Here's the uncomfortable truth about prompt-based rules: the model will follow them most of the time. For a production system, "most of the time" is a bug. If a rule is load-bearing, it can't live in a prompt where the agent is free to ignore it under pressure.
In the Avni Skills SDK, the load-bearing rule is: never add a concept without first looking it up. Getting that wrong produces a broken bundle. So I didn't ask the agent nicely — I made the lookup a tool it must call, enforced in-process via MCP.
Enforcement, not vibes
- ▸Tool-gates. Domain rules are exposed as MCP tools the agent is required to invoke before acting.
BUNDLE_HARD_RULESrule #6 (look up the concept first) is a gate, not a sentence in a system prompt. - ▸Validator-truth injection. The current validator state is injected into every prompt, so the agent quotes real error codes instead of hallucinating them.
- ▸Auto-revert. A post-turn hook reverts any git commit the agent makes that the server didn't author. If it goes off-script, the change simply doesn't survive.
- ▸A path-jail and a prompt-injection filter. The export tool can only write to a few whitelisted folders, and an output filter scans generated JSON for hostile patterns.
"The AI wrote it" isn't good enough. "The AI wrote it, and it's verified" is what you can actually ship.
The mindset shift
Once you stop trusting the prompt and start enforcing in code, agentic systems get a lot less scary. The agent becomes a fast, creative proposer; your gates and hooks decide what's real. That separation — creative model, deterministic guardrails — is the pattern I reach for every time now.
It's why the org didn't just try the SDK, they forked it and run it. Trust isn't a demo; it's tool-gates, validators, and a revert hook you can read on GitHub.