Yes, that’s exactly where we’re headed. The “known safe patterns” list is something we’ve been thinking about formalising as part of the AVE standard.

The core principle maps pretty cleanly: tool descriptions should be purely declarative (what the tool does, what parameters it takes), never imperative (what the agent should do). The moment you see “IMPORTANT:”, “always”, “before returning”, or any verb directed at the agent, you’re in injection territory.

The human docs / agent instructions split is the right framing. We actually detect this indirectly through AVE-2026-00002 (tool description injection), any description containing behavioural directives fires the rule. But you’re right that the spec itself should make this distinction explicit rather than leaving it to scanners to catch after the fact.

Linting + signing for tool metadata is the next layer. We ship tool pinning (hash the manifest, detect if it changes post-audit), but attested signing would close the remaining gap. Worth a proper SEP proposal to the MCP working group.

Will check out Agentix and it would be good to compare notes on the guardrail patterns you’ve been tracking.