Operational Your level
Coordinator → field-agent hierarchy with differentiated full-stack roles — each role has its own context scope (structurally enforced per `PL1-codebase-scoping`), tools, permissions, and prompt. The partitioning serves not only parallelism and specialisation but also [lethal-trifecta](../internal/references/willison-lethal-trifecta.md) separation: no single role simultaneously holds (1) access to private data, (2) exposure to untrusted content, and (3) ability to externally communicate. Concrete realisations include sparse-checkout context scoping (role sees only its subset of the repo), differentiated MCP / tool scopes per role (investigator reads private data without outbound capability; outbound-capable roles do not ingest untrusted content), and segregated credential tenancy per role. Clear handoffs between roles. Approval authority for material changes (elevation requests, protected-branch merges, release promotions, production-impacting actions) remains human, extending `PL4-branch-protection`'s human-approval requirement to approval surfaces outside git. Agent-to-agent approval is permitted only within a platform-codified low-risk policy (e.g. dependency updates within declared semver bounds, cosmetic-only commits, test-only changes) and only where the approving agent is in a distinctly-credentialed role with audit trail. Segregation of incompatible duties between agent roles — both approval duties *and* trifecta-leg duties — is load-bearing, not optional