How are you testing local coding-agent work gates against prompt injection?

Hi all - I'm working on an open-source, local-first MCP/work-gate tool for coding agents and I'm trying to get sharper feedback from people building or using agent workflows. The problem I'm thinking about is indirect prompt injection and evidence trust. A local coding agent may ingest issues, PR text, docs, logs, dependency output, webpages, or MCP tool results. Even if the user is trusted, that input may not be. If the agent can then decide whether it satisfied its own gates, there are some awkward questions: \- What stops an injected instruction from convincing the agent to skip a review gate? \- What counts as real verification evidence versus a final-response claim? \- Should agent-supplied receipts be treated differently from independently fetched CI or attached evidence? \- What bypass paths would you test first? I'm not claiming prompts are a security boundary, and I'm not trying to replace sandboxing. I'm trying to make local agent workflow claims more honest before people lean on them too hard. I'll put the GitHub issue links in a comment to keep this from being a link-drop. Friendly pushback very welcome.