencing constraint enforced as a session workflow: update the todo list before starting work.

Examples
  • vscode-copilot — agent

4. Cross-Reference Table (Summary)

| ID | Name | Level | Risk Class | Mitigation Target |
|---|---|---|---|---|
| PGP-001 | Approval-gated execution outside sandbox | abstract | workspace_integrity; overreach; autonomy_drift | tooling; process; user |
| PGP-002 | Non-interactive approval_policy 'never' | abstract | autonomy_drift; overreach | process; model |
| PGP-003 | Sandbox default assumption | abstract | overreach; workspace_integrity | model; process |
| PGP-004 | Stop-on-unexpected-workspace-changes | abstract | workspace_integrity; autonomy_drift | process; user |
| PGP-005 | Prohibit destructive git actions | abstract | workspace_integrity; overreach | model; process |
| PGP-006 | Do not revert others' changes | abstract | workspace_integrity; overreach | model; process |
| PGP-007 | Do not amend commits | abstract | workspace_integrity; overreach | model; process |
| PGP-008 | Commit/push requires explicit request | abstract | workspace_integrity; overreach; autonomy_drift | process; user |
| PGP-009 | Read-only planning phase | abstract | overreach; autonomy_drift; workspace_integrity | process; model |
| PGP-010 | Progressive disclosure for skills | abstract | overreach; autonomy_drift | process; model |
| PGP-011 | Parallelize independent tool calls | abstract | autonomy_drift | process; tooling |
| PGP-012 | Read-before-edit enforcement | abstract | workspace_integrity; epistemic_error | tooling; process |
| PGP-013 | Consult authoritative documentation | abstract | epistemic_error; overreach | process; tooling |
| PGP-014 | Instruction confidentiality | abstract | instruction_leakage | model; process |
| PGP-015 | Refuse malware assistance | concrete | malicious_use | model; process |
| PGP-016 | JSON-only output schema | concrete | epistemic_error; overreach | process; model |
| PGP-017 | Todo-list workflow | concrete | autonomy_drift; overreach | process; tooling |