network-ai 5.3.0 → 5.3.2

package/QUICKSTART.md

@@ -18,7 +18,7 @@ npm install
 npx ts-node setup.ts --check
 ```
 
-**Zero external AI dependencies.** All 28 adapters are self-contained — add framework SDKs only when you need them.
+**Zero external AI dependencies.** All 29 adapters are self-contained — add framework SDKs only when you need them.
 
 ---
 
@@ -254,7 +254,7 @@ export class MyFrameworkAdapter extends BaseAdapter {
 ```bash
 npx ts-node test-standalone.ts    # 88 core tests
 npx ts-node test-security.ts      # 34 security tests
-npx ts-node test-adapters.ts      # 218 adapter tests (all 28 frameworks)
+npx ts-node test-adapters.ts      # 218 adapter tests (all 29 frameworks)
  npx ts-node test-cli.ts           # 65 CLI tests
 npx ts-node test-qa.ts             # 67 QA orchestrator tests
 ```
@@ -265,7 +265,7 @@ npx ts-node test-qa.ts             # 67 QA orchestrator tests
 
 ```bash
 npx ts-node setup.ts --check      # Verify installation
-npx ts-node setup.ts --list       # List all 28 adapters
+npx ts-node setup.ts --list       # List all 29 adapters
 npx ts-node setup.ts --example    # Generate example.ts
 ```
 

package/README.md

@@ -5,7 +5,7 @@
 [![Website](https://img.shields.io/badge/website-network--ai.org-4b9df2?style=flat&logo=web&logoColor=white)](https://network-ai.org/)
 [![CI](https://github.com/Jovancoding/Network-AI/actions/workflows/ci.yml/badge.svg)](https://github.com/Jovancoding/Network-AI/actions/workflows/ci.yml)
 [![CodeQL](https://github.com/Jovancoding/Network-AI/actions/workflows/codeql.yml/badge.svg)](https://github.com/Jovancoding/Network-AI/actions/workflows/codeql.yml)
-[![Release](https://img.shields.io/badge/release-v5.3.0-blue.svg)](https://github.com/Jovancoding/Network-AI/releases)
+[![Release](https://img.shields.io/badge/release-v5.3.2-blue.svg)](https://github.com/Jovancoding/Network-AI/releases)
 [![npm](https://img.shields.io/npm/dw/network-ai.svg?label=npm%20downloads)](https://www.npmjs.com/package/network-ai)
 [![Tests](https://img.shields.io/badge/tests-2899%20passing-brightgreen.svg)](#testing)
 [![Adapters](https://img.shields.io/badge/frameworks-29%20supported-blueviolet.svg)](#adapter-system)

package/SKILL.md

@@ -1,13 +1,14 @@
 ---
 name: network-ai
-description: "Local Python orchestration skill: multi-agent workflows via shared blackboard file, permission gating, token budget scripts, and persistent project context. The bundled Python scripts make no network calls and have zero third-party dependencies. Workflow delegations via the host platform's sessions_send may invoke external model APIs."
+description: "Local Python orchestration skill: multi-agent workflows via shared blackboard file, permission gating, token budget scripts, and persistent project context. All bundled scripts run locally with zero network calls and zero third-party dependencies."
 metadata:
   openclaw:
     emoji: "\U0001F41D"
     homepage: https://network-ai.org
     bundle_scope: "Python scripts only (scripts/*.py). All execution is local. Only Python stdlib — no other runtimes, adapters, or CLI tools are included."
-    network_calls: "none — bundled scripts make zero network calls. The host platform's sessions_send (not part of this skill) may invoke external models."
-    sessions_send: "NOT implemented or invoked by this skill. sessions_send is a host-platform built-in. This skill only provides budget guards that run before the platform delegates."
+    network_calls: "none — bundled scripts make zero network calls and spawn no subprocesses."
+    inter_agent_comms: "none — this skill does not implement, invoke, or control inter-agent messaging or sessions_send. All coordination is via local file-based blackboard only."
+    sessions_send: "NOT implemented or invoked by this skill. sessions_send is a host-platform built-in entirely outside this skill's control. See data-flow notice below."
     sessions_ops: "platform-provided — outside this skill's control"
     requires:
       bins:
@@ -31,7 +32,11 @@ metadata:
 
 > **Scope:** The bundled Python scripts (`scripts/*.py`) make **no network calls**, use only the Python standard library, and have **zero third-party dependencies**. Tokens are UUID-based (`grant_{uuid4().hex}`) stored in `data/active_grants.json`. Audit logging is plain JSONL (`data/audit_log.jsonl`).
 
-> **Data-flow notice:** This skill does NOT implement, invoke, or control `sessions_send`. That is a host-platform built-in (OpenClaw runtime). The orchestration instructions below describe *when* to call the platform's `sessions_send` after budget checks pass — but the actual network call, model endpoint, and data transmission are entirely the host platform's responsibility. If you need to prevent external network calls, disable or reroute `sessions_send` in your platform settings before installing this skill.
+> **Advisory tokens notice:** Grant tokens issued by `check_permission.py` are **advisory scoring outputs only** — the caller-supplied `--agent` identity is not cryptographically verified. Downstream systems must not treat these tokens as authenticated credentials without adding a separate identity-verification step or human approval gate, especially for PAYMENTS, DATABASE, and FILE_EXPORT resources.
+
+> **Data-flow notice (host platform — not this skill):** This skill does NOT implement, invoke, or control `sessions_send` or any inter-agent messaging. All bundled Python scripts are local-only tools (budget guard, blackboard, permission scorer, context manager). If your platform has a `sessions_send` built-in, whether and how it is used is entirely the **host platform’s** responsibility and is outside this skill’s scope. If you need to prevent external network calls, disable or reroute delegation in your **platform settings** before installing this skill.
+
+> **Context file integrity:** The `context_manager.py inject` command now validates `data/project-context.json` for injection patterns and oversized fields before printing the context block. Review any warnings printed to stderr before passing the output to an agent system prompt.
 
 > **PII / sensitive-data warning:** The `justification` field in permission requests and the audit log (`data/audit_log.jsonl`) store free-text strings provided by agents. **Do not include PII, secrets, or credentials in justification text.** Consider restricting file permissions on `data/` or running this skill in an isolated workspace.
 
@@ -112,12 +117,12 @@ Sub-Task 3 (RECOMMEND): [strategy_advisor]
   - Output: Recommendations with rationale
 ```
 
-### Budget-Aware Handoff Protocol
+### Budget Check Protocol
 
-**CRITICAL:** Before EVERY `sessions_send`, call the handoff interceptor:
+**Run the budget interceptor before any task delegation:**
 
 ```bash
-# ALWAYS run this BEFORE sessions_send
+# Run this before delegating to any sub-agent
 python {baseDir}/scripts/swarm_guard.py intercept-handoff \
   --task-id "task_001" \
   --from orchestrator \
@@ -128,10 +133,10 @@ python {baseDir}/scripts/swarm_guard.py intercept-handoff \
 **Decision Logic:**
 ```
 IF result.allowed == true:
-    → Proceed with sessions_send
+    → Budget check passed — proceed with the delegated task
     → Note tokens_spent and remaining_budget
 ELSE:
-    → STOP - Do NOT call sessions_send
+    → STOP — budget exceeded or handoff limit reached
     → Report blocked reason to user
     → Consider: reduce scope or abort task
 ```
@@ -268,11 +273,10 @@ python {baseDir}/scripts/swarm_guard.py budget-init \
   --description "Q4 Financial Analysis"
 ```
 
-### 2. Delegate a Task to Another Session
+### 2. Check Budget Before Task Delegation
 
-> **Platform note:** `sessions_list`, `sessions_send`, and `sessions_history` are **OpenClaw host platform built-ins** — they are part of the OpenClaw runtime, not provided or invoked by this skill's Python scripts. This skill only runs local `python scripts/*.py` commands. The guidance below describes how to combine the platform's session tools with this skill's budget guard.
 
-First check budget, then use the OpenClaw platform operation:
+Always run the budget guard before delegating any task:
 
 ```bash
 # 1. Check budget (this skill's Python script)
@@ -280,17 +284,8 @@ python {baseDir}/scripts/swarm_guard.py intercept-handoff \
   --task-id "task_001" --from orchestrator --to data_analyst \
   --message "Analyze Q4 revenue data"
 
-# 2. If allowed, delegate using the OpenClaw platform tool (not this skill):
-#    sessions_list    → see available sessions/agents
-#    sessions_send    → send task to another session
-#    sessions_history → check results from delegated work
-```
-
-**Example delegation prompt:**
-```
-After running swarm_guard.py intercept-handoff and getting result.allowed == true,
-use the OpenClaw sessions_send platform tool to ask the data_analyst session:
-"Analyze Q4 revenue trends from the SAP export data and summarize key insights"
+# 2. If result.allowed == true, proceed with delegation via your platform's built-in tools.
+# If result.allowed == false, stop — budget exceeded or handoff limit reached.
 ```
 
 ### 3. Check Permission Before API Access
@@ -325,7 +320,7 @@ python {baseDir}/scripts/blackboard.py list
 
 ## Agent-to-Agent Handoff Protocol
 
-When delegating tasks between agents/sessions:
+When delegating tasks between agents, always run the budget guard first.
 
 ### Step 1: Initialize Budget & Check Capacity
 ```bash
@@ -338,12 +333,6 @@ python {baseDir}/scripts/swarm_guard.py budget-check --task-id "task_001"
 
 ### Step 2: Identify Target Agent
 
-> **Platform note:** `sessions_list` is an **OpenClaw host platform built-in**, not provided by this skill.
-
-```
-sessions_list  # OpenClaw platform operation — find available agents
-```
-
 Common agent types:
 | Agent | Specialty |
 |-------|-----------|
@@ -352,10 +341,10 @@ Common agent types:
 | `risk_assessor` | Risk analysis, compliance checks |
 | `orchestrator` | Coordination, task decomposition |
 
-### Step 3: Intercept Before Handoff (REQUIRED)
+### Step 3: Run Budget Guard Before Delegation
 
 ```bash
-# This checks budget AND handoff limits before allowing the call
+# Check budget AND handoff limits before delegating
 python {baseDir}/scripts/swarm_guard.py intercept-handoff \
   --task-id "task_001" \
   --from orchestrator \
@@ -364,8 +353,8 @@ python {baseDir}/scripts/swarm_guard.py intercept-handoff \
   --artifact  # Include if expecting output
 ```
 
-**If ALLOWED:** Proceed to Step 4
-**If BLOCKED:** Stop - do not call sessions_send
+**If ALLOWED:** Proceed with delegation via your platform's own tools
+**If BLOCKED:** Stop — budget exceeded or handoff limit reached; do not delegate
 
 ### Step 4: Construct Handoff Message
 
@@ -375,38 +364,25 @@ Include these fields in your delegation:
 - **constraints**: Any limitations or requirements
 - **expectedOutput**: What format/content you need back
 
-### Step 5: Send via OpenClaw Platform Session Tool
+### Step 5: Check Results
 
-> **Platform note:** `sessions_send` is an **OpenClaw host platform built-in** — it is NOT implemented by this skill. This skill only provides the budget guard (`swarm_guard.py`) that must be run first.
+After delegation completes, read results from the blackboard:
 
+```bash
+python {baseDir}/scripts/blackboard.py read "task:001:data_analyst"
 ```
-# OpenClaw platform operation (not this skill):
-sessions_send to data_analyst:
-"[HANDOFF]
-Instruction: Analyze Q4 revenue by product category
-Context: Using SAP export from ./data/q4_export.csv
-Constraints: Focus on top 5 categories only
-Expected Output: JSON summary with category, revenue, growth_pct
-[/HANDOFF]"
-```
-
-### Step 6: Check Results
 
-> **Platform note:** `sessions_history` is an **OpenClaw host platform built-in**, not provided by this skill.
+## Permission Scoring
 
-```
-sessions_history data_analyst  # OpenClaw platform operation — get the response
-```
+> **Tokens are audit scoring outputs only.** Grant tokens from `check_permission.py` are NOT authenticated credentials and must NOT be used as real access control. They are advisory hints based on a local scoring model. Require a separate authenticated identity and explicit human approval before accessing PAYMENTS, DATABASE, or FILE_EXPORT resources.
 
-## Permission Wall
+**Always score permission before accessing:**
+- `DATABASE` — Internal database / data store (abstract label — no external credentials)
+- `PAYMENTS` — Financial/payment data services (abstract label — requires `--confirm-high-risk`)
+- `EMAIL` — Email sending capability (abstract label)
+- `FILE_EXPORT` — Exporting data to local files (abstract label — requires `--confirm-high-risk`)
 
-**CRITICAL**: Always check permissions before accessing:
-- `DATABASE` - Internal database / data store access
-- `PAYMENTS` - Financial/payment data services
-- `EMAIL` - Email sending capability
-- `FILE_EXPORT` - Exporting data to local files
-
-> **Note**: These are abstract local resource type names used by `check_permission.py`. No external API credentials are required or used — all permission evaluation runs locally.
+> **Note**: These are abstract local resource type names used by `check_permission.py`. No external API credentials are required or used — all evaluation runs locally.
 
 ### Permission Evaluation Criteria
 
@@ -502,16 +478,14 @@ Sequential processing - output of one feeds into next.
 
 ### Example Parallel Workflow
 
-> **Platform note:** `sessions_send` and `sessions_history` are **OpenClaw host platform built-ins**, not provided by this skill. This skill provides only the `swarm_guard.py` budget/handoff check that runs before each delegation.
-
 ```
-# For each delegation below, first run:
+# For each delegation below, first run the budget guard:
 #   python {baseDir}/scripts/swarm_guard.py intercept-handoff --task-id "task_001" --from orchestrator --to <agent> --message "<task>"
-# Then, if allowed, use the OpenClaw platform tool:
-1. sessions_send to data_analyst: "Extract key metrics from Q4 data"
-2. sessions_send to risk_assessor: "Identify compliance risks in Q4 data"
-3. sessions_send to strategy_advisor: "Recommend actions based on Q4 trends"
-4. Wait for all responses via sessions_history
+# If result.allowed == true, delegate via your platform's own tools.
+1. Delegate to data_analyst: "Extract key metrics from Q4 data"
+2. Delegate to risk_assessor: "Identify compliance risks in Q4 data"
+3. Delegate to strategy_advisor: "Recommend actions based on Q4 trends"
+4. Wait for all results and read them from the blackboard
 5. Synthesize: Combine metrics + risks + recommendations into executive summary
 ```
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "network-ai",
-  "version": "5.3.0",
+  "version": "5.3.2",
   "description": "AI agent orchestration framework for TypeScript/Node.js - 29 adapters (LangChain, AutoGen, CrewAI, OpenAI Assistants, LlamaIndex, Semantic Kernel, Haystack, DSPy, Agno, MCP, OpenClaw, A2A, Codex, MiniMax, NemoClaw, APS, Copilot, LangGraph, Anthropic Computer Use, OpenAI Agents SDK, Vertex AI, Pydantic AI, Browser Agent, Hermes, Orchestrator, RLM + streaming variants). Built-in CLI, security, swarm intelligence, real-time streaming, and agentic workflow patterns.",
   "homepage": "https://network-ai.org",
   "main": "dist/index.js",

package/scripts/check_permission.py

@@ -41,6 +41,17 @@ GRANT_TOKEN_TTL_MINUTES = 5
 GRANTS_FILE = Path(__file__).parent.parent / "data" / "active_grants.json"
 AUDIT_LOG = Path(__file__).parent.parent / "data" / "audit_log.jsonl"
 
+# ADVISORY TOKENS — IMPORTANT
+# Grant tokens produced by this script are ADVISORY scoring outputs only.
+# They are NOT authenticated credentials. The agent_id supplied via --agent
+# is accepted as-is from the caller and is NOT verified against an identity
+# provider. Downstream systems MUST treat these tokens as hints, not proof
+# of identity, and SHOULD require a separate authenticated session or human
+# approval before honouring access to sensitive resources.
+#
+# For PAYMENTS, DATABASE (write), and FILE_EXPORT the caller must also pass
+# --confirm-high-risk to acknowledge the advisory-only nature of the grant.
+
 # Default trust levels for known agents
 DEFAULT_TRUST_LEVELS = {
     "orchestrator": 0.9,
@@ -49,6 +60,13 @@ DEFAULT_TRUST_LEVELS = {
     "risk_assessor": 0.85,
 }
 
+# Agents whose identity is pre-registered. Any agent_id NOT in this set
+# receives a reduced trust score (0.3) and triggers an advisory warning.
+KNOWN_AGENTS: set[str] = set(DEFAULT_TRUST_LEVELS.keys())
+
+# Resource types that require --confirm-high-risk before a grant is issued
+HIGH_RISK_RESOURCES: set[str] = {"PAYMENTS", "DATABASE"}
+
 # Base risk scores for resource types
 BASE_RISKS = {
     "DATABASE": 0.5,      # Internal database access
@@ -258,48 +276,88 @@ def save_grant(grant: dict[str, Any]) -> None:
     GRANTS_FILE.write_text(json.dumps(grants, indent=2))
 
 
-def evaluate_permission(agent_id: str, resource_type: str, 
-                       justification: str, scope: Optional[str] = None) -> dict[str, Any]:
+def evaluate_permission(
+    agent_id: str,
+    resource_type: str,
+    justification: str,
+    scope: Optional[str] = None,
+    confirm_high_risk: bool = False,
+) -> dict[str, Any]:
     """
     Evaluate a permission request using weighted scoring.
-    
+
+    NOTE: These tokens are ADVISORY ONLY — the caller supplies their own
+    agent_id and it is not authenticated. Downstream systems must not treat
+    the resulting token as proof of identity without additional verification.
+
     Weights:
     - Justification Quality: 40%
     - Agent Trust Level: 30%
     - Risk Assessment: 30%
     """
+    # Warn if agent_id is not in the pre-registered known-agents list
+    unknown_agent = agent_id not in KNOWN_AGENTS
+
     # Log the request
     log_audit("permission_request", {
         "agent_id": agent_id,
         "resource_type": resource_type,
         "justification": justification,
-        "scope": scope
+        "scope": scope,
+        "unknown_agent": unknown_agent,
     })
-    
+
+    # Require explicit acknowledgement for high-risk resources
+    needs_confirmation = (
+        resource_type in HIGH_RISK_RESOURCES
+        or (resource_type == "DATABASE" and scope and re.search(
+            r'\b(write|delete|update|modify|create)\b', scope, re.IGNORECASE
+        ))
+    )
+    if needs_confirmation and not confirm_high_risk:
+        return {
+            "granted": False,
+            "advisory": True,
+            "reason": (
+                f"{resource_type} is a high-risk resource. Re-run with --confirm-high-risk "
+                "to acknowledge that this token is advisory only and does not authenticate "
+                "the supplied agent identity."
+            ),
+            "scores": {"justification": None, "trust": None, "risk": None},
+        }
+
     # 1. Justification Quality (40% weight)
     justification_score = score_justification(justification)
     if justification_score < 0.3:
         return {
             "granted": False,
+            "advisory": True,
             "reason": "Justification is insufficient. Please provide specific task context.",
             "scores": {
                 "justification": justification_score,
                 "trust": None,
-                "risk": None
-            }
+                "risk": None,
+            },
         }
-    
+
     # 2. Agent Trust Level (30% weight)
-    trust_level = DEFAULT_TRUST_LEVELS.get(agent_id, 0.5)
+    # Unknown agents receive a reduced base trust score (0.3) — their identity
+    # has not been pre-registered and cannot be verified by this script.
+    trust_level = DEFAULT_TRUST_LEVELS.get(agent_id, 0.3) if not unknown_agent \
+        else 0.3
     if trust_level < 0.4:
         return {
             "granted": False,
-            "reason": "Agent trust level is below threshold. Escalate to human operator.",
+            "advisory": True,
+            "reason": (
+                "Agent trust level is below threshold. Escalate to human operator."
+                + (" (unrecognized agent_id — identity not pre-registered)" if unknown_agent else "")
+            ),
             "scores": {
                 "justification": justification_score,
                 "trust": trust_level,
-                "risk": None
-            }
+                "risk": None,
+            },
         }
     
     # 3. Risk Assessment (30% weight)
@@ -307,12 +365,13 @@ def evaluate_permission(agent_id: str, resource_type: str,
     if risk_score > 0.8:
         return {
             "granted": False,
+            "advisory": True,
             "reason": "Risk assessment exceeds acceptable threshold. Narrow the requested scope.",
             "scores": {
                 "justification": justification_score,
                 "trust": trust_level,
-                "risk": risk_score
-            }
+                "risk": risk_score,
+            },
         }
     
     # Calculate weighted approval score
@@ -325,13 +384,14 @@ def evaluate_permission(agent_id: str, resource_type: str,
     if weighted_score < 0.5:
         return {
             "granted": False,
+            "advisory": True,
             "reason": f"Combined evaluation score ({weighted_score:.2f}) below threshold (0.5).",
             "scores": {
                 "justification": justification_score,
                 "trust": trust_level,
                 "risk": risk_score,
-                "weighted": weighted_score
-            }
+                "weighted": weighted_score,
+            },
         }
     
     # Generate grant
@@ -346,15 +406,19 @@ def evaluate_permission(agent_id: str, resource_type: str,
         "scope": scope,
         "expires_at": expires_at,
         "restrictions": restrictions,
-        "granted_at": datetime.now(timezone.utc).isoformat()
+        "granted_at": datetime.now(timezone.utc).isoformat(),
+        "advisory": True,           # Always advisory — not an authenticated credential
+        "unknown_agent": unknown_agent,
     }
-    
+
     # Save grant and log
     save_grant(grant)
     log_audit("permission_granted", grant)
-    
+
     return {
         "granted": True,
+        "advisory": True,           # Token is advisory — agent identity was not verified
+        "unknown_agent": unknown_agent,
         "token": token,
         "expires_at": expires_at,
         "restrictions": restrictions,
@@ -362,8 +426,14 @@ def evaluate_permission(agent_id: str, resource_type: str,
             "justification": justification_score,
             "trust": trust_level,
             "risk": risk_score,
-            "weighted": weighted_score
-        }
+            "weighted": weighted_score,
+        },
+        "notice": (
+            "This token was issued based on local scoring only. "
+            "The agent identity supplied via --agent was NOT cryptographically verified. "
+            "Treat this token as advisory and require human approval before granting "
+            "access to sensitive systems."
+        ),
     }
 
 
@@ -649,6 +719,16 @@ Examples:
         action="store_true",
         help="Output result as JSON"
     )
+    parser.add_argument(
+        "--confirm-high-risk",
+        action="store_true",
+        dest="confirm_high_risk",
+        help=(
+            "Required for PAYMENTS and DATABASE resources. Acknowledges that the issued "
+            "token is advisory only and that the caller-supplied agent identity was not "
+            "cryptographically verified."
+        ),
+    )
 
     args = parser.parse_args()
 
@@ -672,17 +752,21 @@ Examples:
         agent_id=args.agent,
         resource_type=args.resource,
         justification=args.justification,
-        scope=args.scope
+        scope=args.scope,
+        confirm_high_risk=getattr(args, "confirm_high_risk", False),
     )
 
     if args.json:
         print(json.dumps(result, indent=2))
     else:
         if result["granted"]:
-            print("GRANTED")
-            print(f"Token: {result['token']}")
-            print(f"Expires: {result['expires_at']}")
+            print("GRANTED  [ADVISORY — agent identity was NOT verified]")
+            print(f"Token:        {result['token']}")
+            print(f"Expires:      {result['expires_at']}")
             print(f"Restrictions: {', '.join(result['restrictions'])}")
+            if result.get("unknown_agent"):
+                print("WARNING: agent_id is not in the pre-registered known-agents list.")
+            print(f"\nNOTICE: {result.get('notice', '')}")
         else:
             print("DENIED")
             print(f"Reason: {result['reason']}")

package/scripts/context_manager.py

@@ -74,6 +74,72 @@ def _now_iso() -> str:
     return datetime.now(timezone.utc).isoformat()
 
 
+def _validate_context(ctx: dict[str, Any]) -> list[str]:
+    """
+    Validate the project context file against the expected schema.
+
+    Returns a list of warning strings (empty = clean).
+    Checks:
+    - Required top-level keys are present
+    - String fields are not excessively long (injection/poisoning guard)
+    - List entries are strings or dicts, not executable-looking content
+    - No obvious prompt-injection patterns in goals, decisions, or banned entries
+    """
+    import re as _re
+    warnings: list[str] = []
+
+    REQUIRED_KEYS = {"project", "goals", "stack", "milestones", "decisions",
+                     "banned_approaches", "updated_at"}
+    missing = REQUIRED_KEYS - set(ctx.keys())
+    if missing:
+        warnings.append(f"Missing keys in context file: {', '.join(sorted(missing))}")
+
+    # Field length caps
+    project = ctx.get("project", {})
+    for field in ("name", "description", "version"):
+        val = project.get(field, "")
+        if isinstance(val, str) and len(val) > 500:
+            warnings.append(f"project.{field} exceeds 500 characters \u2014 consider shortening.")
+
+    # Injection pattern check on free-text list fields
+    INJECTION_RE = _re.compile(
+        r'ignore\s+(previous|above|prior|all)|override\s+(policy|restriction|rule)|'
+        r'system\s*prompt|you\s+are\s+(now|a)|act\s+as\s+(if|a|an)|'
+        r'pretend\s+(to|that|you)|bypass\s+(security|check|restriction)|'
+        r'disregard\s+(policy|rule)|admin\s+(mode|access|override)|'
+        r'\bsudo\b|\bjailbreak\b',
+        _re.IGNORECASE,
+    )
+
+    def _check_text(label: str, text: str) -> None:
+        if INJECTION_RE.search(text):
+            warnings.append(
+                f"Possible injection pattern detected in {label}: {text[:80]!r}"
+            )
+        if len(text) > 2000:
+            warnings.append(f"{label} entry exceeds 2000 characters \u2014 review before injecting.")
+
+    for i, goal in enumerate(ctx.get("goals", [])):
+        if isinstance(goal, str):
+            _check_text(f"goals[{i}]", goal)
+
+    for i, dec in enumerate(ctx.get("decisions", [])):
+        if isinstance(dec, dict):
+            dec_dict = cast(dict[str, object], dec)
+            for fld in ("decision", "rationale"):
+                fld_val = dec_dict.get(fld)
+                if isinstance(fld_val, str):
+                    _check_text(f"decisions[{i}].{fld}", fld_val)
+        elif isinstance(dec, str):
+            _check_text(f"decisions[{i}]", dec)
+
+    for i, banned in enumerate(ctx.get("banned_approaches", [])):
+        if isinstance(banned, str):
+            _check_text(f"banned_approaches[{i}]", banned)
+
+    return warnings
+
+
 def _load() -> dict[str, Any]:
     if not CONTEXT_PATH.exists():
         print(
@@ -127,6 +193,11 @@ def cmd_init(args: argparse.Namespace) -> int:
 
 def cmd_show(args: argparse.Namespace) -> int:  # noqa: ARG001
     ctx = _load()
+    warnings = _validate_context(ctx)
+    if warnings:
+        print("[context_manager] VALIDATION WARNINGS — review before injecting:", file=sys.stderr)
+        for w in warnings:
+            print(f"  ! {w}", file=sys.stderr)
     print(json.dumps(ctx, indent=2))
     return 0
 
@@ -134,6 +205,12 @@ def cmd_show(args: argparse.Namespace) -> int:  # noqa: ARG001
 def cmd_inject(args: argparse.Namespace) -> int:  # noqa: ARG001
     """Print a formatted block suitable for injection into an agent system prompt."""
     ctx = _load()
+    warnings = _validate_context(ctx)
+    if warnings:
+        print("[context_manager] VALIDATION WARNINGS \u2014 context has potential issues:", file=sys.stderr)
+        for w in warnings:
+            print(f"  ! {w}", file=sys.stderr)
+        print("[context_manager] Proceeding with inject, but review warnings above.", file=sys.stderr)
     p = ctx.get("project", {})
 
     lines: list[str] = []