Structural enforcement of pipeline sequencing across
multi-stage agentic workflows
Any agent could call mode(clear) at any time — zero gate policy, no friction, no log entry. Dropping all tool restrictions was a one-liner.
Nothing prevented an agent in brainstorm from jumping directly to finish. Stage order was advisory at best — effectively ignored in practice.
Execution agents had bash access with no prohibition against git push or merge operations — even in stages where code should only be written, not shipped.
| Where | Gap Found |
|---|---|
| mode(clear) | Zero gate policy — instant, silent, no friction |
| mode(set) | No transition sequencing — any mode reachable from any mode |
| All 5 non-finish modes | No "DO NOT push/merge/PR" instruction in any mode |
| 3 execution agents | Bash access with no prohibition against push/merge |
| execute-plan.md | Internal contradiction: said /mode off but should have said /verify |
| brainstorm.md | mode(clear) listed as a valid escape hatch |
The modes infrastructure was built to control what agents can do inside a mode, but not how they move between modes.
Mode exits were never treated as a transition requiring a gate. They bypassed all policy checks entirely — the same hooks that block unsafe tool calls simply weren't wired to mode(clear).
amplifier-bundle-modes PR #6
allowed_transitions field — restricts reachable modesallow_clear field — locks or permits mode exitmode(clear) — same warn/confirm/auto flow as mode(set)amplifier-bundle-superpowers PR #22
/mode off contradiction in execute-plan.md files. Any bundle can define its own pipeline rules.
When set, _handle_set checks the target mode against the list before applying gate policy. Denied transitions return a structured error showing the valid options.
When absent, any mode transition is permitted (legacy behavior).
When false, _handle_clear returns a denial. The agent stays in-mode. Only the designated exit mode can actually clear.
Gate policy on mode(clear) now mirrors mode(set) — same warn/confirm/auto flow that was already proven for set operations.
| Mode | Can transition to | allow_clear |
|---|---|---|
| brainstorm | write-plan debug | false |
| write-plan | execute-plan brainstorm debug | false |
| execute-plan | verify debug brainstorm write-plan | false |
| debug | verify brainstorm execute-plan | false |
| verify | finish debug execute-plan brainstorm write-plan | false |
| finish | execute-plan brainstorm | true ← only exit |
debug is reachable from every stage — it's the universal lateral escape when something breaks. But agents cannot jump from debug straight to finish.
Only finish has allow_clear: true. Every other mode denies mode(clear). Agents must traverse the pipeline to exit it.
| Scenario | Before | After |
|---|---|---|
Agent calls mode(clear) from brainstorm |
Instantly exits all mode restrictions | Denied — brainstorm has allow_clear: false. Structured error lists valid options. |
| Agent jumps brainstorm → finish | Allowed — no transition enforcement | Denied — finish not in brainstorm's allowed_transitions list |
Execute-plan agent runs git push |
No instruction preventing it | Mode doc now says DO NOT push/merge/PR; scope boundary in agent context |
| Agent hits bug, needs to rethink | Could silently exit to brainstorm or clear | Must route through debug → brainstorm (explicit lateral path) |
| Mode author creates a new pipeline | Pipeline was purely documentary — no enforcement | Two-field declaration gives structural guarantee the pipeline will be followed |
| Existing mode without new fields | — | Zero change — backward-compatible defaults. No migration required. |
Define multi-stage pipelines where agents must follow your intended sequence. Agents stay in the pipeline until they reach the designated exit point.
Create escape-hatch modes (like debug) that are reachable from anywhere, while preventing arbitrary forward jumps that skip critical stages.
Restricted and unrestricted modes coexist freely in the same bundle. Only modes with the fields set are constrained — others remain fully open.
Structured denial messages tell the agent what it can do, not just what it can't. The agent is never left stuck — it always has a valid path forward.
No infrastructure code to write. Two optional YAML fields in your mode frontmatter, and the enforcement infrastructure handles the rest automatically.
The modes infrastructure provides the enforcement mechanism.
The policy lives entirely in the mode .md files.
Data as of: March 4, 2026
Feature status: Active — both PRs merged
Data source: All metrics provided directly by the developer in the feature brief. No independent git research was performed for this deck.
Repositories:
Gaps: Primary author attribution, exact PR merge dates, and lines of code changed were not provided in the brief and are not stated in this deck.
Two optional fields. Zero migration. Any bundle can define its own enforced workflow.
Infrastructure changes in amplifier-bundle-modes PR #6. Field definitions, gate policy wiring, and test coverage.
Superpowers pipeline reference implementation in amplifier-bundle-superpowers PR #22. All 6 modes fully annotated.
Add allowed_transitions to any mode and watch the enforcement kick in — no other code changes needed.