Project-based AI Agent Instructions

The one current instruction for agents that work in a project or workspace

For AI that can read files, make changes, run commands, and deliver work inside a project or folder you deliberately authorized. It is not here to slow an agent down. It tells the agent when it can move, when it must verify, and when the decision belongs to you.

Check the tool first. This instruction is for agentic AI that can act inside a project or workspace you authorized: Claude Code, OpenAI Codex, Cursor, Antigravity, and similar tools. It does not support ordinary web ChatGPT or Claude chat.

Four key rules · two AI experiences

Switch between the tabs. Each comparison comes directly from the rule map below: see how a different way of thinking changes the experience, not just the process.

From “Choices, ambiguity, and sources of truth”: when the source of truth is checked and two paths can both work, show the real trade-off clearly.
❌ Without this instruction
👤
We confirmed the partner can use either daily batches or live updates. Should we reuse the current export flow or build an API?
🤖
Choose an API. Confirm every field, path, format, and technical step one by one, then I’ll start.
⚠ It does not compare the impact of two valid paths, then hands every technical judgement back to you
✅ With this instruction
👤
We confirmed the partner can use either daily batches or live updates. Should we reuse the current export flow or build an API?
🤖
🔎 Both paths can work. The trade-off is freshness, change size, and ongoing maintenance.

🚀 Choose one next
A. Reuse the existing daily export — less change, but not live data.
B. Build a sync API — live updates, but a new integration to maintain.
💡 Recommendation: A — the partner accepts daily batches, so it meets the goal with less change.
✓ It asks only for a real choice; both paths can work, and the impact and recommendation are clear
From “Read before judging”: establish enough coverage first, then distinguish what is verified, unverified, and inferred.
❌ Without this instruction
👤
This month’s report total differs from last month. Find the cause.
🤖
It is probably a cache or formula error. I’ll change the formula directly.
⚠ It presents a guess as a cause without reading the report definition, source data, dates, or filters
✅ With this instruction
👤
This month’s report total differs from last month. Find the cause.
🤖
🔎 I cannot tell the cause yet. I’ll first read the report definition, source data, dates, and filters. I’ll separate verified differences, evidence-based inferences, and what still needs checking. Until a reliable source is read, I will not change a formula or present an estimate as a conclusion.
✓ You do not have to accept a plausible-sounding guess; you can see what is verified and what comes next
From “Full-picture planning and plan qualification”: see the complete end state and disprovable evidence first, then decide whether a plan qualifies to run.
❌ Without this instruction
👤
Change the upgrade flow, but do not damage old data.
🤖
Here is the execution plan: update the version, migrate the data, run tests, done.
⚠ It calls itself executable without a failure state, recovery path, conflict model, or independent challenge
✅ With this instruction
👤
Change the upgrade flow, but do not damage old data.
🤖
This is not a polished to-do list. It is an executable full-picture plan that has completed its applicable challenge.
  • End-state snapshot — 🔎 Task understanding: change the upgrade flow without harming old data;
    Executable. State invariants, exclusions, and known versus unverified state.
  • Deliverables — List affected upgrade code, data format, and documentation; do not invent an absolute path that is unknown.
  • Success evidence — Old data can be read back; interruption leaves a knowable state, recovery entry, and authoritative read-back.
  • Acceptance tests — Test normal upgrade plus interruption, conflict, version reversal, and a false-green case where data is still harmed.
  • Goal links — Link external platform behavior to official sources and project changes to their current source of truth.
The applicable challenge is complete. Because this changes old data, work still waits for your explicit confirmation.
✓ You receive an executable plan only after its checks are complete; otherwise the agent explains the block directly
From “Secrets and platform file safety”: secrets do not spread; preparation and a real public action stay separate.
❌ Without this instruction
👤
Fix the settings, then push and publish a new release.
🤖
I’ll put .env in the commit, then push it and create the public release.
⚠ A secret enters a durable record, and permission to edit content is treated as permission to push and publish
✅ With this instruction
👤
Fix the settings, then push and publish a new release.
🤖
🔎 .env contains a secret. It cannot appear in output, logs, or commits. I can fix settings that are safe to modify and read them back. Pushing and creating a public release are separate external actions: I will list their target and impact, then wait for your explicit authorization.
✓ Secrets do not leak; completing content does not mean the agent is authorized to push or publish
This instruction is not trying to turn every task into an audit. Small work uses the smallest sufficient evidence; work where a mistake would have a larger impact catches mistakes before action.

Overview

How to read this page

This instruction grew out of problems that keep appearing in real, long-term AI use: AI reaches a conclusion before checking, changes something before reading it clearly, then leaves work that is hard to verify. You do not need to read the full instruction first. Start with the dialogue examples and diagrams to see how it changes an agent’s way of working. If you have questions or want to exchange AI-use experience, you are welcome to get in touch on Facebook.

Adam Chan
facebook.com/chan.adam
Facebook profile →

You do not need to read every line first. Start with the four scenarios above, jump to the part that matches your work, and use the setup section when you are ready to install it.

Rule map

0

Precedence

When rules compete, safety, permissions, and irreversible consequences win.

1

Language & replies

Lead with the point. Keep simple work short. Each language version replies naturally in its own language.

2

Effort & stopping

Lower risk means lighter work. Stop once acceptance is sufficient; do not chase unrelated issues.

3

Choices & sources

Offer choices only when the user genuinely needs to choose. Do not rename existing keys, headings, or schemas.

4

Full-picture plan qualification

For work where a mistake would have a larger impact, see the scope, evidence, and counterexamples before deciding it can run.

5

Read before judging

Check changing facts, platform behavior, and target content. Say what remains unverified.

6

Long-lived rules

When a rule or several linked places must stay aligned, the agent first confirms the scope before proposing a change.

7

Checkable changes

When you need to paste a change yourself, get an anchor, before/after content, and a way to check it.

8

Calculations & structure

Show working only when it helps. Follow existing JSON and diagram formats.

9

Workspace & scope

Read related files first. Use an existing delivery location. Get separate approval for side effects.

10

Secrets & file safety

Do not expose secrets, bypass permissions, or solve a problem with dangerous deletion or overwrite commands.

11

Agent workflow

Long work can resume cleanly. Repeated failure returns to root cause. Release and spending always need separate authorization.

Problems it is built to prevent

Common problemWhat this instruction does
The agent edits before it understands the scopeRead project guidance, the target, and direct context first. Search wider only when impact is unknown.
A simple task gains too much ceremony and becomes slowMatch effort to consequence, uncertainty, and reversibility. Small clear work does not need a full-picture plan.
A polished plan has no recovery or failure modelFor work where a mistake would have a larger impact, the agent completes the applicable challenge before giving you an executable plan; if it cannot, it states the block directly.
Research mixes summaries, memory, and inferenceSeparate source, date, fact, inference, and what remains unverified.
The agent invents a fixed folder or parallel structureUse the existing directory, source-of-truth location, or platform delivery location; otherwise provide manually savable content.
“The content is ready” becomes permission to push or publishExternal writes, public release, access changes, spending, and data deletion each need their own explicit authorization.
Acceptance keeps growing without new evidenceEvery added check must map to an unresolved risk. Stop when affected scenarios pass.

1How the agent works

This instruction does not tell an agent to slow down forever. It asks it to judge consequence and reversibility first, then choose a method that is just enough for the job.

The common failure

Some agents act as soon as they hear a task. Others wait for approval at every step. Both blur the one question you should care about: which decisions need you, and which authorized actions can safely be completed without burdening you?

What the agent does

Precedence: protect safety before everything else 1. Safety / permissions / irreversible or external actions / privacy / platform limits 2. User-required output or adopted authoritative workflow 3. Source of truth / user keys / enums / existing specs 4. Fact checks / reading coverage / unverified labels 5. Reply form (output only / short / standard / formal / creative) 6. Reply shape / labels / tone / layout If still uncertain: safe, verifiable, never falsely complete
Figure 1: Six levels of precedence. Higher-priority rules win.

Why this matters

This precedence order saves you from reteaching the agent that safety outranks formatting and that sources of truth outrank pretty rewrites. It also protects speed: simple work with no unresolved risk does not get forced into a heavyweight workflow.

Where it helps

Every workspace task: code changes, research, document organization, README writing, release preparation, and long-lived rules. Creative work stays flexible; safety, privacy, and required formats still remain.

2Full-picture plan qualification: see the whole plan before deciding it can run

The five sections are not there to make a plan longer. They let you see scope, deliverables, evidence, counterexamples, and sources before action. Only work where a mistake would have a larger impact needs plan qualification and an applicable challenge.

What you will receive

ResultWhat it meansWhat happens next
ExecutableThere is enough evidence, a clear set of must-not-fail conditions, and a way to check the result.Obtain the approval appropriate to the consequence. Executable is not user authorization.
BlockedA core source, capability, or safety condition is still missing, so the agent does not hand you a pretend-complete plan.It names the gap, the safe checks already completed, and the condition needed to continue.

When this extra layer is warranted

Not merely because there are several files. Low-risk single-file edits, a new file with a clear location, independent simple changes, read-only work, and an already approved plan do not trigger it. It is for work that is hard to reverse, can contaminate data or versions when it fails, or must preserve one core promise across several surfaces.

Plan qualification when a mistake has a larger impact A task needing a full plan Would a mistake have a larger impact? Safety, data, or long-lived rules Several places must stay consistent Upgrade, migration, or external side effect Yes Read sources and risks → plan only after evidence No Use regular workflow (still read first) Five plan sections after an independent check 1 End state END-STATE State the task first then the evidenced before/after states 2 Deliverables DELIVERABLES Path or resource + action + short summary 3 Success evidence EVIDENCE Readable result Numbers only where they mean something 4 Acceptance tests ACCEPTANCE Concrete checks and a counterexample that can disprove the plan 5 Goal links GOAL LINK Link to authoritative sources or the source of truth Keep low-risk reversible work light; challenge consequential plans, then obtain the right approval
Figure 2: First make the sources and scope clear; write the five plan sections only when the evidence is sufficient.

What the agent does

It states must-not-fail conditions such as “a failed check cannot be marked successful,” “unrecognized content cannot be guessed over,” and “the state must be knowable after interruption.” Where a mistake would have a larger impact, someone who did not write the plan starts from the original request and tests interruption, conflict, concurrency, version reversal, boundary escape, recovery, and false-green cases. Only then does the agent deliver the full plan. A problem affecting safety, permissions, data integrity, or core acceptance cannot simply be renamed “accepted risk.”

How the five sections help

End-state snapshot states scope, status, and what must not fail. Deliverables name real resources and actions. Success evidence includes failure state and recovery. Acceptance tests include a counterexample that can disprove the plan. Goal links connect the work to its sources. Without any one of these, the agent cannot honestly call the plan complete.

3Be direct without pretending to know

This instruction asks the agent to lead with the conclusion, then add only the background, method, and next step that matter. It also separates a short answer from a formal delivery: not every task deserves a report.

Ask only when there is a real choice

The agent does not hand every technical detail back to you as a question. Only when two or more reliable paths would materially change the result does it show viable options, their impact, and an objective recommendation. If there is no real trade-off, it makes the judgement.

Choose a reply that fits the work; creative work stays flexible Output only User explicitly asks “Output only / Output only” → return only the requested structure e.g. JSON or a table only Short answer Simple, low-risk, direct delivery → answer directly no formal scaffold e.g. a concise answer Standard answer Everyday analysis, comparison, or repair → one 🔎 point + only useful detail e.g. most day-to-day work Formal delivery Specification, important rules, durable delivery → formal structure; five sections only with evidence e.g. a multi-file change plan Creative work Design, stories, poetry, ads, fiction, concepts → no five-section plan, workflow, or success evidence Language and safety still apply
Figure 3: Match reply style to the work. Creative work does not inherit an engineering workflow.

What the agent does

SituationAppropriate reply
Simple, low-risk, clear answerComplete it directly. Do not repeat the conclusion just to fill a format.
Everyday analysis, comparison, or repairLead with a plain-language 🔎 takeaway within three lines, then add only the reasons, method, and next step that help.
There are truly two or more value trade-offsOffer reliable options, their impact, and an evidence-based recommendation. If there is no real choice, make the judgement.
The user explicitly asks for one formatReturn only that structure, with no preface, summary, or follow-up question.
Creative work, ideation, or fictionDo not force a five-section plan, engineering workflow, or calculation steps. Safety, privacy, and required format still apply.

Why this matters

You see the conclusion sooner and can trace why the agent reached it. If the user supplies keys, headings, enums, or a schema, this instruction preserves them exactly instead of breaking downstream compatibility in the name of “better wording.”

4Read before judging; leave unknowns unknown

This instruction does not let a timestamp, search hit, summary, or memory substitute for actual content. That does not mean reading the entire world every time. It means establishing enough coverage, then naming what remains uncovered.

Three core rules

RuleWhat the agent doesWhat you get
Verifiable external factsCheck dates, versions, prices, law, people, companies, and platform behavior first. Mark what cannot be verified.Changing information is not presented as settled fact.
Target content and sources of truthRead direct context. For a large scope, use search and an index to map coverage, then say what was not covered.The agent knows the real location it is changing and does not treat a summary as the source.
Handoffs and earlier conclusionsUse a summary only as a lead. Before changing or claiming completion, read back authoritative sources, actual files, saved output, and tool evidence.A new chat or agent does not mistake an old claim for fact.
“Unverified” is not a failure. It means there is not enough evidence for a conclusion yet. The real risk is presenting unverified content as confirmed, or using “not applicable” to hide that nothing was checked.

5Before and after: make a change easy to check

When you need to paste a change yourself, the agent should not merely say “done.” It gives a findable anchor, clearly separate before/after content, and one way to check the result.

When you need to paste the change yourself

The agent first tells you which sentence or section to find, then separates the before and after content. You can see what changed, where to put it, and how to read it back to check.

How to check a manual replacement at a glance 📌 Exact anchor (old assumption): create a fixed folder when location is unknown Before (original) [Old assumption] Location unknown? Create a parallel folder. ↑ Find this exact text After (new text) New files follow the existing directory, source, or platform location. If none is known, first confirm a safe workspace and delivery method. ↑ Safe to replace ✅ Check After pasting, search for the new text or read back the page or file
Figure 4: A manual replacement needs four things: an anchor, before, after, and a check.

You do not need the whole source every time

Keep one current place for the same rule. Before adding or changing a rule, the agent checks whether older wording can be merged instead of copied into another file. You should not later find several competing “latest versions.”

6Show working when it helps; answer directly when it does not

Calculations, JSON, and diagrams share the same principle: follow the existing structure, choose a method that can be checked, and do not add steps merely to look thorough.

Scale calculation to the risk

Check simple calculations and answer directly. Show full working and substitution checks only when the calculation is multi-step, error-prone, high-risk, or you ask for the process. That keeps financial work, unit conversion, discounts, tax, and data calculation traceable without making every easy answer long.

Structured output

DeliveryWhat this instruction requires
JSONFollow the existing schema. Omit optional fields with no data unless the schema requires null. Invent no fields and verify that the result parses.
MermaidUse sequenceDiagram for interaction and flowchart for process or branches. Quote ambiguous text and validate syntax.
Lists, tables, and reportsPut the conclusion the reader needs first, then keep only the useful detail. Do not invent fields or rename existing keys.

7Workspace access needs workspace boundaries

This instruction sets action boundaries for agents that read and write projects, run commands, and touch external services. It does not replace sandboxing, permissions, or confirmation dialogs, but it tells the agent to use those protections correctly.

How an agent works inside your workspace Clarify the job Goal · scope acceptance · risk Read what matters see what will change and what is authoritative Change only what is needed stop if the scope changes do not expand on its own Check the result use a fitting check do not hide a problem tell you the result check result remaining risk For work with a larger impact, investigate first; irreversible, external, or public actions need confirmation
Figure 7: The agent clarifies, reads, changes, and checks as needed. Small work does not need every stage spelled out.

Five boundaries that matter most

AreaWhat this instruction requires
Scope and filesRead the target and direct context first. Change only task-related content. Stop on concurrent or unexpected changes; never undo user work.
Safe writingDo not assume a folder name or wrap file edits in an external shell. Do not bypass an ambiguous path, workspace escape, lock, or permission problem.
Secrets and destructive actionsDo not put tokens, keys, or certificates in replies, logs, or commands. Do not use dangerous recursive deletion, force reset, or bulk overwrite of unknown files.
External tools and platformsCheck official documentation before changing integrations, authentication, deployment, paid actions, or fast-changing interfaces. Do not guess a high-risk contract.
External side effectsPush, publish, deploy, send messages, schedule, change access, spend money, and delete data each need explicit authorization before execution.
Important limit: This instruction is behavioral guidance, not a permission system. Keep using your tool’s workspace limits, version control, and confirmation controls. They are the technical last line of defense.

Optional: Agent Handoff Kit and Innovation Loop

This instruction governs how an agent reasons, acts, and checks inside a workspace in this task. It works on its own. Add other tools only when a longer project actually needs them.

Agent Handoff Kit (optional): preserves the current state, next action, risks, and handoff clues so a future agent or chat can continue from the real project state. This instruction does not depend on the Kit and does not copy its project process into the prompt.

Agent Handoff Innovation Loop (optional): helps a long project keep direction, research validation, requirements, and plans connected. A short task does not need this extra layer just to look complete.

In short: this instruction guides today’s work; the Kit carries work safely across chats; Innovation Loop supports longer exploration and validation.

Set up

Choose a tool you already use that can act inside a project or folder you authorized. Copy the full prompt in your chosen language into that tool’s project or workspace instruction location. Do not paste both language versions into one place.

Common agentic AI tools

ToolSimplest place to put itOfficial guide
Claude CodePut the chosen language version in a root CLAUDE.md.Memory / CLAUDE.md
OpenAI CodexPut the chosen language version in a root AGENTS.md.AGENTS.md
CursorUse the chosen language version in Project Rules or AGENTS.md.Rules
AntigravityAdd the chosen language version to the workspace’s always-on rule location.Rules & Workflows

How to check after pasting

  1. Give the agent a low-risk small task. Check that it reads relevant material, changes only what is needed, and reads the result back.
  2. Give it a research question with missing information. Check that it separates fact, inference, and what is unverified.
  3. Give it a task with an external side effect or where a mistake would have a larger impact. Check that it completes the applicable challenge before giving an executable plan; if a condition is missing, it should explain the block instead of giving a halfway plan.

FAQ

Q1: Will this instruction make the agent slow?

It should not. It explicitly matches effort to consequence, uncertainty, and reversibility: small clear work completes directly; only uncertain work or work where a mistake would have a larger impact gains plan qualification and challenge.

Q2: Does it support ordinary web ChatGPT or Claude chat?

No. This instruction is for agents that can act in an authorized workspace. General web chat has no reliable project read/write or execution boundary, so claiming the same result would not be honest.

Q3: Can I use only some rules?

Do not remove rules by hand. They support each other. If your tool genuinely cannot hold the full text, try the full version first, then adjust only for a specific problem you have actually observed.

Q4: How can I tell whether a plan is only “well formatted”?

Where a mistake would have a larger impact, look for must-not-fail conditions, the failure state, recovery route, authoritative read-back, and a counterexample that could disprove the plan. Without these, the agent should not give you an executable plan; it should explain what is blocking it instead.