Feature Request: Add `isolated` parameter to Task tool for true context isolation
Summary
The Task tool currently passes parent conversation context to spawned subagents. This makes it impossible to implement workflows requiring independent judgment (QA reviews, security audits, code reviews) where the reviewer should not see the creator's reasoning.
We propose adding an isolated: true parameter that starts subagents with zero parent context.
Note on observation: The Task tool documentation states that "Agents with 'access to current context' can see the full conversation history before the tool call." This suggests context sharing is the current behavior. If this understanding is incorrect, we would appreciate clarification on how context boundaries currently work.
---
The Critical Problem
Multi-Agent Systems Require Independence
The value of multi-agent workflows comes from different perspectives:
Developer perspective: "This works and meets requirements"
QA perspective: "But what about edge case X?"
Security perspective: "This exposes attack vector Y"
When agents share context, these perspectives collapse:
Shared context agent: "I know the developer had constraints, so I'll be lenient"
→ Review becomes validation, not critique
Current Architecture
CURRENT: Subagent Inherits Parent Context
Orchestrator (parent)
├─ User goal: "Add auth feature"
├─ My reasoning: "JWT is simpler, skip edge cases"
├─ Developer work: [code with shortcuts]
│
└─► Task(subagent_type="general-purpose")
└─ QA Subagent
├─ Sees: Parent reasoning (bias source!)
└─ Result: Lenient review
NEEDED: Isolated Subagent
Orchestrator (parent)
├─ [all context stays here]
│
└─► Task(subagent_type="general-purpose", isolated=true)
└─ QA Subagent
├─ Sees: Only explicit prompt
└─ Result: Unbiased review
---
The Deeper Problem: Trust Collapse in Multi-Agent Systems
The Essence
In a world where many agents work together, the fundamental question is:
"Can I trust this agent's output?"
Trust requires verifiable independence. Without isolation:
Agent A creates artifact
Agent B reviews artifact
But B saw A's reasoning
→ B's review is contaminated
→ Trust in B's output = 0
→ Why have B at all?
The Value Equation
Value of 1 agent = 1 perspective
Value of N agents = N independent perspectives
BUT with shared context:
Value of N agents = 1 perspective × N
= Just repetition
= Expensive echo chamber
Scale Amplification: More Agents = Worse Problem
| # of Agents | Without Isolation | With Isolation |
|-------------|-------------------|----------------|
| 2 | Mild bias | 2 perspectives |
| 5 | Echo chamber | 5 perspectives |
| 10 | Groupthink | 10 perspectives |
| 100 | Dangerous false consensus | 100 perspectives |
The more agents you add, the worse the problem becomes—not better.
Why Organizations Have Departments
Developer: "Ship it, it works"
QA: "Wait, edge case fails"
Security: "Wait, this is exploitable"
Legal: "Wait, this violates GDPR"
Each department has BOUNDED KNOWLEDGE by design.
They don't read each other's internal memos.
This is not inefficiency—it's PROTECTION.
The Deepest Insight
Naive view: "More information = better decisions"
Reality: "BOUNDED information = independent judgment"
Sharing everything makes everyone think the same.
The value of multiple agents IS their different views.
Shared context destroys the only thing that matters.
Critical for AI Agent Future
The industry is moving toward autonomous agent swarms, AI companies with agent "employees", and multi-agent verification systems.
Without context isolation, all of these become:
- N agents with shared context = 1 agent with extra steps
- Expensive echo chamber
- False sense of verification
The real danger: Humans will trust "multi-agent consensus" that is actually "single-perspective amplified N times."
When a human sees "5 agents reviewed this and agreed," they assume 5 independent checks occurred. Without isolation, they got 1 check repeated 5 times—but paid for 5 and trusted the result as if it were 5.
This is not a feature gap. This is a trust and safety issue for the future of multi-agent AI systems.
---
Proposed Solution
Add isolated Parameter
Task(
subagent_type="general-purpose",
isolated=True, # NEW PARAMETER
prompt="Review the test plan at docs/testing/PLAN.md"
)
When isolated=True:
- Subagent starts with zero parent context
- Only receives the explicit
promptparameter - Must read files explicitly to see content
- Cannot access parent conversation history
Behavior Specification
isolated=False (default, current behavior):
Subagent context = Parent context + Prompt
isolated=True (new):
Subagent context = System instructions + Prompt only
Optional Enhancement: Explicit Artifact Passing
Task(
subagent_type="general-purpose",
isolated=True,
artifacts=["docs/testing/PLAN.md"], # Files to include
prompt="Review this test plan"
)
---
Use Cases Enabled
1. Independent QA Review
Task(
subagent_type="general-purpose",
isolated=True,
prompt="You are a QA reviewer. Review docs/testing/FEATURE_TEST_PLAN.md
from a customer perspective. Document gaps and risks."
)
2. Security Audit
Task(
subagent_type="general-purpose",
isolated=True,
prompt="You are a security auditor. Review src/auth/ for vulnerabilities.
Assume no prior knowledge of implementation decisions."
)
3. Code Review
Task(
subagent_type="general-purpose",
isolated=True,
prompt="Review this PR diff for code quality. Evaluate the code itself,
not the author's reasoning."
)
---
Implementation Considerations
- Backward compatible:
isolateddefaults toFalse - Minimal scope: Only affects context passing, not subagent capabilities
- Verifiable: Users can trust that isolation occurred
---
Summary
The isolated parameter is a small API change that enables a fundamental capability: true multi-agent workflows with independent judgment.
Without it, Claude Code's multi-agent features are limited to collaborative delegation.
With it, adversarial and review patterns become possible.
This isn't about adding a feature—it's about completing the multi-agent architecture.
---
We're happy to contribute a PR if the direction is approved.
This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗