How Astrid Discovers Hidden Instructions Across

When LLM agents move through file systems, they silently encounter project-level instruction files - like CLAUDE.md - that quietly shape behavior but often go unnoticed. Unlike Claude Code’s unchecked loading, Astrid now detects these files dynamically as it traverses directories, ensuring no instruction slips through. This discovery is not automatic or invasive: it’s triggered by CWD changes, validated through content hashing, and scoped precisely to where instructions live.

Instruction trust is built on content hashing (BLAKE3), not trust by path. Only known, verified hashes enter the prompt context - no silent injection, no permission escalation. When files shift, users get soft notices, not blocks - keeping security visible without fatigue. Frontend apps, from CLI to Discord, render these updates naturally: toasts, banners, modals - all typed, consistent, and non-blocking.

But here’s the catch: while the system surfaces instructions, it never grants capabilities or bypasses approval. Instructions are context, not authority. That distinction matters - approval fatigue kills security, not protection. The design minimizes interruptions while keeping intent clear.

What’s invisible is how deeply trust and notice work together: one ensures only real, hashed content influences the agent, the other keeps users informed without friction. The real innovation? A capsule-level event system that respects workspace boundaries, respects user agency, and turns directory hops into transparent, secure updates - no silent surprises, just clean, scoped context.