La couche méta10 min de lecture

Meta-Prompting in Production: One File the Agent Can Touch, One Verifier It Can't

One AI writing prompts for another sounds like leverage until you watch it fail: an 80-node workflow that repeated every mistake, re-paid every failed run, and trusted every generated instruction. Tuning the meta-prompt never fixed it. A three-layer contract did: a verifier the generator can't touch, domain facts it can't ignore, generation left free in the middle. Two production failures in its first 24 hours stress-tested exactly that.

In 2025 I built an 80-node n8n workflow where one AI wrote the prompt another AI executed. It was fast: modular sub-workflows I could retrigger on demand, a full base post regenerated in about five minutes. And it was the right pattern: I still run meta-prompting today, in the system that wrote this post. What that workflow didn't have was a single validation gate, a trace log, or any memory between runs. That missing layer, not the prompts, is where meta-prompting systems still fail.

Here's the conclusion up front: meta-prompting fails or succeeds on the shell around it, not the prompt inside it. It's a powerful pattern and it is not a fix-all, because prompt quality was never the binding constraint. State is. A prompt-writing agent is production-safe only when the generated prompt is the single free variable inside a fixed contract: an immutable objective and a verifier it can't touch, accumulated domain facts it can't ignore, and an open middle where generation stays free. I call that the three-layer contract. What follows is the evidence, and the two production failures that stress-tested it on day one.

What Happens When One AI Writes Prompts for Another? Meta-Prompting Before I Knew Its Name

In 2025, an 80-node n8n workflow ran meta-prompting before I knew the term: a prompt-writer agent composed instructions a content agent executed verbatim, output flowing into Airtable and a CMS with no validation gate, no trace log, and no memory between runs.

The workflow was my Blog Maker: 80 nodes, 14 LangChain agent nodes, 16 LLM chat-model nodes. At its core sat a "Main Body Prompt Writer" node whose system message opened with "You are an AI Prompt Engineering Specialist..." Its output fed a Content Writer Agent that executed the generated prompt verbatim: {{ $('Main Body Prompt Writer').item.json.output }}, straight into the next agent's instructions.

From there, finished posts flowed into Airtable and Ghost CMS. Nothing checked the generated prompt. Nothing checked the generated post.

I treated it as a prompt-quality problem, because that's what everyone assumes the risk is. When output drifted, I tuned the specialist's system message. And that's the trap in how engineers reach for meta-prompting: if prompts are fragile, generate better prompts. It's the same bet, doubled: reliability through better wording. Prompt whack-a-mole, one level up.

The expensive failures were never in the prompts. Regeneration was cheap (any sub-workflow could be retriggered, a base post rebuilt in minutes), and that speed hid the real cost: rerunning was so easy that nothing ever forced a root cause to be fixed. No log recorded which agent decided what, so post-mortems were guesswork. And because nothing carried lessons between runs, every mistake the system made, it made again in the next artifact.

This failure mode deserves a name: the Ungated Generator, a prompt-writing agent whose output the system executes as trusted instruction with no bound, no gate, and no memory. The name puts the blame where it belongs: the failure is 'ungated', not 'generator'. Meta-prompting isn't the villain — running it without a contract is. Once you name it, you start seeing it in most meta-prompting architectures shipped today.

Why Doesn't a Better Meta-Prompt Fix It?

Static analysis of 6,549 LLM agent repositories confirmed 68 infinite agentic loops; the two dominant root causes (retry feedback without bound and tool-call iteration without bound) account for 48.5% of them. Every one is a missing bound, and a bound is state, not prompt wording.

Three failure classes hit ungated generators, and no wording flattens any of them. They're failures that look like model problems but aren't.

Unbounded loops. The IAL-Scan paper "When Agents Do Not Stop" ran static analysis over 6,549 LLM agent repositories; manual review confirmed 68 infinite-loop failures across 47 projects, at 91.9% precision. The paper's root-cause table puts "retry feedback without bound" at 25.0% and "tool-call iteration without bound" at 23.5%, together 48.5% of confirmed failures. The MAST taxonomy, built from 1,600+ annotated traces across 7 multi-agent frameworks, points the same direction: step repetition at ~16% of failures, agents unaware of stopping conditions at 12.4%. Explaining the task better fixes none of them. A finite budget the agent cannot exceed does. And a budget is state.

Trusted generated text. Inter-agent interfaces mostly lack trust boundaries: each agent treats upstream output as trusted input, so one compromised link propagates instructions across the whole workflow. February 2026 made this concrete. Per Cline's own post-mortem, "At 3:26 AM PT on February 17th, an unauthorized party used a compromised npm publish token to publish cline@2.3.0": a package whose single modification was an added postinstall script, live for approximately 8 hours.

The same post-mortem describes the sharper edge: "An attacker could craft an issue title containing instructions that trick Claude into running arbitrary code on the GitHub Actions runner." The issue title WAS the prompt. Third-party incident analyses put roughly 4,000 developer machines in the exposure window; Cline's post-mortem itself gives no count. In a meta-prompting system, every generated prompt is exactly this kind of untrusted text. You just wrote the attacker into the architecture and called it an agent.

Compounding per-step error. Plain arithmetic, not a study: at 85% per-step accuracy, a 10-step chain succeeds 0.85^10 ≈ 20% of the time. A better model lifts the level; it does not bend the slope. What bends the slope is fewer unchecked steps: gates that catch errors before they propagate.

What Is the Three-Layer Contract?

A prompt-writing agent is production-safe when the generated prompt is the single free variable inside a fixed contract: an immutable objective and a verifier the generator cannot touch, accumulated domain facts it cannot ignore, and an open middle where generation stays free.

I once spent three days debugging an agent's prompt because it kept misfiring an API call. The prompt wasn't the problem. I had just failed to build a validation gate between the LLM and the database. That's the bridge from diagnosis to fix: stop improving the generator, start constraining what surrounds it.

Layer 1: the fixed shell. The objective and the verification gates live outside the generator's write access. Karpathy's autoresearch repo makes this literal in three files: prepare.py is marked "do not modify," the agent only touches train.py, and the README's rationale is operational: "This keeps the scope manageable and diffs reviewable." Berkeley's CLTC agentic-AI risk-management profile draws the same line from the governance side: it classifies generator-writable oversight as high-risk, because write access lets an agent "introduce loopholes or weaken its own oversight." Same pattern at three scales, a research repo, a governance risk profile, and gates around agent decisions, proven at Ramp: the thing that checks the work must be unreachable from the thing that does the work.

Layer 2: accumulated domain facts. Recorded lessons the generator must consume on every run. This is memory as a contract layer, not a nice-to-have. Without it, the Ungated Generator's signature symptom appears: the same mistake in every artifact, forever, because nothing wrote it down.

Layer 3: the open middle. The generated prompt itself. This layer stays free; that's the entire point of meta-prompting. DSPy shows where this ends up: typed input-output signatures, prompts compiled against a numeric metric, assertion-based backtracking. The generated prompt becomes a measured artifact instead of free text you hope is good.

// The three-layer contract. The generated prompt is the ONLY free variable.
interface MetaPromptContract {
  // Layer 1 (fixed shell): the generator has no write access here
  readonly objective: string;                              // immutable per deployment
  readonly verify: (output: string) => ValidationResult;   // untouchable by the generator
  readonly budget: { maxRetries: number; maxToolCalls: number }; // hard bounds, not vibes

  // Layer 2 (accumulated domain facts): append-only, injected into every run
  readonly facts: ReadonlyArray<DomainFact>;               // "engagement decays in ~48h"

  // Layer 3 (open middle): the only field the generator writes
  generatedPrompt: string;
}

Mapped to STATE, the contract is three pillars applied to prompts-as-artifacts:

  • Layer 1 → E (Explicit): every generated output passes a validation gate before any write, and the generator cannot reach the gate's definition
  • Layer 2 → S + T (Structured, Traceable): every run logs its decisions, and recorded lessons persist as state the next run must load: state that outlives any single execution
  • Layer 3 → bounded freedom: the generated prompt is the only free variable, and the shell enforces finite retry and tool-call budgets around it

Did the Contract Actually Hold?

The 2026 rebuild of the same content system inverted the architecture: hard invariants and a validation gate the generator cannot touch, an append-only store of domain facts it must read, and sub-agent prompts it writes freely on every run. Its first two production failures were both missing facts, not missing intelligence.

This year I rebuilt the Blog Maker's job as a weekly-brief skill under the contract. Fixed shell: a validation gate before any write, one traceability log entry per run, recorded human decisions that must be respected. Accumulating domain facts in the middle layer. Open middle: the agent writes its own sub-agent prompts every run. Meta-prompting, still.

The first 24 hours produced two wrong task rankings. Under the old architecture I would have tuned the prompt-writer and hoped. Under the contract, the post-mortems took minutes, because both root causes were missing state.

First failure: no recorded fact that LinkedIn engagement decays within about 48 hours, so the ranker treated a stale draft as fresh. Second: it ranked a task without reading the goal's trigger condition, "within 7 days of audit delivery," when no audit had ever been delivered. Both fixes were one move each: write the fact into the system. Zero prompt changes. Zero model changes.

That's the thesis with receipts: State Beats Intelligence, even when the artifact the system produces IS a prompt. If you're running a prompt-writing agent today, I built a short self-audit that scores exactly this kind of gap. It's at simonparis.ca/score, and it takes about ten minutes.

One question before you tune that meta-prompt again: which parts of your system can the generator rewrite — and is the verifier one of them?

FAQ

Is meta-prompting safe to run in production?

Yes, inside a fixed contract. A prompt-writing agent is production-safe when the generated prompt is the single free variable: the objective and the verification gate live outside the generator's write access, accumulated domain facts are injected into every run, and hard retry and tool-call budgets bound every loop. Run it without that shell and you have an Ungated Generator (a system executing generated text as trusted instruction) and the documented failure classes follow: unbounded loops, propagated prompt injection, compounding per-step error. The prompt was never the dangerous part. The write access was.

Why does my prompt-writing agent keep making the same mistakes?

Because nothing writes the mistake down. Most meta-prompting systems have no memory between runs, no accumulated store of domain facts the generator must load, so every lesson dies with the run that learned it. That was the signature symptom of my 2025 content workflow: every error it made, it made again in the next artifact, because no state carried between executions. The fix is architectural: an append-only facts layer the generator consumes on every run. When the rebuilt system misranked tasks twice in its first 24 hours, both fixes were one recorded fact each: zero prompt changes, zero model changes.

What should a prompt-writing agent never be able to modify?

The objective, the verifier, and the budgets. Karpathy's autoresearch repo makes the boundary literal: prepare.py is marked "do not modify" and the agent only touches train.py. Berkeley's CLTC risk profile draws the same line from the governance side, classifying generator-writable oversight as high-risk because write access lets an agent weaken its own oversight. The pattern holds at every scale: the thing that checks the work must be unreachable from the thing that does the work. If your generator can rewrite its own validation gate, you don't have a gate — you have a suggestion.

Will a better model fix meta-prompting failures?

It lifts the level without bending the slope. At 85% per-step accuracy, a ten-step chain succeeds roughly 20% of the time (plain arithmetic), and a stronger model raises the per-step number without changing the compounding. The production evidence points the same way: the IAL-Scan study of 6,549 LLM agent repositories found that 48.5% of confirmed infinite agentic loops trace to retry feedback or tool-call iteration running without bound, and a bound is state, not prompt wording. What bends the slope is structure: fewer unchecked steps, validation gates that catch errors before they propagate, and finite budgets the agent cannot exceed.

Diagnostic

Votre système LLM est-il vraiment prêt pour la production?

Votre système est-il vraiment prêt pour la production? Le diagnostic STATE l'évalue sur cinq axes — avant l'incident.

Évaluer mon système →