Ship Like a Creator: What MrBeast’s Production Memo Teaches Modern Product Teams

Most product teams still build like they are producing a film, even as the playbook has shifted under their feet. This is why the internal creator-style operating guidance in How-To-Succeed-At-MrBeast-Production.pdf is so useful: it reads less like entertainment advice and more like a blueprint for how modern product teams should ship, learn, and win.

They obsess over scripts, storyboards, governance, and handoffs. They treat launch as the finish line. They measure success with spreadsheets. Then they act surprised when customers do what audiences have always done: they click away.

MrBeast builds like he is shipping software in a hostile environment where attention is the currency and retention is the proof. His internal memo reads like a product operating system, except it is written with the clarity that only comes from having your work judged by the market every single day.

The uncomfortable takeaway is simple. Creators are out-executing traditional product organizations on the skills product orgs claim to own: customer empathy, rapid iteration, ruthless prioritization, metrics, feedback loops, and craft.

And with AI collapsing the cost of prototyping, copy, design, and even code, we are heading into a world where the best teams will look less like “product, engineering, design” and more like a creator studio that ships constantly.

Lesson 1: Stop building “a good product” and start building “the right product for the channel”

MrBeast starts with a statement most product orgs avoid because it is too sharp: “Your goal here is to make the best YOUTUBE videos possible.” Then he clarifies what that is not: “It’s not to make the best produced videos. Not to make the funniest videos. Not to make the best looking videos.”

That is a strategy line. It is also a filter.

Most enterprise teams optimize for internal proxies: architectural purity, roadmap predictability, stakeholder comfort, process compliance. They ship something “good” that is wrong for the market moment and wrong for the customer’s actual workflow.

Creators do not confuse “well-made” with “works,” because the channel punishes them immediately.

Lesson 2: Product teams track lagging indicators. Creators track behavior.

MrBeast reduces performance to a tight set of operational metrics: “The three metrics you guys need to care about is Click Thru Rate (CTR), Average View Duration (AVD), and Average View Percentage (AVP).”

Product teams love to say “outcomes over output,” then run quarterly planning like a treaty negotiation and measure outcomes once the quarter ends. Creators measure outcomes every upload and can see exactly where the experience broke.

He is explicit about why the “packaging” matters: “The title and thumbnail on the videos you will be producing set the expectations for the viewer for your video.” That is not marketing. That is product truth.

If your promise and your experience do not match, users bounce. This is as true for SaaS onboarding as it is for YouTube. YouTube itself teaches creators to focus on CTR and watch time because those signals capture whether the audience is choosing the video and then staying with it. (blog.youtube)

Translate this directly to modern product work:

  • CTR is adoption intent. Does the promise earn the click, the activation, the first step?
  • AVD is time-to-value. Do users get pulled forward or do they bounce in the first minute?
  • AVP is completion and habit. Do they finish the workflow and come back?

If your dashboard can only tell you what happened last quarter, you are playing a different sport than the teams that are winning right now.

Lesson 3: The first minute is onboarding. Treat it like life or death.

MrBeast does not romanticize retention. He points at the drop-off and tells you where to fight: “As with almost every video on Youtube, the first minute has the most loss (go look).”

That one sentence should embarrass most onboarding flows.

Product teams routinely burn their first minute with setup friction, permission prompts, empty states, and tutorials that assume patience. Then they diagnose “activation problems” like it is a funnel issue, when it is usually a story issue.

Creators treat the first minute as the hook. Product teams should treat the first session the same way. You do not earn the right to explain yourself. You earn the right to continue by delivering value fast and matching the user’s expectation instantly.

Lesson 4: Pacing beats requirements

A big portion of traditional product development is paperwork disguised as clarity. Requirements. Acceptance criteria. Traceability. It looks disciplined. It often produces a slow, fragmented experience.

Creators do not build “requirements.” They build pacing.

MrBeast anchors decisions to attention and expectation because attention is measurable. Product teams should anchor decisions to user energy and cognitive load because that is what determines whether users complete a journey.

If your team cannot articulate what the experience feels like in the first minute, the first five minutes, and the first full workflow, you are not building a product. You are assembling features.

Lesson 5: Stop managing work. Manage constraints.

The memo is blunt about bottlenecks. It is not polite. It is operational. He warns that “not knowing and understanding something as simple as bottlenecks has fucked tons of videos.”

This is where many product organizations fail because they confuse “dependency management” with constraint management. They create elaborate status rituals that describe the bottleneck without changing it.

Theory of Constraints has said the same thing for decades: improve the system by improving the constraint. (leanproduction.com)

Creators operationalize this daily because they ship on a cadence. Product teams should do the same because cadence forces honesty. If you cannot ship weekly, you find religion about bottlenecks fast.

Lesson 6: Shared context wins. “Video everything” is not a documentation habit.

MrBeast says: “Video everything I really want us to see producing as a team job, not a solo thing.” Then he makes it executable: “Which is why it’s important you video everything critical (and also anything you think people would ask about).”

Most product teams still behave as if context lives in documents and gets transmitted through meetings. That is fragile. It creates the classic failure mode where everyone leaves the meeting with a different movie in their head.

Creator teams default to “show me.” They create artifacts that can be replayed. In product terms, that means recorded demos, prototypes, user walkthroughs, and decision clips that keep the team aligned without forcing constant meetings.

AI makes this even more obvious. When anyone can create a prototype quickly, the new bottleneck is shared understanding. Recording and replaying context becomes a competitive advantage.

Lesson 7: “Say the negatives” is the missing muscle in roadmap culture

This line should be printed and taped above every roadmap review: “It’s infinitely more valuable to tell us why it’s not good.”

Traditional product cultures reward optimism. They reward agreement. They reward “green status.” Then reality shows up late and expensive.

Creator cultures reward tension in the right place, early. They run the pre-mortem constantly. They surface what will fail before it fails.

If your roadmap conversations do not include disciplined tradeoffs and failure modes, you are not being strategic. You are being polite.

Lesson 8: Critical components and kill criteria

MrBeast defines the concept directly: “Critical components are the things that are essential to your video.” In other words, if this fails, the whole thing fails.

Most product teams do not name critical components early. They keep everything “in progress” until the end, then discover the one missing prerequisite that collapses the release.

Creator teams treat critical components like fragile assets. They track them aggressively, create backups, and escalate early. Product teams should do the same with integration dependencies, data availability, security requirements, migration paths, and the one metric that must move for the release to count.

Lesson 9: Constraints are a design tool. “Creativity saves money.”

MrBeast puts the budget reality in plain language: “Creativity Saves Money I don’t think it comes as a surprise when I say we don’t have unlimited money here.”

This is the opposite of the enterprise reflex to spend money to avoid thinking.

In product, constraints are often what force the better answer. Limited time forces focus. Limited engineering forces reuse. Limited scope forces you to ship the core value and learn faster.

AI multiplies this effect. When execution becomes cheaper, taste and judgment become the differentiators. The team that can use constraints as a creative prompt will beat the team that uses constraints as an excuse.

Lesson 10: Results over hours is not toxic. It is clarity.

MrBeast states the deal without ambiguity: “But at the end of the day you will be judged on results, not hours.” Then he lands the cultural expectation: “We are a results based company.”

A lot of product teams pretend they want this, then reward meeting performance, stakeholder management, and risk avoidance. Creator-style execution forces a different standard: ship, learn, improve, repeat.

The point is not to work people into the ground. The point is to stop hiding behind effort as a substitute for impact.

The real difference between traditional product development and the creator model

Traditional product development is optimized for coordination. Creator production is optimized for feedback.

Traditional teams gate learning behind releases. Creator teams pull learning forward into every cycle.

Traditional teams treat “marketing” as downstream. Creator teams treat expectation-setting as part of the product.

Traditional teams protect feelings. Creator teams protect performance.

If you want the creator advantage without turning your company into a YouTube studio, steal the mechanisms:

  • Instrument the first session like your business depends on it, because it does.
  • Treat promise and experience as a single system.
  • Name the bottleneck, then manage it daily.
  • Default to replayable artifacts, not meeting-based memory.
  • Make “say the negatives” a cultural norm, not a personality trait.
  • Define critical components early, and refuse to gamble on them late.

Your biggest competitor is not another product team. It is the attention economy.

The creator economy is not “content.” It is the most advanced R and D lab for persuasion, iteration, and craft that exists today.

In an AI-shaped world, everyone can be a creator, engineer, designer, and product manager. The winners will be the ones who can turn an idea into an artifact, learn from real behavior, and iterate with speed and taste.

Or, to borrow MrBeast’s tone, they will “make the best” version of what their channel demands, and they will do it relentlessly.

Context Window Compaction in Mastra: How to Keep Agents Sharp as Conversations Grow

Some teams think about long context the wrong way. They treat the context window like a storage upgrade. Bigger model. Bigger window. Bigger bill. Problem solved.

That is not how this works in production.

As conversations get longer, the real challenge is not whether the model can technically accept more tokens. The challenge is whether your application can preserve the right state without drowning the model in stale turns, repeated instructions, and buried facts. Mastra’s own memory model reflects this reality. It separates raw message history from working memory, semantic recall, and observational memory, with observational memory specifically intended to keep context smaller while preserving long-term memory across conversations. (Mastra)

That is context window compaction.

In Mastra, compaction is not a hack layered on top of the framework. It fits naturally into how the framework already wants you to think: keep structured memory for what should persist, use recent messages for local coherence, and use workflows when you want deterministic control over how context gets reduced and refreshed. Mastra also distinguishes clearly between agents and workflows: agents are open-ended and tool-using, while workflows give you explicit control over steps, order, and state transitions. (Mastra)

What context window compaction actually means in Mastra

In practical terms, context window compaction means you stop replaying the entire conversation forever.

Instead, you preserve context in layers:

  • Agent instructions for stable behavior
  • Working memory for durable structured state
  • Observational memory for compressed long-range memory
  • Recent message history for verbatim short-term coherence
  • Semantic recall when relevant past material should be pulled back in on demand

That is a much better production model than “just send the whole transcript again.” It is also aligned with how Mastra describes its own memory primitives. Working memory stores persistent structured information such as user profile, preferences, or goals. Observational memory maintains a dense observation log as raw history grows. Semantic recall retrieves relevant past messages by meaning rather than exact match. (Mastra)

The key idea is simple: not all context deserves to survive in the same form.

A temporary clarification can fade. A user constraint should not. A final decision should be preserved structurally, not buried in assistant prose.

Why naive summarization fails

A lot of teams hear “compaction” and think “summary.” So they replace the first fifty turns with a paragraph and hope for the best.

That usually breaks in quiet ways. The agent starts missing constraints. It forgets what was approved. It retains the tone of the discussion but not the actual commitments. This is exactly why structured memory matters more than generic summarization.

In Mastra terms, you should not rely on message history alone to preserve important state. Use working memory templates to explicitly track what matters. Mastra recommends custom templates so the agent remembers the information most relevant to the use case, rather than depending on an untargeted default. (Mastra)

The pattern that works in Mastra

The cleanest pattern is:

  1. Put durable instructions in the agent definition.
  2. Turn on memory.
  3. Use a custom working memory template to define what should persist.
  4. Let observational memory compress long-range history.
  5. Use a workflow when you want deterministic compaction and promotion of facts into structured state.

This matters because Mastra gives you two different control surfaces. If you want the model to reason flexibly, use an agent with memory. If you want explicit compaction behavior with step-by-step control, use a workflow built with createStep() and createWorkflow(). (Mastra)

A Mastra example in TypeScript

Below is a practical example that shows how to think about compaction in Mastra.

The example has three parts:

  • memory-enabled agent
  • working memory template that preserves durable state
  • workflow that compacts older conversation turns into a structured summary before the next agent run

1) Create a memory-enabled agent

import { Agent } from '@mastra/core/agent';
import { Memory } from '@mastra/memory';
const supportMemory = new Memory({
  options: {
    workingMemory: {
      enabled: true,
      scope: 'thread',
      template: `
# Active Case State
- User goal:
- Current issue:
- Constraints:
- Decisions made:
- Important facts:
- Open questions:
- Next expected action:
      `.trim(),
    },
    observationalMemory: true,
  },
});
export const supportAgent = new Agent({
  id: 'support-agent',
  name: 'Support Agent',
  instructions: `
You are a precise enterprise support agent.
Rules:
- Preserve decisions and constraints exactly.
- Do not restate stale details unless they affect the current issue.
- Prefer the structured memory over vague paraphrasing.
- If there is a conflict between recent messages and memory, call it out explicitly.
  `.trim(),
  model: 'openai/gpt-5.4',
  memory: supportMemory,
});

This is the first important shift. Instead of treating the transcript as the only memory, you tell Mastra what durable state should be maintained in working memory, and you let observational memory help compress the long tail of the conversation. Mastra documents thread-scoped working memory and custom templates for exactly this purpose, and it recommends observational memory as the long-term compression layer. (Mastra)

2) Add a compaction step in a workflow

Mastra workflows are useful when you want explicit control over how compaction happens, rather than leaving everything to the agent loop. Workflows define steps with schemas and controlled data flow. (Mastra)

import { z } from 'zod';
import { createStep, createWorkflow } from '@mastra/core/workflows';
const compactContextStep = createStep({
  id: 'compact-context',
  inputSchema: z.object({
    transcript: z.array(
      z.object({
        role: z.enum(['user', 'assistant', 'tool']),
        content: z.string(),
      })
    ),
  }),
  outputSchema: z.object({
    compactedSummary: z.string(),
    promotedFacts: z.array(z.string()),
    decisions: z.array(z.string()),
    openQuestions: z.array(z.string()),
  }),
  execute: async ({ inputData, mastra }) => {
    const prompt = `
Compact this conversation history for future use.
Rules:
- Preserve decisions, constraints, facts, and unresolved questions.
- Remove repetition, pleasantries, and obsolete turns.
- Be specific.
- Do not invent facts.
Transcript:
${inputData.transcript
  .map(t => `[${t.role}] ${t.content}`)
  .join('\n')}
    `.trim();
    const result = await supportAgent.generate(prompt, {
      output: {
        schema: z.object({
          compactedSummary: z.string(),
          promotedFacts: z.array(z.string()),
          decisions: z.array(z.string()),
          openQuestions: z.array(z.string()),
        }),
      },
    });
    return result.object;
  },
});

The important design choice here is that compaction returns structured outputs, not a blob of prose. That makes it far easier to feed the result into working memory, trace it, test it, and compare compaction quality over time.

3) Run the agent with compacted state

Mastra supports agents inside workflows, and workflows can map previous step output into the prompt that the agent sees. (Mastra)

const replyStep = createStep(supportAgent).map(async ({ inputData }) => {
  return {
    prompt: `
Use this compacted context to answer the user well.
Compacted summary:
${inputData.compactedSummary}
Promoted facts:
${inputData.promotedFacts.map(f => `- ${f}`).join('\n')}
Decisions:
${inputData.decisions.map(d => `- ${d}`).join('\n')}
Open questions:
${inputData.openQuestions.map(q => `- ${q}`).join('\n')}
Now answer the latest user request.
    `.trim(),
  };
});
export const compactingConversationWorkflow = createWorkflow({
  id: 'compacting-conversation',
  inputSchema: z.object({
    transcript: z.array(
      z.object({
        role: z.enum(['user', 'assistant', 'tool']),
        content: z.string(),
      })
    ),
  }),
})
  .then(compactContextStep)
  .then(replyStep)
  .commit();

This is a strong production pattern because the workflow owns the deterministic sequence while the agent handles the reasoning. Mastra explicitly supports this split: workflows for controlled multi-step logic, agents for judgment and generation. (Mastra)

What to watch for

1) Do not compact instructions

Your agent instructions are not chat history. They should remain stable and explicit in the agent definition, not be “remembered” through summary text. Mastra’s Agent class uses instructions as the core system behavior layer, which is a different concern from memory. (Mastra)

2) Do not let summaries replace structure

A paragraph that says “the team generally agreed on an approach” is nearly useless.

A compacted state that says:

  • Decision: use Redis for ephemeral cache
  • Constraint: never include client PII in prompts
  • Open question: whether audit logs need 30 or 90 day retention

Provides actionable structures.

That is exactly why Mastra working memory templates are so useful. They let you define the shape of what should persist instead of hoping the model keeps it straight. (Mastra)

3) Observational memory is powerful, but you still need design discipline

Mastra recommends observational memory because it keeps the context window small while preserving long-term memory, but that does not mean you should stop thinking about what belongs in structured state versus retrievable state. Observational memory helps compress; it does not remove the need for clear memory design. (Mastra)

4) Use workflows for deterministic compaction

If compaction is business-critical, do not leave it entirely implicit.

Use a workflow. Add schemas. Capture outputs. Evaluate whether important facts survived. Mastra workflows are explicitly built for this kind of multi-step, predictable execution. (Mastra)

5) Do not confuse compaction with retrieval

Compaction is about compressing conversational state.

Retrieval is about pulling in relevant external context when needed.

Mastra supports both memory and RAG-style retrieval patterns. You still want semantic recall or external retrieval for large bodies of knowledge that should not live permanently in prompt state. (Mastra)

The practical mental model

Here is the better way to think about it:

Message history is not your product memory model.

In Mastra, your real memory model is a combination of:

  • instructions for stable behavior
  • working memory for durable structured state
  • observational memory for compressed long-range continuity
  • message history for recent turns
  • semantic recall for relevant past material

That is a much stronger architecture than replaying everything and hoping a bigger model window will save you. Mastra’s documentation reflects this layered approach directly. (Mastra)

Summary

Context window compaction is one of the clearest differences between an LLM demo and an LLM system.

A demo keeps appending turns. A system decides what should persist, what should compress, what should be retrieved, and what should be forgotten.

Mastra is useful here because it gives you the pieces in the right shape. Agents handle reasoning. Memory handles persistence. Observational memory helps replace raw history as it grows. Workflows let you make compaction explicit when the stakes are high. (Mastra)

How to Ship Microsoft Agent Framework Skills from a CMS Instead of the File System

Most teams start with Microsoft Agent Framework skills on disk because that is the default mental model the framework encourages today. In .NET, FileAgentSkillsProvider is explicitly documented as an AIContextProvider that discovers skills from filesystem directories and follows a progressive disclosure pattern: advertise the skill, load the full SKILL.md only when needed, then read supporting resources on demand. That is a strong default, but it is still a file-system model, and Microsoft’s current .NET package is also still documented as prerelease. (Microsoft Learn)

That approach works well when skills are developer-owned assets that change with source code. It starts to break down when skills become operational artifacts. The minute you need legal review, policy updates, regional variations, tenant-specific skills, staged rollout, or emergency rollback without waiting for an application deploy, your storage model is no longer a technical detail. It becomes part of your operating model. Ben Bahrenburg’s March 30 article made that case for moving skills into a database. I think the next step for many enterprise teams is even more pragmatic: move skills into a CMS built for managed content operations, and let your C# agent runtime consume that content in a governed way.

I would implement this with Payload CMS as the skill control plane and a custom C# AIContextProvider as the runtime integration layer. Payload gives you structured collections, generated APIs, drafts, versions, access control, hooks, and an admin UI. Microsoft Agent Framework gives you the runtime seam through AIContextProvider and function tools created with AIFunctionFactory.Create. Put those together and you get a clean split: content teams manage skills as governed content, while the .NET application remains the execution boundary. (Payload)

Why a CMS is a better fit than a database for many enterprises

A database solves persistence. A CMS solves management.

That distinction matters. A raw database-backed solution usually forces you to build your own editorial workflow, role-based access patterns, audit history, publishing controls, and release process. Payload already gives you much of that shape. Collections automatically generate Local API, REST API, and GraphQL API endpoints. Drafts are built on top of versions, which means editors can change content without publishing it immediately. Access control can be scoped by operation, role, or document criteria. Hooks let you integrate with outside systems when content changes. (Payload)

From a management perspective, this is the real reason to do it. Skills are increasingly not just prompts. They are encoded operating policy. In a regulated environment, the question is not only “can the agent load the skill?” The question is “who changed it, who approved it, when does it go live, which tenant sees it, and how do we roll it back?” Payload’s drafts, versions, and access control line up much more naturally with that set of questions than a homegrown admin screen over a SQL table. (Payload)

There is also a release-management advantage. File-based skills tie skill rollout to application rollout. A CMS-based model decouples the two. Your engineering team can ship the runtime once, while product operations, risk, or domain experts can release updated skills on their own cadence through a controlled publishing process. That is a much better fit when the logic inside a skill changes more frequently than the code that executes it.

The architecture I recommend

I would keep the same progressive disclosure model Microsoft already documents for file-based skills. Do not dump full skill bodies into the system prompt. Advertise a small set of visible skills, let the agent call load_skill when it needs the full body, and let it call read_skill_resource only when it needs supporting material. That preserves token efficiency and keeps the interaction model aligned with the framework. (Microsoft Learn)

The shift is simply where the content comes from. Payload becomes the source of truth for:

  • skill metadata
  • skill body content
  • supporting resources
  • publish state
  • version history
  • tenant and environment targeting
  • editorial ownership and approval

Your C# layer does three jobs:

  1. Query Payload for the set of skills the current run is allowed to see
  2. Inject that advertisement into the agent through AIContextProvider
  3. Expose load_skill and read_skill_resource as function tools backed by Payload APIs

That model stays true to the framework. AIContextProvider is documented as a lifecycle extension point that can provide additional context and function tools during invocation, and Microsoft documents C# function tools through AIFunctionFactory.Create. (Microsoft Learn)

Modeling skills in Payload

The mistake I would avoid is treating a skill as one giant blob of markdown with no structure. That puts you back in document chaos. Instead, define a first-class collection for skills.

A practical agent-skills collection in Payload should include fields like:

  • name
  • slug
  • description
  • instructionBody
  • tenantScope
  • environmentScope
  • isEnabled
  • effectiveFrom
  • effectiveTo
  • resourceManifest
  • toolPolicy
  • owner
  • riskTier

I would enable versions and drafts on this collection so edits can be staged and published deliberately. That gives you native revision history and draft publishing without inventing a separate release system. (Payload)

A simple Payload collection config might look like this:

import type { CollectionConfig } from 'payload'
export const AgentSkills: CollectionConfig = {
  slug: 'agent-skills',
  admin: {
    useAsTitle: 'name',
  },
  versions: {
    drafts: {
      autosave: true,
    },
  },
  access: {
    read: ({ req: { user } }) => Boolean(user),
    create: ({ req: { user } }) => user?.role === 'skill-admin',
    update: ({ req: { user } }) => user?.role === 'skill-editor' || user?.role === 'skill-admin',
    delete: ({ req: { user } }) => user?.role === 'skill-admin',
  },
  fields: [
    { name: 'name', type: 'text', required: true },
    { name: 'slug', type: 'text', required: true, unique: true },
    { name: 'description', type: 'textarea', required: true },
    { name: 'instructionBody', type: 'code', admin: { language: 'markdown' }, required: true },
    {
      name: 'tenantScope',
      type: 'array',
      fields: [{ name: 'tenantId', type: 'text', required: true }],
    },
    {
      name: 'environmentScope',
      type: 'select',
      options: ['dev', 'test', 'prod'],
      hasMany: true,
      required: true,
    },
    { name: 'isEnabled', type: 'checkbox', defaultValue: true },
    { name: 'effectiveFrom', type: 'date' },
    { name: 'effectiveTo', type: 'date' },
    {
      name: 'resources',
      type: 'array',
      fields: [
        { name: 'name', type: 'text', required: true },
        { name: 'body', type: 'textarea', required: true },
        { name: 'contentType', type: 'text' },
      ],
    },
    {
      name: 'riskTier',
      type: 'select',
      options: ['low', 'medium', 'high'],
      required: true,
    },
  ],
}

That schema is code-defined, which is important. You still want developers to control the shape of skills. What you are delegating is the management of skill content, not the integrity of the platform.

The C# side: consume Payload through a repository

Payload collections automatically expose APIs, so your .NET runtime does not need direct database access. It can consume Payload through REST or GraphQL. In most enterprise environments I would choose REST for simplicity and cacheability, and I would keep the C# code behind a repository interface so the runtime does not care whether the backing system is Payload today or something else later. (Payload)

public sealed record AdvertisedSkill(
    string Name,
    string Description,
    string Slug,
    string Version);
public sealed record SkillDocument(
    string Name,
    string Slug,
    string Description,
    string InstructionBody,
    string Version,
    bool IsEnabled,
    DateTimeOffset? EffectiveFrom,
    DateTimeOffset? EffectiveTo,
    IReadOnlyList<SkillResource> Resources);
public sealed record SkillResource(
    string Name,
    string Body,
    string ContentType);
public interface ISkillRepository
{
    Task<IReadOnlyList<AdvertisedSkill>> ListAdvertisedSkillsAsync(
        string tenantId,
        string environment,
        CancellationToken ct);
    Task<SkillDocument?> GetSkillAsync(
        string slug,
        string tenantId,
        string environment,
        CancellationToken ct);
    Task<SkillResource?> GetSkillResourceAsync(
        string slug,
        string resourceName,
        string tenantId,
        string environment,
        CancellationToken ct);
}

And a Payload-backed implementation:

public sealed class PayloadSkillRepository : ISkillRepository
{
    private readonly HttpClient _httpClient;
    public PayloadSkillRepository(HttpClient httpClient)
    {
        _httpClient = httpClient;
    }
    public async Task<IReadOnlyList<AdvertisedSkill>> ListAdvertisedSkillsAsync(
        string tenantId,
        string environment,
        CancellationToken ct)
    {
        var url =
            $"/api/agent-skills" +
            $"?where[isEnabled][equals]=true" +
            $"&where[environmentScope][in]={environment}" +
            $"&depth=0&limit=100";
        using var response = await _httpClient.GetAsync(url, ct);
        response.EnsureSuccessStatusCode();
        var payload = await response.Content.ReadFromJsonAsync<PayloadListResponse>(cancellationToken: ct);
        return payload?.Docs
            .Where(d => IsVisibleToTenant(d, tenantId))
            .Select(d => new AdvertisedSkill(d.Name, d.Description, d.Slug, d.UpdatedAt))
            .ToList() ?? [];
    }
    public async Task<SkillDocument?> GetSkillAsync(
        string slug,
        string tenantId,
        string environment,
        CancellationToken ct)
    {
        var url =
            $"/api/agent-skills" +
            $"?where[slug][equals]={Uri.EscapeDataString(slug)}" +
            $"&where[isEnabled][equals]=true" +
            $"&where[environmentScope][in]={environment}" +
            $"&draft=false&depth=1&limit=1";
        using var response = await _httpClient.GetAsync(url, ct);
        response.EnsureSuccessStatusCode();
        var payload = await response.Content.ReadFromJsonAsync<PayloadListResponse>(cancellationToken: ct);
        var doc = payload?.Docs.FirstOrDefault();
        if (doc is null || !IsVisibleToTenant(doc, tenantId))
            return null;
        return new SkillDocument(
            doc.Name,
            doc.Slug,
            doc.Description,
            doc.InstructionBody,
            doc.UpdatedAt,
            doc.IsEnabled,
            doc.EffectiveFrom,
            doc.EffectiveTo,
            doc.Resources.Select(r => new SkillResource(r.Name, r.Body, r.ContentType)).ToList());
    }
    public async Task<SkillResource?> GetSkillResourceAsync(
        string slug,
        string resourceName,
        string tenantId,
        string environment,
        CancellationToken ct)
    {
        var skill = await GetSkillAsync(slug, tenantId, environment, ct);
        return skill?.Resources.FirstOrDefault(r =>
            string.Equals(r.Name, resourceName, StringComparison.OrdinalIgnoreCase));
    }
    private static bool IsVisibleToTenant(PayloadSkillDoc doc, string tenantId)
        => doc.TenantScope.Count == 0 || doc.TenantScope.Any(t => t.TenantId == tenantId);
}

Wiring it into Microsoft Agent Framework

The runtime pattern is the same as the file-based provider. The difference is that your context comes from Payload at invocation time instead of from disk. Microsoft documents AIContextProvider as participating in the invocation lifecycle, and function tools can be added using AIFunctionFactory.Create. (Microsoft Learn)

using System.ComponentModel;
using Microsoft.Agents.AI;
using Microsoft.Extensions.AI;
public sealed class PayloadSkillsProvider : AIContextProvider
{
    private readonly ISkillRepository _repository;
    private readonly string _environment;
    public PayloadSkillsProvider(ISkillRepository repository, string environment)
        : base(null, null)
    {
        _repository = repository;
        _environment = environment;
    }
    protected override async ValueTask<AIContext> ProvideAIContextAsync(
        InvokingContext context,
        CancellationToken cancellationToken = default)
    {
        var tenantId = ResolveTenant(context);
        var skills = await _repository.ListAdvertisedSkillsAsync(
            tenantId,
            _environment,
            cancellationToken);
        var advertised = string.Join("\n", skills.Select(s => $"""
<skill>
  <name>{s.Slug}</name>
  <description>{s.Description}</description>
</skill>
"""));
        return new AIContext
        {
            Instructions = $"""
You have access to the following skills:
{advertised}
When a task clearly matches one of these skills, call load_skill with the exact skill slug.
Only call read_skill_resource when additional reference material is needed.
""",
            Tools =
            [
                AIFunctionFactory.Create(LoadSkillAsync),
                AIFunctionFactory.Create(ReadSkillResourceAsync)
            ]
        };
    }
    [Description("Load the full instructions for a skill.")]
    public async Task<string> LoadSkillAsync(
        [Description("Exact skill slug")] string skillSlug,
        CancellationToken cancellationToken = default)
    {
        var tenantId = TenantContext.CurrentTenantId;
        var skill = await _repository.GetSkillAsync(skillSlug, tenantId, _environment, cancellationToken);
        return skill?.InstructionBody ?? $"Skill '{skillSlug}' was not found.";
    }
    [Description("Read a named resource for a skill.")]
    public async Task<string> ReadSkillResourceAsync(
        [Description("Exact skill slug")] string skillSlug,
        [Description("Resource name")] string resourceName,
        CancellationToken cancellationToken = default)
    {
        var tenantId = TenantContext.CurrentTenantId;
        var resource = await _repository.GetSkillResourceAsync(
            skillSlug,
            resourceName,
            tenantId,
            _environment,
            cancellationToken);
        return resource?.Body ?? $"Resource '{resourceName}' was not found for skill '{skillSlug}'.";
    }
    private static string ResolveTenant(InvokingContext context)
        => TenantContext.CurrentTenantId;
}

And then:

AIAgent agent = chatClient.AsAIAgent(new ChatClientAgentOptions
{
    Name = "OperationsAgent",
    ChatOptions = new()
    {
        Instructions = "You are a controlled enterprise assistant."
    },
    AIContextProviders =
    [
        new PayloadSkillsProvider(skillRepository, environment: "prod")
    ]
});

Release management is where this architecture really pays off

This is the part engineering teams often undersell. Payload drafts let you separate authoring from publishing. Versions give you history. Access control lets you separate editors from approvers. Hooks let you notify downstream systems when a skill changes. Live Preview and autosave can even be used to give a controlled editorial experience when you want reviewers to see how a skill reads before it is published. (Payload)

That means your release flow can look like this:

  1. A domain expert edits a skill as a draft
  2. A risk or operations lead reviews the draft
  3. The draft is published to a target environment
  4. A Payload hook notifies the .NET runtime to clear cache or refresh a snapshot
  5. New agent runs see the updated skill without redeploying the application

That is dramatically better than “open a pull request to change markdown in the repo” when the real owners of the content are not developers.

The risks to plan for

The first risk is governance drift. Because it becomes easier to edit skills, it also becomes easier to introduce bad instructions. That means you need stronger approval discipline, not weaker discipline. Payload access control should be used to separate who can author from who can publish. (Payload)

The second risk is runtime inconsistency. If you advertise one version of a skill and load another because content changed mid-run, the agent can operate against a moving target. My recommendation is to include a version or updated timestamp in the advertised metadata and pin the chosen version in session state for the rest of the run or session.

The third risk is unsafe action execution. If a skill can lead to external side effects, do not rely on content governance alone. Microsoft documents human-in-the-loop approval for function tools, and that should be used for high-risk actions such as sending emails, updating records, or triggering downstream workflows. (Microsoft Learn)

My recommendation as a technical architect

Use the file system when skills are developer assets. Use a CMS when skills are managed business instructions. That is the decision line.

If your organization wants product managers, policy owners, legal reviewers, or operations leaders to participate in the lifecycle of skills, then skills are no longer just files. They are governed content. Payload gives you the management plane. Microsoft Agent Framework gives you the execution seam. C# remains the runtime backbone that enforces visibility, tooling, session behavior, and safety.

That is the architecture I would put into production.

How to Read Microsoft Agent Framework Skills from a Database Instead of the File System

Most teams start with file-based skills because that is the built-in model in Microsoft Agent Framework today. In .NET, the built-in FileAgentSkillsProvider discovers SKILL.md files from directories, advertises skill names and descriptions in the prompt, returns the full skill body through load_skill, and reads supporting files through read_skill_resource. That model is clean, portable, and easy to reason about. It is also fundamentally file-system oriented. (Microsoft Learn)

That becomes a constraint as soon as skills stop behaving like static project assets. The moment you want tenant-specific skills, runtime enablement, admin editing, approval workflows, audit trails, or controlled rollouts, a database-backed model starts to make more sense. Microsoft’s own recent Python update calls this out directly: not every skill fits a directory on disk, and one of the explicit motivations for code-defined skills is that sometimes the skill content comes from a database. (Microsoft for Developers)

The good news is that you do not need to fight the framework to do this. The right move is not to bend the file provider into something it is not. The right move is to build your own AIContextProvider in .NET that reads skill metadata and content from your database, then exposes the same progressive-disclosure pattern the file provider already uses. Microsoft documents AIContextProvider as the extension point for adding instructions, messages, and tools before each run, and for processing results after the run. (Microsoft Learn)

Why move skills into a database

A database-backed skill model is usually the right choice when skills are operational content rather than developer-owned files. If your operations team needs to update a policy skill without waiting for a code deploy, or if one client should see a different version of a skill than another client, the database becomes the control plane. You also gain versioning, effective dates, staged rollout, audit history, and the ability to disable a bad skill without rebuilding the app. Those are not nice-to-haves in enterprise systems. They are the operating model.

There is also a prompt-efficiency benefit. Agent Framework’s skill design already assumes a progressive-disclosure model: advertise a compact description first, load the full skill only when relevant, then load resources only if needed. That keeps the context window lean while still giving the model access to deeper domain knowledge on demand. A database-backed provider should preserve that exact pattern rather than dumping every skill into the system prompt on every turn. (GitHub)

How Microsoft Agent Framework is structured today

The built-in file provider is useful because it shows the contract you want to preserve. Microsoft documents the current .NET provider as an AIContextProvider that implements three steps: advertise skill names and descriptions, return the full SKILL.md body through load_skill, and read supporting resources on demand. The same docs note that the current .NET package is still at v1.0.0-rc2 and that some details are prerelease, so this is an area to watch as the framework matures. (Microsoft Learn)

For custom behavior, Microsoft documents AIContextProvider as running around each invocation. The provider can contribute instructions, messages, and tools before execution, and can process results afterward. The simplest path is to override ProvideAIContextAsync and StoreAIContextAsync. If you need finer control over how messages and tools are merged, you can override InvokingCoreAsync and InvokedCoreAsync. (Microsoft Learn)

That matters because it gives you the exact hook you need. Your database-backed provider can query the skills table during ProvideAIContextAsync, advertise only the skills relevant to the current tenant or user, and attach function tools for load_skill and read_skill_resource. Microsoft documents function tools in .NET through AIFunctionFactory.Create, which turns ordinary C# methods into agent-callable tools. (Microsoft Learn)

The design I recommend

Do not store raw skill markdown in the system prompt. Store metadata separately from content, and let the agent ask for the full skill only when it needs it. That keeps the token footprint low and gives you a natural place to apply authorization and versioning.

A practical schema looks like this:

  • AgentSkillsSkillIdNameDescriptionInstructionBodyVersionTenantIdIsEnabledEffectiveFromUtcEffectiveToUtc
  • AgentSkillResourcesResourceIdSkillIdResourceNameContentTypeBodyVersion
  • AgentSkillRevisions: immutable audit history for each change
  • AgentSkillRollouts: optional staged rollout targeting by tenant, environment, or percentage

The key is to separate what the model sees first from what the model can load later. Your advertisement layer should stay small and descriptive. Your content layer can be detailed and versioned.

How to implement it in .NET

Here is the shape of a custom provider. It reads visible skills from the database at invocation time, injects a short instruction block listing those skills, and exposes tools that fetch the full skill body and any named resources.

using System.ComponentModel;
using Microsoft.Agents.AI;
using Microsoft.Extensions.AI;
public sealed class DatabaseSkillsProvider : AIContextProvider
{
    private readonly ISkillRepository _repo;
    public DatabaseSkillsProvider(ISkillRepository repo) : base(null, null)
    {
        _repo = repo;
    }
    protected override async ValueTask<AIContext> ProvideAIContextAsync(
        InvokingContext context,
        CancellationToken cancellationToken = default)
    {
        var tenantId = ResolveTenant(context);
        var skills = await _repo.ListAdvertisedSkillsAsync(tenantId, cancellationToken);
        var advertised = string.Join("\n", skills.Select(s => $"""
        <skill>
          <name>{s.Name}</name>
          <description>{s.Description}</description>
        </skill>
        """));
        return new AIContext
        {
            Instructions = $"""
            You have access to the following skills:
            {advertised}
            When a task matches a skill, call load_skill with the exact skill name.
            Call read_skill_resource only when you need an additional file or reference.
            """,
            Tools =
            [
                AIFunctionFactory.Create(LoadSkillAsync),
                AIFunctionFactory.Create(ReadSkillResourceAsync)
            ]
        };
    }
    [Description("Load the full instructions for a skill.")]
    public async Task<string> LoadSkillAsync(
        [Description("Exact skill name")] string skillName,
        CancellationToken cancellationToken = default)
    {
        var skill = await _repo.GetCurrentSkillAsync(skillName, cancellationToken);
        return skill?.InstructionBody ?? $"Skill '{skillName}' was not found.";
    }
    [Description("Read a named resource for a skill.")]
    public async Task<string> ReadSkillResourceAsync(
        [Description("Exact skill name")] string skillName,
        [Description("Resource name")] string resourceName,
        CancellationToken cancellationToken = default)
    {
        var resource = await _repo.GetCurrentResourceAsync(skillName, resourceName, cancellationToken);
        return resource?.Body ?? $"Resource '{resourceName}' was not found for skill '{skillName}'.";
    }
    private static string ResolveTenant(InvokingContext context) => "default";
}

And you wire it into the agent exactly the same way you would wire in any other context provider:

AIAgent agent = chatClient.AsAIAgent(new ChatClientAgentOptions
{
    Name = "SkillsAgent",
    ChatOptions = new()
    {
        Instructions = "You are a helpful assistant."
    },
    AIContextProviders =
    [
        new DatabaseSkillsProvider(skillRepository)
    ]
});

This design stays aligned with the framework instead of inventing a parallel mechanism. The agent still sees skills as advertised capabilities, still calls tools to load them, and still keeps the context window lean. That is important because it lets you move storage without changing the agent’s interaction model. The framework’s documented file-based provider uses exactly that progressive-disclosure shape, and .NET function tools are intended to be added in precisely this way. (Microsoft Learn)

The part people miss: update visibility

This is where a database-backed design gets subtle.

Microsoft documents that AIContextProvider is invoked at the start of each run to provide additional context. That means if your provider queries the database inside ProvideAIContextAsync, any metadata changes you made before that run can be reflected on that run. Likewise, if your load_skill and read_skill_resource tools read the database directly and you do not add your own cache, the content fetched by those tools can reflect the latest committed version at the moment the tool is called. That is the cleanest and most predictable model. (Microsoft Learn)

In practical terms, that means:

  • A changed skill description becomes available on the next agent invocation, because skill advertisement happens before each run.
  • A changed skill body becomes available the next time the agent calls load_skill.
  • A changed resource becomes available the next time the agent calls read_skill_resource.

That timing is an implementation consequence of the documented lifecycle, not a special built-in database feature. If you introduce caches, precomputed prompt fragments, or session-persisted skill snapshots, you change those semantics.

This is where many teams get burned. Microsoft also documents that the same AIContextProvider instance is shared across sessions, and that session-specific state should live in AgentSession, not in provider instance fields. It also warns that sessions are agent- and provider-specific, and reusing a session with a different agent configuration or provider can lead to invalid context. The implication is important: if your session history or session state still contains older skill content, that old content can continue influencing the model even after the database row has changed. (Microsoft Learn)

So the right answer to “when is an updated skill accessible?” is:

Immediately for new reads, unless you cache. Potentially not immediately for ongoing sessions, if older skill content is still present in history or session state.

That is why production systems should version skills explicitly and decide what happens to in-flight sessions when a skill changes.

The update model I recommend

Treat skill changes like configuration deployment, not like editing a note in a CMS.

The safest pattern is this:

  1. Write a new immutable revision instead of updating the current row in place.
  2. Mark that revision with an effective timestamp or rollout flag.
  3. Keep a pointer to the “current” revision for new runs.
  4. Decide whether existing sessions should continue on the old revision or be upgraded.
  5. Include the revision identifier in any tool result so you can audit what the agent actually used.

If the change is minor, such as fixing wording or adding an example, letting new runs pick up the newest revision is usually fine. If the change is breaking, such as changing policy logic or action constraints, create a new skill version and either start a new session or mark the old session as bound to the earlier version.

A practical repository pattern looks like this:

public interface ISkillRepository
{
    Task<IReadOnlyList<AdvertisedSkill>> ListAdvertisedSkillsAsync(
        string tenantId,
        CancellationToken ct);
    Task<SkillRevision?> GetCurrentSkillAsync(
        string skillName,
        CancellationToken ct);
    Task<SkillResourceRevision?> GetCurrentResourceAsync(
        string skillName,
        string resourceName,
        CancellationToken ct);
    Task<SkillRevision?> GetSkillRevisionAsync(
        string skillName,
        string version,
        CancellationToken ct);
}

If you want deterministic behavior within a session, store the selected skill version in AgentSession the first time the skill is loaded, then keep serving that version for the life of the session. Microsoft’s session-state guidance exists exactly for this sort of per-session binding. (Microsoft Learn)

The risks you should plan for

The first risk is unauthorized skill exposure. In a file-based model, your boundary is usually the deployment package. In a database-backed model, the risk surface grows because your provider is now responsible for deciding what skills the model even knows exist. Filter before advertisement, not only at load time. If the model should not know a skill exists, do not list it in the injected instructions. The built-in provider’s security guidance is blunt: only use skills from trusted sources. (Microsoft Learn)

The second risk is stale or inconsistent behavior during rollout. If the advertisement query sees version 5 but load_skill reads version 6 because a deployment happened between those two steps, the model can end up operating against a moving target. You can solve this by advertising skill name plus version, or by issuing a per-run snapshot token and having load_skill resolve against that snapshot.

The third risk is prompt injection and unsafe actions. A database makes it easier to edit skill content, which also makes it easier to introduce bad instructions. Review and governance matter more, not less. In Python, Microsoft now supports skill scripts and explicitly recommends sandboxing, approvals for sensitive operations, and audit logging. In .NET, script execution for skills is not yet supported, but the approval pattern for function tools is already documented. If a skill can trigger a side effect such as sending an email, changing a record, or calling an external API, wrap the tool with approval before execution. (Microsoft for Developers)

The fourth risk is operational ambiguity. When an answer goes wrong, you need to know which skill revision, which resource revision, and which tool outputs were used. Without that, debugging becomes guesswork. The moment skills become runtime data, observability becomes part of the design, not an afterthought.

What I would do in production

I would use the database for skill metadata, instruction bodies, revisions, rollout rules, and audit history. I would keep the runtime contract identical to the built-in provider: advertise, load, then read resources. I would make new runs read fresh data by default, but bind a skill version inside the session once a skill is first loaded if consistency matters more than instant propagation.

I would also add four operational controls:

  • approval workflow for publishing a skill revision
  • explicit effective_from support
  • immutable audit trail of every revision
  • runtime logs that record skill name, revision, and resource revisions used per run

That gives you the flexibility of a database without turning skill behavior into a moving target.

Finally

Reading skills from a database is not a workaround. It is the right architecture when skills become operational assets instead of code assets. Microsoft Agent Framework already gives you the extension point to do it cleanly through AIContextProvider, and the built-in file provider gives you the pattern to preserve. The real engineering work is not the database query. The real work is deciding your update semantics, your versioning model, and your control plane. (Microsoft Learn)

If you get those right, database-backed skills become a major advantage. If you do not, you end up with invisible prompt drift and sessions that behave differently for reasons nobody can explain.

Task Context vs Shared Context: The Mental Model That Makes AI Product Teams Actually Scale

AI did not introduce the need for context. It exposed how little of it most teams have.

Right now, “context engineering” is having its moment. People talk about RAG, long context windows, tool calling, and standards like the Model Context Protocol. (Model Context Protocol) Those are real advances. But they skip the harder question that determines whether any of it works: what does good context look like in the first place, for humans and for AI?

If you want a clear lens, steal this one: task context versus shared context. Luca Rossi frames it crisply in his Refactoring essay, and it maps cleanly to how high-performing teams have always operated. (Refactoring.fm)

The contractor test

A simple test: imagine the engineer building your next feature is not on your team. They are a contractor you just onboarded, someone smart and capable, but unfamiliar with your norms. That is not a hypothetical anymore. It is increasingly what an AI agent is.

If you hand them a ticket with “Build onboarding flow v2,” plus a Figma link and a couple requirements, they can produce something. But will it be something you can ship?

They will immediately need answers to questions you probably do not write down:

Do you require tests? Which kinds? What is your definition of “done”? How do you instrument features? Do you have naming conventions? Are feature flags mandatory? How do you handle error states? What is acceptable latency? Which security checks are non-negotiable?

This is where the split matters.

Task context is the “what”

Task context is the job-specific payload. The feature spec. The user story. The acceptance criteria. The UI designs. The edge cases. The constraints that are true this time.

Task context changes constantly. It is supposed to. It is the volatile layer. If you are building a pricing experiment this week and an identity integration next week, task context should look completely different.

When people complain that AI “needs more context,” they often mean task context. That is valid, up to a point. But if you keep stuffing more into the prompt, you are treating the symptom.

Shared context is the “how”

Shared context is everything your team should not have to restate.

It is your working agreements and operating standards. It is the invisible scaffolding that lets an engineer succeed without a manager hovering. It is also the difference between “a prototype that passes a demo” and “a change that fits the system.”

In strong orgs, shared context lives in artifacts you can point to: engineering handbooks, golden paths, paved roads, templates, code review standards, test strategy, observability norms, security posture.

Google’s public engineering practices around code review are a good example of shared context expressed as a standard. The point is not perfection. The point is that code health improves over time because reviewers share an explicit bar. (Google GitHub) Microsoft’s Engineering Fundamentals Playbook is another example, a broad, explicit catalog of how teams work across delivery, quality, and collaboration. (Microsoft GitHub)

AI makes the absence of shared context painful, because AI will happily generate plausible output that violates your unwritten rules.

The north star: shrink the “what,” grow the “how”

Here is the counterintuitive strategy that actually scales: continuously shrink task context and grow shared context.(Refactoring.fm)

Shrinking task context does not mean writing vague tickets. It means you stop using tickets to carry institutional memory. You stop writing “make sure you add feature flags” or “remember to add metrics” or “please follow naming conventions” in every single prompt, PR, or story. Those are not task instructions. They are operating norms.

If you have to remind people to “write tests,” you do not have a testing practice. You have a testing suggestion.

And here is the uncomfortable truth: if you have to remind your AI agent to write tests every time, you do not have AI context engineering. You have prompt heroics.

GitHub’s own Copilot guidance implicitly points in this direction. Copilot is useful for generating tests and repetitive code, but the team still has to be in charge of standards and review. (GitHub Docs) Scaling AI safely is less about better clever prompts, and more about making the “how” unmissable.

The new industry signal: shared context is becoming machine-readable

The most important shift of the last year is not that models got bigger. It is that teams are starting to package shared context in a way agents can reliably consume.

AGENTS.md is an emerging open format that is effectively a README for coding agents. It exists for one reason: projects need a predictable place to put “how we work here.” (Agents) OpenAI’s Codex documentation goes further and describes how these instruction files can be layered from global guidance to repo guidance to directory-specific overrides. (OpenAI Developers) This is not a small UX detail. This is the shape of the next generation engineering handbook, one that can be applied automatically at the point of code generation.

On the “tools and data” side, MCP is doing something similar for external context: standardizing how AI apps connect to data sources and tools, so the agent can fetch the right facts instead of hallucinating. (Model Context Protocol)

Put those two together and you get a clean architecture:

Task context answers what you are building right now.
Shared context encodes how you build anything here.
Tool context provides the live facts and actions needed to execute.

Most teams are over-invested in the first and under-invested in the second.

When to use task context, and when it becomes a trap

Use task context aggressively when the work is ambiguous, novel, or decision-heavy. If the work requires tradeoffs, you want the tradeoffs visible. If the work impacts customers, you want explicit success metrics and failure modes. If there are non-obvious constraints, you want them written.

But task context becomes a trap when it is used to compensate for missing standards. If your tickets keep carrying the same reminders, your system is telling you something: the “how” is not shared.

There is also a failure mode that looks like maturity but is not: bloated specs that try to precompute every decision. Humans ignore them. Agents drown in them. A task spec should be a crisp description of intent and constraints, not an attempt to smuggle an entire engineering culture into a single document.

When to use shared context, and why most teams underfund it

Shared context should cover the recurring decisions that cause rework. Every time you see a repeat failure, that is a shared-context gap trying to get your attention.

In practice, shared context should make these things boring:

Testing expectations and commands, including what “good” looks like for unit, integration, and end-to-end coverage.
Observability norms, including logs, metrics, traces, and what gets instrumented by default.
Release discipline, including feature flags, rollout strategy, and how you handle canaries.
Code review standards, including what reviewers must enforce and what they should let slide. (Google GitHub)
Security defaults, including how secrets are handled, how dependencies are introduced, and what checks must pass.

If that sounds like a lot, good. High-performing orgs make this explicit because it reduces cognitive load. It also makes onboarding faster, whether the newcomer is a human engineer or an agent.

How to combine them without creating a mess

The clean combination pattern is simple: task context should point to shared context, not repeat it.

In human terms: “Build the new onboarding flow. Follow our standard release checklist and instrumentation guide.”

In agent terms: your Codex or agent instruction chain carries the shared context, while the prompt carries only what is unique to this task. That is exactly the layering model described for AGENTS.md style guidance. (OpenAI Developers)

This is where teams get leverage. Once shared context is dependable, task prompts can get shorter without quality collapsing. You are not lowering the bar. You are embedding it.

When to avoid both

There are two moments to deliberately avoid context.

The first is exploration. If you are brainstorming product directions, do not force shared delivery standards into the conversation. You want divergent thinking.

The second is when you are trying to diagnose a failure and you do not yet know if it is a task problem or a shared problem. If you immediately patch the output, you will miss the chance to fix the input that caused it.

This is the move most teams fail to make: treat failures as context bugs, not human bugs.

The feedback loop is the real context engine

Rossi’s point that resonates most is that good context engineering is a feedback loop. When something turns out wrong, the question is rarely “why was the output bad?” The real question is “what input allowed this to happen?” (Refactoring.fm)

In mature orgs, that loop looks a lot like incident response, but applied to product delivery:

If a PR shipped without adequate tests, you can fix the PR. But you should also update the shared checklist and the agent guidance, so it does not happen again.
If a feature launched without metrics, you can patch instrumentation. But you should also fix the default template, the definition of done, and the shared playbook.
If AI-generated code repeatedly violates conventions, you can keep correcting it. Or you can encode conventions once, in the place the agent always reads.

That is why formats like AGENTS.md matter. They give you a stable place to put the “how,” then evolve it as you learn. (Agents)

The opinionated takeaway

If you want AI to amplify your team, stop treating context as a prompt problem. Treat it as an operating system problem.

Task context is fuel. Shared context is the engine. Tools and live data are the sensors. If you only pour more fuel into a weak engine, you do not go faster. You just make more smoke.

The teams that win with AI will not be the teams with the most clever prompts. They will be the teams that make “how we build” explicit, enforceable, and continuously improved, until both humans and agents can ship high-quality work with minimal hand-holding.

Your Agent Does Not Need More Prompt. It Needs Memory.

Most teams try to fix weak agents by rewriting prompts. That is usually the wrong move.

The real issue is that the agent has no durable memory model. It can answer the current turn, but it cannot reliably carry forward user preferences, prior decisions, task context, or the small facts that make an interaction feel intelligent instead of stateless. Microsoft Agent Framework already gives you the extension points to solve this. By default, it uses in-memory chat history or service-managed history depending on the underlying provider, and it separates conversation history from richer context injection through ChatHistoryProvider and AIContextProvider. That separation is exactly what you want if you are serious about building agents that behave like products rather than demos. (Microsoft Learn)

As of February 2026, Microsoft Agent Framework is in Release Candidate for both .NET and Python, with the API surface described as stable on the road to GA. Microsoft also positions it as the successor to Semantic Kernel and AutoGen for agent development, which makes it the right place to invest if you are building new agent systems on the Microsoft stack. (Microsoft for Developers)

The important architectural move is this: do not treat “memory” as one blob. In Microsoft Agent Framework, short-term conversational recall belongs in ChatHistoryProvider. Durable user and workflow memory belongs in an AIContextProviderbacked by your own memory service. External knowledge belongs in retrieval, not memory. The framework pipeline reflects that design. On each run, history is loaded first, then context providers add messages, tools, or instructions, then the LLM executes, and afterward both history and context providers are notified so they can store new information. (Microsoft Learn)

That means a good memory design has three layers.

First, keep recent turns available so the model can follow the conversation naturally. Second, maintain a durable memory store that saves distilled facts such as user preferences, entities, project state, or decisions. Third, use retrieval for external documents and domain knowledge. Microsoft’s RAG support already follows this pattern through TextSearchProvider and Semantic Kernel vector store integrations, which is why you should resist the temptation to dump everything into “memory.” Retrieval is for knowledge. Memory is for continuity. (Microsoft Learn)

The cleanest way to add a memory service in .NET is to create a custom AIContextProvider. Microsoft’s docs explicitly describe AIContextProvider as the extension point for memory and context enrichment, and they show a memory-service pattern that loads relevant memories before invocation and stores new memories after invocation. They also make an important point that many teams miss: the same provider instance is reused across sessions, so session-specific state must not live on the provider object itself. It should live in the AgentSession, typically through ProviderSessionState<TState>. (Microsoft Learn)

Here is the pattern I would use.

using System.Text;
using Microsoft.Agents.AI;
public interface IMemoryService
{
    Task<string> CreateMemoryContainerAsync(CancellationToken cancellationToken = default);
    Task<IReadOnlyList<MemoryFact>> SearchAsync(
        string memoryContainerId,
        string query,
        int top = 5,
        CancellationToken cancellationToken = default);
    Task StoreAsync(
        string memoryContainerId,
        IEnumerable<ChatMessage> messages,
        CancellationToken cancellationToken = default);
}
public sealed record MemoryFact(string Text, double Score);
internal sealed class DurableMemoryProvider : AIContextProvider
{
    private readonly IMemoryService _memoryService;
    private readonly ProviderSessionState<State> _sessionState;
    public DurableMemoryProvider(IMemoryService memoryService)
        : base(null, null)
    {
        _memoryService = memoryService;
        _sessionState = new ProviderSessionState<State>(
            _ => new State(),
            stateKey: nameof(DurableMemoryProvider));
    }
    public override string StateKey => _sessionState.StateKey;
    protected override async ValueTask<AIContext> ProvideAIContextAsync(
        InvokingContext context,
        CancellationToken cancellationToken = default)
    {
        var state = _sessionState.GetOrInitializeState(context.Session);
        if (string.IsNullOrWhiteSpace(state.MemoryContainerId))
        {
            return new AIContext();
        }
        var userInput = string.Join(
            "\n",
            context.AIContext.Messages?
                .Where(m => m.GetAgentRequestMessageSourceType() == AgentRequestMessageSourceType.External)
                .Select(m => m.Text) ?? []);
        if (string.IsNullOrWhiteSpace(userInput))
        {
            return new AIContext();
        }
        var memories = await _memoryService.SearchAsync(
            state.MemoryContainerId,
            userInput,
            top: 5,
            cancellationToken);
        if (memories.Count == 0)
        {
            return new AIContext();
        }
        var memoryBlock = new StringBuilder();
        memoryBlock.AppendLine("Relevant durable memory for this conversation:");
        foreach (var memory in memories)
        {
            memoryBlock.AppendLine($"- {memory.Text}");
        }
        memoryBlock.AppendLine("Use this only when relevant. Do not invent details.");
        return new AIContext
        {
            Messages =
            [
                new ChatMessage(ChatRole.System, memoryBlock.ToString())
            ]
        };
    }
    protected override async ValueTask StoreAIContextAsync(
        InvokedContext context,
        CancellationToken cancellationToken = default)
    {
        var state = _sessionState.GetOrInitializeState(context.Session);
        if (string.IsNullOrWhiteSpace(state.MemoryContainerId))
        {
            state.MemoryContainerId = await _memoryService.CreateMemoryContainerAsync(cancellationToken);
            _sessionState.SaveState(context.Session, state);
        }
        var newMessages = context.RequestMessages.Concat(context.ResponseMessages ?? []);
        await _memoryService.StoreAsync(state.MemoryContainerId!, newMessages, cancellationToken);
    }
    private sealed class State
    {
        public string? MemoryContainerId { get; set; }
    }
}

This pattern does two things that matter. Before the model runs, it searches durable memory using only the new external input, not the full accumulated prompt. After the model runs, it stores the latest exchange back into the memory service. That lines up with the framework’s documented ProvideAIContextAsync and StoreAIContextAsync lifecycle, and it keeps the memory container ID in session state where it belongs. (Microsoft Learn)

Then wire it into your agent the way the framework intends:

using Azure.AI.OpenAI;
using Azure.Identity;
using Microsoft.Agents.AI;
var endpoint = Environment.GetEnvironmentVariable("AZURE_OPENAI_ENDPOINT")
    ?? throw new InvalidOperationException("Set AZURE_OPENAI_ENDPOINT");
var deploymentName = Environment.GetEnvironmentVariable("AZURE_OPENAI_DEPLOYMENT_NAME")
    ?? "gpt-4o-mini";
IMemoryService memoryService = new YourMemoryServiceImplementation();
AIAgent agent = new AzureOpenAIClient(new Uri(endpoint), new AzureCliCredential())
    .GetChatClient(deploymentName)
    .AsAIAgent(new ChatClientAgentOptions
    {
        ChatOptions = new() { Instructions = "You are a helpful assistant." },
        ChatHistoryProvider = new InMemoryChatHistoryProvider(),
        AIContextProviders =
        [
            new DurableMemoryProvider(memoryService)
        ]
    });
AgentSession session = await agent.CreateSessionAsync();
Console.WriteLine(await agent.RunAsync("My preferred reporting format is concise.", session));
Console.WriteLine(await agent.RunAsync("How should you format future updates for me?", session));

That registration model is straight out of the framework’s current design: one history provider, plus a list of context providers for memory, RAG, or dynamic instructions. (Microsoft Learn)

There is one more design choice that separates solid implementations from messy ones. Do not store raw transcripts forever and call that memory. A real memory service should distill turns into durable facts. “User prefers concise updates.” “Client uses Workday.” “Case escalated on March 12.” “Do not recommend option B because legal rejected it.” Your StoreAsync method should extract candidate facts, score them, deduplicate them, and set an expiration policy where appropriate. The framework gives you the hook points, but the product quality comes from what you choose to remember.

You also need to manage context growth. Microsoft’s compaction guidance is useful here. If you use CompactionProvider, be deliberate about where you register it. When registered through ChatClientAgentOptions, synthetic summaries can become part of persisted history. If you only want to compact the in-flight context window while preserving the original stored history, register compaction on the chat client builder with UseAIContextProviders(...) instead. That is a subtle detail, but it matters once your agent starts running real workloads instead of toy chats. (Microsoft Learn)

For production hosting, this pattern becomes even more powerful when paired with durable execution. Microsoft’s Azure Functions integration for Agent Framework supports durable thread management and persistent state for long-running, reliable workloads, with automatic endpoints and state handling. That is the right direction if your memory-backed agent is part of a business workflow rather than a single-turn assistant. (Microsoft Learn)

The broader lesson is simple. Memory should not be a prompt hack. It should be an architectural layer.

Microsoft Agent Framework is opinionated in the right way here. It gives you a dedicated history mechanism, a dedicated context mechanism, and a clean place to plug in your own memory service. Use those primitives as intended and you get an agent that remembers the right things, forgets the wrong things, and behaves consistently across sessions. Ignore them and you end up with an expensive autocomplete loop pretending to be an agent.

Defining Product Value: Stop Treating Products Like Projects

Most leadership teams say they are building “product value,” then immediately measure it like a finance exercise. ROI. LTV. Payback period. Those numbers matter, but they are also the fastest way to undervalue the most important products you will ever build. The uncomfortable truth is that many of the products that changed industries looked irrational on a spreadsheet in year one. They were not irrational. They were investments that created new compounding loops: better distribution, better data, stronger ecosystems, lower marginal cost to serve, and tighter control of the customer relationship.

Amazon has been blunt about this philosophy for decades: prioritize long-term market leadership over short-term profitability and measure investments analytically over time. (Corporate Investor Relations) That mindset is not a motivational poster. It is a valuation model. When you treat product as an investment vehicle, you stop asking “what is the ROI of this feature?” and start asking “what new asset does this create, and what future options does it unlock?”

ROI and LTV are necessary, but they are not sufficient

ROI and LTV are great at valuing direct monetization. They are weak at valuing strategic leverage.

They struggle with:

  • Platform effects where value accrues to the ecosystem first, and only later to you.
  • Capability-building where the product’s “profit” is speed, quality, and resilience across everything else you do.
  • Trust and risk reduction where the return shows up as avoided loss, regulatory confidence, and sales velocity.
  • Option value where the real payoff is the ability to launch the next thing faster and cheaper.

If you only use ROI and LTV, you will systematically underfund the products that create compounding advantage and overfund the products that create short-term optics.

A better question: What kind of value are we creating?

Here is the shift that changes everything. Instead of asking, “How much value does this product have?”, ask, “What typeof value is this product designed to create?” In my experience, modern product value shows up in five forms that compound when you get them right.

1) Ecosystem value: when your product becomes the market’s default surface area

Apple’s App Store is a masterclass in valuing the ecosystem, not just the transaction. Apple highlights that the App Store ecosystem facilitated roughly $1.3 trillion in billings and sales in 2024. (Apple) Whether you agree with every policy choice, the valuation insight is undeniable: the product’s value is not only Apple’s direct revenue. It is the gravitational pull that attracts developers, anchors users, and reinforces the platform.

If you try to measure a platform strictly by ROI in the early innings, you will miss the point. Platforms often look “expensive” until they become unavoidable.

2) Capability value: when the product is a factory for future products

AWS is the canonical example of a capability investment that turned into a new business category. It began as internal infrastructure discipline and APIs that made Amazon faster and more reliable, then became a product that changed how software is built. (Corporate Investor Relations) The early value was operational leverage. The later value was market creation.

You can see a modern version of this pattern inside software teams adopting AI-assisted development. Controlled studies and research report meaningful productivity gains with tools like GitHub Copilot, including faster task completion in experimental settings. (Microsoft) The point is not “AI will save us.” The point is that a tool can be a product investment when it upgrades throughput, developer experience, and time-to-market across everything you ship.

3) Data value: when learning becomes the moat

Netflix has long treated personalization as a value engine because it converts data into better decisions about discovery and engagement. External analyses describe that recommendations drive a large share of viewing activity, reinforcing retention and content discovery. (New America) You do not measure that with a single-feature ROI. You measure it as a learning system that compounds: every interaction makes the product smarter, and every improvement makes the next interaction more valuable.

In AI-first product design, this becomes even more direct. Your differentiation is rarely the model. Your differentiation is the feedback loop: the quality of your signals, the speed of iteration, and the discipline of your evaluation.

4) Distribution value: when the product lowers customer acquisition friction

Some products are valuable because they become your “front door,” even if they are not the primary revenue engine. Salesforce has invested heavily in enablement and ecosystem building, framing the broader “Salesforce Economy” as massive job and revenue creation beyond Salesforce itself. (Trailhead) You can debate methodologies, but the strategic idea is powerful: if your ecosystem grows faster than your competitors’ ecosystems, you win distribution, talent gravity, and partner momentum.

For CTOs and CPOs, distribution value often hides inside developer platforms, integrations, workflow surfaces, and anything that makes your product the easiest place to start.

5) Trust value: when the product accelerates sales and reduces existential risk

Trust is not soft. It is a growth lever and a risk hedge. Products that embed privacy, security, and compliance create value by shortening procurement cycles, reducing churn from security concerns, and preventing catastrophic downside. Many teams only “feel” this value when something goes wrong. That is too late.

If you want to value trust properly, treat it like an asset that increases conversion rates and protects cash flows under stress. It is not just cost avoidance. It is sales velocity and renewal confidence.

The valuation move that changes portfolio decisions: treat product like a set of real options

Here is a practical way to think about it without turning your operating rhythm into a finance seminar. A real option is the right, not the obligation, to make a future move. Great products create options: launch new modules, expand into new segments, partner with an ecosystem, shift pricing models, automate service delivery, or apply AI safely because your data and governance are ready.

That is why “feature ROI” often feels like a trap. The value is frequently not the feature. The value is the new option it creates.

Amazon’s long-term posture makes this explicit: invest for market leadership, measure what works, cut what does not, and double down on what compounds. (Corporate Investor Relations) That is real-option thinking in plain language.

Where AI changes the game for product value

AI does not just add features. It changes the unit economics of building, shipping, and operating products.

When you combine engineering management, product management, and software craftsmanship with AI, you can:

  • Reduce the cost of iteration, which increases experimentation volume and learning speed.
  • Improve quality through better testing, review support, and faster refactoring cycles, if you apply discipline.
  • Turn workflows into intelligent systems, where value compounds through feedback loops rather than static releases.

But AI also punishes sloppy teams. If you do not invest in evaluation, safety, and engineering fundamentals, you will ship confident nonsense at scale. That destroys trust value faster than it creates novelty.

The Point…

If you only value products by ROI and LTV, you will keep funding what looks safe and starving what creates durable advantage. The products that matter most often create value sideways first: ecosystems, capabilities, data loops, distribution, and trust. The cash shows up later, and when it does, it tends to compound.

The leadership move is to name the value you are building, instrument it like you mean it, and allocate investment like a portfolio manager, not a project sponsor. That is how you stop shipping features and start building assets.

If you want, I can turn this into a tighter LinkedIn version with one core story arc and two supporting examples, while keeping the same POV and evidence.

How to Add a Secure JavaScript Execution Tool to Microsoft Agent Framework

There is a recurring moment in agent design where a team realizes the model does not just need to reason. It needs to compute. It needs to transform JSON, run a formula, post-process extracted fields, normalize dates, build a dynamic object, or apply domain logic that is simply easier to express in JavaScript than in prompt text.

That is where most teams make a dangerous move. They reach for evalFunction, or Node’s vm module and tell themselves it is “sandboxed enough.”

It is not.

Node’s own documentation is explicit that node:vm is not a security mechanism and should not be used to run untrusted code. Worker threads are also not the right boundary for hostile code because they are designed for parallelism and can share memory. At the same time, Microsoft Agent Framework is built to let agents call external tools through function tools, so the clean pattern is not “run JavaScript inside the agent host.” The clean pattern is “make JavaScript execution a remote tool with a hardened execution boundary.” (Node.js)

That is the architecture this post covers:

  • Microsoft Agent Framework in .NET
  • A custom function tool exposed to the agent
  • A tRPC call from the tool to a separate Node.js execution service
  • Execution inside a locked-down isolate, not vm
  • Explicit whitelisting of namespaces and packages
  • Validation, time limits, memory limits, and auditable policy controls

The key design principle is simple: treat JavaScript execution as a privileged capability, not a convenience API.

The architecture

At a high level, the flow looks like this:

  1. The agent decides it needs computation.
  2. Microsoft Agent Framework calls a function tool.
  3. The function tool sends a request over HTTP to a tRPC endpoint in Node.js.
  4. The Node service validates the request with Zod.
  5. The Node service creates an isolated execution environment.
  6. Only approved globals and wrapped package facades are injected.
  7. The code runs with strict limits for time, memory, and output shape.
  8. The result is returned to the agent as tool output.

Microsoft Agent Framework supports function tools as first-class extensions to an agent, and tRPC gives you a type-safe RPC layer with input and output validation. That combination is ideal here because the .NET side stays thin and deterministic, while the execution policy lives in one place on the Node side. (Microsoft Learn)

First principle: “secure eval” is really “isolated execution”

It is important to be direct here. There is no magic secureEval() in Node.js. If you are executing model-authored or user-authored JavaScript, the safest practical pattern is:

  • out-of-process execution boundary
  • fresh isolate per run or per tenant pool
  • no ambient filesystem or network access
  • no raw require
  • whitelisted host-provided capabilities only
  • timeouts, memory ceilings, and payload size limits
  • container and OS-level restrictions around the service

Why not use node:vm? Because the Node docs explicitly say not to use it as a security boundary. Why not just use worker threads? Because workers are concurrency primitives, not isolation primitives. A better starting point for JavaScript isolation in Node is isolated-vm, which exposes V8 isolates and is designed for running code in fresh environments with no default Node runtime capabilities. Node’s permission model can also further restrict the Node process itself. (Node.js)

The important nuance is this: even isolated-vm should be one layer, not the only layer. The strongest production posture is to run the execution service in its own locked-down container or workload boundary and assume defense in depth.

Tool contract design

Do not let the model send arbitrary source code and a free-form module list with no governance. Give it a constrained contract.

A good request shape looks like this:

import { z } from "zod";
export const ExecuteJsInput = z.object({
  code: z.string().max(10_000),
  input: z.unknown().optional(),
  allowedNamespaces: z.array(z.string()).default([]),
  allowedPackages: z.array(z.string()).default([]),
  expectedResultSchema: z
    .object({
      type: z.enum(["json", "string", "number", "boolean", "array", "object"]),
    })
    .optional(),
  timeoutMs: z.number().int().min(50).max(3000).default(1000),
});

This matters for two reasons.

First, tRPC is designed around typed procedures, and Zod-driven validation makes the boundary explicit. Second, you now have a place to enforce policy before any code gets near an isolate. (trpc.io)

The Microsoft Agent Framework side

On the .NET side, the tool should be boring. That is the goal.

Microsoft Agent Framework lets you expose custom logic through function tools, including by creating an AIFunction from a C# method. The agent does not need to know how tRPC works. It just needs a tool description that makes the capability understandable to the model. (Microsoft Learn)

A simplified example:

using System.ComponentModel;
using System.Net.Http.Json;
public class JavaScriptExecutionTool
{
    private readonly HttpClient _httpClient;
    public JavaScriptExecutionTool(HttpClient httpClient)
    {
        _httpClient = httpClient;
    }
    [Description("Executes tightly sandboxed JavaScript for deterministic data transformation and calculation.")]
    public async Task<string> ExecuteSandboxedJavaScript(
        [Description("The JavaScript source to execute. Must return a serializable result.")] string code,
        [Description("Optional JSON input payload for the script.")] string? inputJson = null,
        [Description("Approved namespaces the script may access.")] string[]? allowedNamespaces = null,
        [Description("Approved package facades the script may access.")] string[]? allowedPackages = null)
    {
        var request = new
        {
            code,
            input = string.IsNullOrWhiteSpace(inputJson) ? null : System.Text.Json.JsonSerializer.Deserialize<object>(inputJson),
            allowedNamespaces = allowedNamespaces ?? Array.Empty<string>(),
            allowedPackages = allowedPackages ?? Array.Empty<string>(),
            timeoutMs = 1000
        };
        var response = await _httpClient.PostAsJsonAsync("/trpc/js.execute", request);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
}

Then you register it as a function tool with your agent. The architectural point is more important than the exact setup syntax: the agent host never evaluates code locally. It delegates execution to the hardened service. (Microsoft Learn)

The tRPC boundary

tRPC is a strong fit because it gives you typed procedures, validation, and a clean contract between the .NET caller and Node service. Even though .NET is not consuming generated TypeScript types directly, the Node service still benefits from strict schemas and a maintainable procedure surface. (trpc.io)

Example router:

import { initTRPC } from "@trpc/server";
import { z } from "zod";
import { ExecuteJsInput } from "./schemas";
import { runSandboxedScript } from "./sandbox";
const t = initTRPC.create();
export const appRouter = t.router({
  js: t.router({
    execute: t.procedure
      .input(ExecuteJsInput)
      .mutation(async ({ input, ctx }) => {
        return await runSandboxedScript(input, ctx.policyStore);
      }),
  }),
});
export type AppRouter = typeof appRouter;

This is where you can also add authentication, tenant context, rate limiting, audit metadata, and policy lookup.

The secure execution service

This is the heart of the design.

The mistake many teams make is trying to whitelist modules by exposing require. Do not do that. If you expose require, you are recreating Node inside the sandbox and dramatically expanding the attack surface.

Instead, preload and wrap approved capabilities in the host, then inject only those facades into the isolate.

That means your whitelist is not “the sandbox may import lodash.” It is “the sandbox may access a safe facade called packages.lodash that exposes only getpick, and omit.”

That is a much better boundary.

Example policy registry

type NamespaceFactory = () => Record<string, unknown>;
type PackageFactory = () => Record<string, unknown>;
const namespaceRegistry: Record<string, NamespaceFactory> = {
  math: () => ({
    round: Math.round,
    floor: Math.floor,
    ceil: Math.ceil,
    max: Math.max,
    min: Math.min,
  }),
  dates: () => ({
    nowIso: () => new Date().toISOString(),
  }),
};
const packageRegistry: Record<string, PackageFactory> = {
  lodash: () => {
    const { get, pick, omit } = require("lodash");
    return { get, pick, omit };
  },
  decimal: () => {
    const Decimal = require("decimal.js");
    return { Decimal };
  },
};

Notice what is missing: no arbitrary imports, no filesystem, no fetch, no process access, no environment access.

Example isolate runner

import ivm from "isolated-vm";
import { ExecuteJsInput } from "./schemas";
export async function runSandboxedScript(
  request: z.infer<typeof ExecuteJsInput>,
  policyStore: PolicyStore
) {
  const policy = await policyStore.resolve({
    namespaces: request.allowedNamespaces,
    packages: request.allowedPackages,
  });
  const isolate = new ivm.Isolate({ memoryLimit: 64 });
  const context = await isolate.createContext();
  const jail = context.global;
  await jail.set("global", jail.derefInto());
  const safeNamespaces = Object.fromEntries(
    policy.namespaces.map((name) => [name, namespaceRegistry[name]!()])
  );
  const safePackages = Object.fromEntries(
    policy.packages.map((name) => [name, packageRegistry[name]!()])
  );
  await jail.set("input", new ivm.ExternalCopy(request.input ?? null).copyInto());
  await jail.set("namespaces", new ivm.ExternalCopy(safeNamespaces).copyInto());
  await jail.set("packages", new ivm.ExternalCopy(safePackages).copyInto());
  const wrapped = `
    "use strict";
    (async function () {
      const console = undefined;
      const process = undefined;
      const require = undefined;
      const module = undefined;
      const exports = undefined;
      const Buffer = undefined;
      const setTimeout = undefined;
      const setInterval = undefined;
      const userFn = async ({ input, namespaces, packages }) => {
        ${request.code}
      };
      return await userFn({ input, namespaces, packages });
    })()
  `;
  const script = await isolate.compileScript(wrapped);
  try {
    const result = await script.run(context, { timeout: request.timeoutMs });
    const copied = await new ivm.Reference(result).copy();
    return {
      ok: true,
      result: copied,
    };
  } catch (error) {
    return {
      ok: false,
      error: sanitizeError(error),
    };
  } finally {
    isolate.dispose();
  }
}

This is intentionally opinionated.

  • The sandbox gets input
  • The sandbox gets namespaces
  • The sandbox gets packages
  • The sandbox does not get Node
  • The sandbox does not get require
  • The sandbox does not get the environment

That is the right posture.

The isolated-vm project describes these isolates as separate JavaScript environments free of the extra capabilities that Node normally exposes. That is why it is a better primitive here than vm. (GitHub)

How whitelisting should really work

A lot of teams hear “whitelist packages” and think they should allow date-fns or lodash directly. That is still too coarse.

You want three policy levels.

1. Namespace whitelist

These are internal capability groups you define, such as:

  • math
  • dates
  • currency
  • tax
  • normalizers

These are ideal for domain logic because they let you present stable semantic surfaces to the model.

2. Package facade whitelist

This is not raw NPM package access. It is a curated wrapper over a package.

Example:

const packageRegistry = {
  dateFns: () => {
    const { addDays, formatISO, parseISO } = require("date-fns");
    return { addDays, formatISO, parseISO };
  },
};

3. Tenant or tool policy whitelist

Even if a package exists in the registry, a given agent or tenant may not be allowed to use it.

That means final access should be the intersection of:

  • globally supported capabilities
  • tenant policy
  • current agent policy
  • current tool invocation request

That keeps the model from escalating its own power simply by naming more packages.

What “most secure method” means in practice

Here is the honest version.

If the code is untrusted, the strongest production pattern is not “just use a safer JavaScript library.” The strongest pattern is:

  • dedicated Node execution service
  • running in a separate process or container from the agent host
  • Node permission model enabled where possible
  • no filesystem permission unless explicitly required
  • no network permission unless explicitly required
  • no child process permission
  • no raw module loading
  • isolate-based execution inside the service
  • per-request timeout
  • per-request memory cap
  • rate limiting and audit logging
  • kill-and-recycle strategy for suspicious runs

Node’s permission model is now stable and is specifically intended to restrict access to resources during execution. That makes it a useful outer control around the execution worker process. (Node.js)

So the recommendation is:

Do not run JavaScript evaluation in the Microsoft Agent Framework process. Run it in a separate hardened execution service, and inside that service use an isolate with only host-injected safe facades.

Prompting the agent correctly

One subtle mistake is giving the model too much freedom in how it uses the tool. Your tool description should bias toward deterministic use cases.

Good use cases:

  • schema normalization
  • mathematical calculations
  • JSON reshaping
  • derived field generation
  • deterministic validation helpers
  • short business-rule transforms

Bad use cases:

  • arbitrary web requests
  • importing unknown libraries
  • long-running workflows
  • anything requiring secret access
  • anything that should really be a reviewed backend feature

You want the tool to feel more like “dynamic formula execution” than “tiny remote code runner.”

Observability and governance

Once you add this capability, you need a paper trail.

Log:

  • agent name
  • conversation or run id
  • caller identity
  • code hash
  • requested namespaces
  • requested packages
  • approved namespaces
  • approved packages
  • execution duration
  • memory tier
  • success or failure
  • sanitized error output

Do not log secrets in payloads. Do log enough to reconstruct who ran what and under which policy.

This matters because the risk is no longer just technical. It is operational. A dynamic execution tool without auditability becomes impossible to govern at scale.

Where this pattern is worth it

This pattern is especially valuable when building agents that need deterministic computation without shipping a new backend endpoint for every micro-use-case.

Examples:

  • tax calculation helpers
  • document extraction post-processing
  • migration mapping rules
  • payroll normalization
  • dynamic scoring or threshold logic
  • transforming AI output into strict structured shapes

In all of those cases, JavaScript is the execution language, but policy is the product.

Final opinion

The wrong way to add JavaScript to an agent is to think of it as a convenience feature.

The right way is to think of it as a controlled runtime.

Microsoft Agent Framework gives you the right extension point through function tools. tRPC gives you a clean typed boundary. Node can host the execution service. But the part that separates a toy from a production design is this: never let the model execute inside your primary trust boundary, and never equate “sandboxed” with “safe” unless you can explain the exact layers doing the isolation. (Microsoft Learn)

That is the architecture I use.

The Steinberger Threshold

Most leaders are asking the wrong question about AI.

They ask whether their teams are using it. They ask which model to standardize on. They ask whether agents are ready for production. They ask how quickly they can drive adoption.

That is all downstream. The real question is simpler and far more revealing: who on your team can actually direct AI, and who is starting to be directed by it? That is the divide I keep seeing in product and engineering organizations.

Some people use AI to expand their judgment. Others use it to avoid judgment. Some get faster while staying in control. Others get busy, impressed, and strangely passive. On the surface, both groups can look productive. Both can generate output. Both can show progress.

Only one of them is actually becoming more valuable. That is what is being referred to by some as The Steinberger Threshold.

I am borrowing the phrase from recent discussion around Peter Steinberger, but what matters is not the label. What matters is the shift it names. Steinberger is worth paying attention to because he has lived through multiple eras of software building, from deep technical craftsmanship to AI-native execution. The lesson embedded in his public writing and interviews is clear: the advantage is no longer just in doing the work yourself. The advantage is in framing the work, shaping the environment, inspecting the result, and deciding what happens next.

That is not prompt engineering. That is modern judgment. And that is why this matters more than another generic debate about AI productivity.

We are moving into a world where the cost of execution is falling fast. Agents can increasingly read codebases, edit files, run tests, summarize options, and handle meaningful chunks of delivery work. As that happens, the bottleneck shifts.

When execution gets cheaper, judgment gets more expensive.

That changes who stands out. It changes who scales. It changes who should lead.

The people who thrive in this environment will not be the ones who simply know how to use AI. That bar is dropping quickly. The people who thrive will be the ones who can define intent clearly, give the agent enough structure to move fast, and still know when the machine is wrong, shallow, overconfident, or drifting off mission.

That is the threshold. Below it, people let the agent set the pace, shape the work, and quietly narrow their thinking. Above it, people use the agent as leverage while keeping hold of direction, standards, and accountability.

This is not a tooling issue. It is a leadership issue.

The biggest mistake I see companies making is assuming AI adoption and AI capability are the same thing. They are not. Giving people access to powerful models tells you almost nothing about whether they can use them well. In fact, broad access can hide the problem for a while. Everyone suddenly looks more productive. More documents appear. More prototypes show up. More code gets written. More tickets move.

But velocity is a bad metric when the system can generate convincing motion on demand.

That is where executives get trapped. They see acceleration and assume capability has risen with it. Sometimes it has. Sometimes they are just watching the organization become more dependent on machine output without improving its ability to set direction or judge quality.

That is the real risk.

The person below the Steinberger Threshold is not necessarily junior. They are not necessarily non-technical. They are simply no longer fully in command once AI enters the loop. They delegate too early. They trust polished output too quickly. They confuse completeness with correctness. They let the system define the path instead of using the system to execute against a path they have defined.

The person above the threshold behaves very differently. They treat the agent like fast, tireless, sometimes brilliant labor. They know what outcome they want. They know where ambiguity is useful and where it is dangerous. They know when to tighten the frame. They know what needs review and what can be safely skimmed. Most importantly, they stay accountable for the result.

That last point matters more than people admit.

The best agent operators are usually not the ones writing the fanciest prompts. They are the ones with the clearest standards. They know what good looks like. They can spot weak reasoning. They can tell when the agent is optimizing for fluency instead of truth, or speed instead of soundness. They do not need to inspect every line, but they know exactly which lines matter.

This is why I think the rise of agents will reshuffle status inside product and engineering teams more than most people expect.

Some managers will struggle because they were already operating through abstraction without enough contact with the actual work. AI will expose that quickly. If you cannot define success in a way that a machine can execute against and a human can validate, your authority gets thinner.

Some engineers will struggle too, especially those whose identity is tied too tightly to personal output. AI does not care about your attachment to hand-crafted implementation if someone else can steer the machine to a better result faster.

And some people in the middle of the organization will rise quickly. They may not have the biggest titles. But they have taste. They can decompose messy problems. They can write clear acceptance criteria. They can create structure where others create noise. They can tell the difference between a useful first pass and a dangerous hallucination. In an agentic world, those people become force multipliers.

You can already see the outlines of this shift in the market. Companies are starting to act as though part of every team’s job is now translating work into something machines can execute. Whether you look at AI-first operating models, agentic coding environments, or the emerging idea of software factories, the pattern is the same: the bottleneck is moving away from raw execution and toward the ability to define, direct, and verify execution.

That is the Steinberger Threshold in practice.

So how do you figure out who has crossed it? Not with training completion rates. Not with prompt libraries. Not with AI badges. You run a scout mission.

By that I mean a real piece of work with enough ambiguity that judgment matters, enough structure that success can be observed, and enough consequence that the quality of direction shows up clearly. It should be something an agent can materially accelerate, but not something so trivial that the agent can stumble into a passable answer without supervision.

A good scout mission is not theater. It is a bounded business problem that exposes how someone thinks in an agentic environment.

Give them a real bug with messy symptoms. Give them a workflow that needs redesign. Give them a thin internal tool to build. Give them a reporting process full of edge cases. Then watch what they do.

Do they sharpen the objective before they delegate? Do they define acceptance criteria? Do they improve the environment with better tests, clearer documentation, or stronger context? Do they review the critical path or only the polished summary? Do they notice drift? Do they challenge the output? Can they explain why the result should be trusted?

Most importantly, when the agent gets stronger, do they become more decisive or more passive? That is the question.

Because that is what separates someone who is using AI as leverage from someone who is slowly handing over their agency to it.

My view is simple. The companies that win with AI will not be the ones with the most licenses, the biggest model budget, or the loudest transformation language. They will be the ones that identify who can actually operate above the Steinberger Threshold, then redesign teams, workflows, and leadership expectations around those people.

Because once agents become part of the execution layer, judgment becomes the scarce asset.

And scarce assets end up running the system.

AI is not killing the PM role. It is being forced to grow up.

Agile changed the choreography of delivery, but it did not fundamentally change the cast. We kept the same job titles, the same swim lanes, and mostly the same power dynamics. AI is different because it collapses the distance between intent and execution. Engineers can prototype in hours. Designers can ship interactive flows without waiting for front-end availability. Researchers can summarize themes across hundreds of interviews in minutes. Documentation is no longer a sacred artifact because it can be generated on demand.

When everyone can “do the thing” faster, the old product manager value proposition gets exposed.

Not because PMs are unnecessary, but because too many PMs have been operating as human middleware. In an AI-enabled team, middleware becomes friction.

Product management is becoming the bottleneck again, but not for the reason people think

Andrew Ng has been blunt about what he is seeing: engineering velocity is exploding, while product decision velocity is not keeping up. He has cited teams floating extreme staffing ratios like “1 PM to 0.5 engineers,” precisely because the constraint is no longer “can we build it,” it is “what should we build next, and why.” (The Washington Post)

That lands uncomfortably because it cuts through a decade of agile mythology. We convinced ourselves that tighter cycles and better rituals would make decisions faster. In practice, many teams just shipped smaller batches of indecision.

AI does not fix that. AI amplifies it.

If your org cannot make crisp calls on tradeoffs, positioning, risk, and sequencing, then AI turns your product into a slot machine. Lots of output, unpredictable outcomes.

The real shift: from writing requirements to engineering decisions

In AI-enabled teams, the PM’s center of gravity moves away from “capturing what we know” and toward “creating the conditions to learn faster than competitors.”

That is why the most valuable PMs are becoming:

  1. System designers of feedback loops.
    If engineers can build ten prototypes this week, your job is to ensure you can get ten rounds of real feedback this week. Not opinions from internal stakeholders. Not a survey that takes a month. Actual behavioral signal, usability signal, and commercial signal. Ng’s point about product work becoming the bottleneck is basically a warning that many teams still run discovery like it is 2015. (LinkedIn)
  2. Narrative owners who reduce ambiguity.
    AI makes it cheap to create options. It does not make it cheap to align a company. The PM’s job is to create a shared narrative that makes tradeoffs obvious. What are we optimizing for this quarter. What risks are acceptable. What customer segment wins. What we are explicitly not doing.
  3. Outcome executives, not ticket shepherds.
    There is a reason the “PM as project manager” instinct feels so suffocating in modern teams. Dr. Bart Jaworski’s micromanagement critique hits because it describes a PM role that has quietly metastasized into dependency chasing and task decomposition, which is exactly the work AI will commoditize first. (LinkedIn)

Here is the uncomfortable truth: if your calendar is full of status checks, you are not leading product. You are compensating for a system that does not trust itself.

AI pushes PMs into an accountability gap, and you either own it or get sidelined

A lot of leaders are responding to AI by demanding “builder ratios,” fewer coordinators, more doers. You can see the cultural momentum in how companies publicly talk about AI expectations. Shopify’s CEO memo, widely circulated, framed AI usage as a baseline expectation and pushed teams to try AI before asking for more headcount. (Business Insider) Duolingo’s “AI-first” shift, including changes to how work is staffed, is another example of leadership trying to rewire the org around automation and leverage. (The Verge)

The implication is not “PMs are dead.”

The implication is: the org has less patience for roles that cannot directly accelerate learning and outcomes.

This is why the PM job splits into two archetypes in AI-enabled environments:

  • The “product operator” PM who runs ceremonies, writes tickets, and translates between functions. AI eats a meaningful chunk of this, and orgs will push it into tooling, into the team, or into program management.
  • The “product strategist and experiment leader” PM who sets direction, clarifies the bet, instruments the system, and drives rapid iteration with tight customer loops. This PM becomes more valuable, not less.

Most PMs want to believe they are the second archetype. Their calendars often reveal they are the first.

“But everyone can prototype now.” Exactly. That is why the PM must level up.

The PM in an AI-enabled team cannot be purely a non-technical coordinator. You do not need to be a production engineer, but you must be able to move at the speed of prototypes. Otherwise, you become the pacing item that Andrew Ng is warning about.

This is where “vibe coding” becomes a useful cultural signal. Andrej Karpathy’s framing captured what many teams are living: people can increasingly build by intent, using natural language to drive code generation. (on X)

If you are a PM and your superpower is writing a spec that takes two weeks to socialize, you will lose credibility in a world where a teammate can generate three working prototypes before your PRD is approved.

So what replaces the PRD as the PM’s leverage?

A tighter operating system for decisions.

What the best PMs are doing differently right now

They are not micromanaging delivery. They are not disappearing into strategy decks either. They are building a product learning engine that can keep pace with AI-accelerated execution.

Practically, that looks like this:

  • They treat prototypes as questions, not solutions. Each prototype exists to answer one uncertainty: desirability, usability, feasibility, viability, compliance risk, adoption friction. If your prototype is not tied to a question, it is just expensive entertainment.
  • They shorten the loop from build to signal. They ship behind flags, use concierge tests, run internal dogfooding with instrumentation, and put customers in front of flows weekly, not quarterly.
  • They operationalize customer truth. AI can summarize interviews, but it cannot decide what matters. The PM owns the mechanism that converts messy qualitative input into clear product calls.
  • They create decision hygiene. In high-velocity teams, the cost of a bad decision is not the decision. The cost is the cascade. PMs need lightweight decision records, explicit tradeoffs, and crisp “reversibility” framing so teams can move fast without becoming reckless.
  • They make the team safer to move quickly. That includes guardrails for privacy, security, and compliance, especially when AI features touch regulated data. The PM is often the person who ensures “fast” does not become “fragile.”

The paradox: PMs must stop being the bottleneck by doing more “product,” not more “process”

If product management is becoming the bottleneck, the fix is not hiring more PMs to write more documents. It is upgrading the PM role into a higher-leverage function.

This is where the comparison to agile is useful. Agile gave us faster cycles, but many companies never built true empowerment. They created rituals around a command-and-control core.

AI will punish that model.

Because AI does not just increase speed. It increases optionality. And optionality without empowered decision-making becomes chaos.

So the question is not “what is the PM’s role in an AI-enabled team.”

The question is: can your PM function produce clarity, priority, and validated learning as fast as your engineers can produce code?