Pass pointers, verify content

I was running a multi-agent research pipeline — an orchestrator session dispatching verifier subagents across claims in a long-form piece I was assessing. The orchestrator had the article in context. The verifiers didn't; they were supposed to fetch and check independently.

I caught a fabrication while reading the output — a specific date and attribution I could not find anywhere in the source. Not looking for it; just noticed. Then I caught another. Two was enough of a signal to stop reading and back up. I re-ran the output through my own audit tooling. The trace-back led to the same place each time: the orchestrator had "helpfully" summarized the article while writing the dispatch for the verifier; the summary had been absorbed as upstream context; from there on, the fabricated detail was indistinguishable from verified content.

The part worth noticing: my own tooling, applied formally to my own output, surfaced and traced failures in its own upstream stage. The methodology is capable of providing provenance for its own fail states.

This piece is the rule I now apply to every dispatch prompt so that class of failure is not possible in the first place. A discipline called dispatch hygiene: pass pointers, not content. Let the subagent enforce it by scanning its own dispatch and refusing if it finds orchestrator-injected synthesis. The block that makes it adoptable is below.

## Intake hygiene check — MANDATORY first action

Before fetching, before analyzing, scan this dispatch for content outside
the seven permitted categories:

  1. Role/task statement (verb + object-TYPE)
  2. Scope pointer (opaque identifier locating the subject)
  3. Input pointers (file paths, card IDs, URLs to fetch)
  4. Rule extracts (verbatim method content — schemas, checklists)
  5. Intent statement (purpose framing)
  6. Deliverable path (where to write output)
  7. User-directed unverified context (must appear under an
     explicit `[orchestrator_context_unverified]` flag)

Any sentence describing the subject in a way not achievable by fetching a
pointer, and not explicitly flagged as unverified user-directed context,
is orchestrator-injected synthesis — outside permitted categories.

On detection:
  - Do NOT proceed with the task.
  - Respond with a list of violating sentences (verbatim) and the
    category each violates.
  - Request that the orchestrator resubmit the dispatch with violations
    removed or properly flagged.

Only proceed if the dispatch passes this check.

Category 7 is broader than first reading suggests. It covers anything the orchestrator has a legitimate reason to pass that is not a fetchable pointer — not only unverified claims about the subject, but operator control information like urgency, prior failed attempts, scope exclusions, operator hypotheses, and deduplication hints. These are not "contamination" when flagged; they are task constraints the subagent needs to do its work. The point of the flag is the provenance signal, not the content type: the subagent knows what follows is orchestrator-authored and should be treated accordingly.

This is one implementation of the rule, not the rule itself. The specific categories can be adapted to the work you are dispatching. What is load-bearing is the combination: a rule about authorship content plus a subagent-side scan that enforces it.

Who this is for

The rule applies whenever a subagent's output will be trusted downstream without further checking — when its findings become evidence, judgment, or analysis that the pipeline's next stage relies on as-is.

Classes where it applies:

• Verification and audit — subagent checks claims against primary sources
• Adversarial review and critique — subagent stress-tests a proposal
• Research and forage — subagent gathers external knowledge; orchestrator priming biases the gather
• Independent analysis where the orchestrator has seen the material — subagent assessment of tradeoffs, options, or source quality
• Synthesis where primary material is in scope — subagent digests sources; orchestrator pre-digestion is contamination

Classes where it applies less cleanly:

• Triage or prioritization under an operator rubric — the rubric is the task, not contamination
• Code generation with human review downstream — the human review is the provenance boundary
• Execution of pre-analyzed decisions — no independent judgment expected

Counterexamples at the end cover cases where the rule should not be applied literally.

The failure lives at prompt-writing time

The multi-agent literature has many failure-mode taxonomies. The MAST paper (Cemri et al., March 2025) catalogs fourteen failure modes. Building Effective Agents warns that framework abstraction can hide the underlying prompts and responses, making failures harder to debug. Each locates failures at different places in the pipeline: at the subagent's execution, at the handoff interface, at the memory store, at the orchestrator's structural choices.

The failure dispatch hygiene addresses lives somewhere else: at the moment the orchestrator writes the prompt.

To walk through the mechanics. By the point the orchestrator dispatches, it has absorbed the article. When it writes the prompt for the verifier subagent, it faces a choice. It can hand over a pointer — the article's URL — and let the verifier fetch. Or it can help by including, in the dispatch, a short summary of what the article claims and which claims look load-bearing.

The summary feels like good prompt engineering. It isn't. It's the failure mode.

The verifier receives the dispatch. It sees the orchestrator's summary. It treats the summary as reliable upstream context. Any verification step it was supposed to run — fetching the article, cross-checking claims against primary sources, flagging quoted-versus-inferred attributions — now proceeds in a pipeline where half the work is already done, by a party that didn't do the verification.

Nothing in the subagent's instructions tells it the summary is the orchestrator's synthesis, not a fetched primary source. The content arrived without provenance. By the time it reaches the next stage, it is indistinguishable from content the subagent genuinely verified.

The authorship moment — the moment the orchestrator decided to help by summarizing — is where the unverified content entered the pipeline. Every downstream remediation is trying to catch a contamination that the authorship act injected upstream of their scope.

The subagent's first tool call

The fix at the authorship layer has two sides.

On the orchestrator side, the rule is: pass pointers, not content. The seven permitted categories are in the intake-check block above; anything outside them, unflagged, is contamination. Not because the orchestrator is careless — because the orchestrator is helpful, and helpfulness is the failure mechanism.

Rules about what the orchestrator should do are usually necessary and sometimes sufficient. In my case they weren't. The orchestrator is the party least well-positioned to catch its own authorship drift: it believes its summary is accurate, it believes it is saving work, and it has no adversarial pressure to check. I needed the other side of the interface to enforce the rule.

The subagent's first tool call, before any fetch, before any analysis, is a scan of its own dispatch prompt for orchestrator-injected synthesis. On detection, it refuses the task and reports back, enumerating the violations. The orchestrator must then resubmit a clean dispatch.

The scan is a short, literal checklist. Does any sentence in the dispatch describe the subject in a way that the pointers, if fetched, would not independently establish? If yes, the sentence is contamination, and the dispatch fails intake.

This is not an adversarial posture. The orchestrator and subagent are not hostile parties. But the refusal protocol makes the discipline mutual: the orchestrator writes dispatches knowing they will be scanned; the subagent operates with structural assurance that the dispatch it executed was clean. Goodwill is not the enforcement mechanism. Structure is.

Provenance, not efficiency

The orchestrator-injected summary is not just bulk that wastes tokens. It is not just noise that distracts the subagent from its task. It is unverified evidence that has been laundered through a trusted source. In any pipeline that tags content with verification status — that distinguishes primary-source quotes from synthesized analysis — the orchestrator's injected summary is structurally identical to an untagged, unsourced finding. It occupies the position of verified content. It is not verified content.

This framing matters because it determines what happens when the rule is enforced inside a larger evidence discipline. Motivated by efficiency, an efficiency optimization might relax it in a fast-path. Motivated by security, a trusted-boundary assumption might relax it. Motivated by provenance, it hooks directly into whatever quoted-versus-inferred distinction the surrounding methodology already operates under. The rule travels with your existing evidence discipline; it does not ask you to adopt a new one.

It also clarifies why the refusal mechanism is not bureaucratic overhead. The subagent's scan is not a politeness check or a style guard. It is a provenance filter. Content that failed to arrive through a pointer is content that lacks the provenance markers the rest of the pipeline is about to depend on.

Where this sits relative to adjacent work

The pass-pointers mechanic itself is not new. Public writing on multi-agent architecture covers the same mechanic from efficiency and isolation angles:

• Anthropic, "Effective context engineering for AI agents" (September 2025): "agents built with the 'just in time' approach maintain lightweight identifiers (file paths, stored queries, web links, etc.) and use these references to dynamically load data into context at runtime using tools."
• Hamel Husain, "Context Rot" (September 2025): each subagent "operates with its own clean, focused context" and "returns only the most relevant information to the orchestrator, which maintains a concise, filtered history."
• Builder.io, "Subagents: When and How to Use Them" (February 2026): clean handoffs so "research noise doesn't leak into implementation, and implementation details don't bias verification."
• LangGraph, MCP, ProxyStore, and similar frameworks implement variations of the same pattern — the "memory pointer" or pass-by-reference architecture — motivated typically by token cost or subagent isolation.
• Anthropic, "Building Effective Agents" (December 2024): the backdrop argument for simple composable patterns over complex frameworks.

Dispatch hygiene adds two things the existing writing does not combine: a provenance justification for the same mechanic, and — more structurally — a refusal protocol that enforces the rule from the subagent side. Industry writing treats pointers as cost optimization and subagent isolation as hygiene; the refusal-as-architectural-firewall is the part of the discipline that does not yet have a common name.

Adjacent work this piece does not build on directly: Addy Osmani, "The Code Agent Orchestra" (March 2026), maps a human-developer-as-orchestrator shift using a different vocabulary; Shrivu Shankar, "How I Use Every Claude Code Feature" (November 2025), argues against Claude Code's custom subagent feature specifically, endorsing a Master-Clone alternative. Neither addresses the authorship-moment question directly.

The rule itself is framework-agnostic. It applies whether you are orchestrating via LangGraph's state machines, Temporal's durable workflows, Shankar's Master-Clone pattern, or direct calls to the Anthropic or OpenAI SDK. The authorship-moment discipline lives above the framework-versus-SDK debate.

On recent migrations, and adoption

One observation before closing. This failure mode surfaced for me during a recent Claude migration, not because the model caused it, but because my own transition from prompt machining to clear-intent prompting was incomplete. My older style prescribed steps and leaned on interpretive language like "consider" and "where possible," which had the side effect of absorbing orchestrator-injected synthesis as though it were merely more procedure. The cleaner style made my words land more directly, and that exposed contamination that had been there all along. If you are midway through the same authorship transition, you may hit this before you have finished rewriting your orchestrator prompts. The fix is a discipline, not a version bump.

The intake-check block at the top of this piece is what makes the discipline adoptable. How to use it:

1. Paste it into your subagent system prompts.
2. Run your orchestrator normally. On the first run, dispatches will get refused. That is the tool working.
3. Iterate the orchestrator's prompt construction until the refusals stop.

Your orchestrator is probably doing more of the subagents' verification work than you knew. Watching the rule enforce itself from the subagent side is the only reliable way to notice.

When this rule should not be applied literally

The discipline is scoped to pipelines where subagent output is trusted downstream. Three cases where it applies less cleanly:

Interpretation or triage under operator guidance. "Rate these incidents by urgency using this rubric" — the orchestrator's framing is part of the task definition, not contamination. The rubric is authored content, authored on purpose, flagged as operator rule (category 7), not smuggled in as verified fact.

Pipelines with a different provenance boundary. A code-writing subagent whose output will be reviewed by a human does not need to refuse dispatches that include the orchestrator's summary of the feature request — the human review is the provenance boundary, and the orchestrator's synthesis is task definition, not unverified evidence.

Fetched content that cannot itself be trusted. Stale, malicious, or preprocessed upstream content does not map cleanly to the pointers-vs-content distinction. Fetched content is not automatically provenance-bearing. The rule is "what arrived without provenance markers cannot pass as verified"; it is not "what arrived by fetch is always trustworthy."

When the verifier signs off, you know what it actually checked. That is the practical effect.

This discipline is a sharp tool for a specific problem. The broader principle is simpler: know your provenance boundaries, and do not let authorship style erode them by accident.

Pass pointers. Verify content. The interface is mutual.