Add 3 patterns: tool-search-lazy-loading, dual-llm-pattern, lethal-trifecta-threat-model (#4)

* Add 3 patterns: tool-search-lazy-loading, dual-llm-pattern, lethal-trifecta-threat-model

Inspired by gaps surfaced against agentic-patterns.com, rewritten from
upstream sources into the catalog's POSA schema:

- tool-search-lazy-loading (tool-use-environment, emerging) — defer tool
  schema injection until a ToolSearch primitive returns matches; addresses
  the context-budget cost that tool-loadout and tool-discovery don't.
  Sources: Anthropic Agent Skills post, MCP spec, Thariq Shihipar.

- dual-llm-pattern (safety-control, emerging) — split work between a
  privileged tool-holding model and a quarantined content-reading model
  with symbolic-handle handoff. Sources: Willison 2023, Beurer-Kellner
  et al. arXiv:2506.08837 §3.1(4).

- lethal-trifecta-threat-model (safety-control, emerging) — capability-set
  frame: no execution path may simultaneously hold private-data read,
  untrusted-content ingest, and outbound channel. Sources: Willison 2025,
  CVE-2024-38206, Beurer-Kellner et al.

Adds 11 mirror/inverse edges across tool-loadout, tool-discovery,
context-window-packing, mcp, prompt-injection-defense,
input-output-guardrails, sandbox-isolation, tool-output-poisoning to
balance the typed-edge graph. Adds 3 verification-todo entries.

Pattern count 195 → 198. All lint rules pass for new patterns.

* Strip pure-future known_uses; fix 2 dead URLs blocking CI

- Remove 4 known_uses entries with status='pure-future' across
  lats, llm-compiler, rewoo, reflexion (they are not actual
  known uses).
- Replace the now-empty known_uses on lats, llm-compiler,
  reflexion with real available implementations (paper authors'
  GitHub releases + LangGraph examples; all URLs verified live).
  rewoo retains its existing 'agent-patterns library' entry.
- Replace dead URL https://platform.openai.com/docs/api-reference/chat
  on confidence-reporting with https://cookbook.openai.com/examples/using_logprobs.
- Replace dead URL https://plandex.ai/ on framework-coverage
  plandex entry with the canonical GitHub repo URL.

Lint A6.1 (known_uses non-empty), A6.3 (URL liveness) and all
other rules pass.

Author: luxxyarns

INDEX.md

@@ -1,6 +1,6 @@
 # Pattern Index
 
-195 patterns across 13 categories.
+198 patterns across 13 categories.
 
 ## Reasoning
 
@@ -58,6 +58,7 @@
 - [Tool Discovery](patterns/tool-discovery.md) *(a.k.a. Capability Advertisement, Dynamic Tool Loading)* — Let the agent discover available tools at runtime rather than hardcoding the tool list at agent build time.
 - [Tool Loadout](patterns/tool-loadout.md) *(a.k.a. Tool Subset Selection, Per-Task Tool Filtering, Tool Filter, Limit Exposed Tools)* — Select a small task-relevant subset of available tools per request rather than exposing the full registry to the model.
 - [Tool Result Caching](patterns/tool-result-caching.md) *(a.k.a. Memoised Tools, Idempotent Cache)* — Cache the result of expensive deterministic tool calls keyed by their arguments so repeat calls within a session return immediately.
+- [Tool Search Lazy Loading](patterns/tool-search-lazy-loading.md) *(a.k.a. Lazy Tool Loading, On-Demand Tool Schema Loading, ToolSearch Primitive)* — Defer loading tool schemas into the context window until a search step shows they are needed.
 - [Tool Use](patterns/tool-use.md) *(a.k.a. Function Calling, Tool Calling, Action Use)* — Let the LLM produce typed calls against an external toolkit instead of producing free-form text the surrounding system has to parse.
 - [Toolformer](patterns/toolformer.md) *(a.k.a. Self-Supervised Tool Learning)* — Train the model to learn when and how to call tools through self-supervised data, without human annotation.
 - [Translation Layer](patterns/translation-layer.md) *(a.k.a. Anti-Corruption Layer, Adapter Pattern (Agentic), API Façade)* — Insert a typed boundary between the agent's clean domain model and a messy or legacy external API.
@@ -147,10 +148,12 @@
 - [Constitutional Charter](patterns/constitutional-charter.md) *(a.k.a. Immutable Constitution, Negative Constraints, Robot Laws)* — Define rules the agent reads every turn but cannot modify, encoding inviolable boundaries.
 - [Conversation Handoff to Human](patterns/conversation-handoff.md) *(a.k.a. Escalation, Live-Agent Handoff, Human Takeover)* — Transfer the entire conversation thread from agent to human operator, with state transfer and return primitive.
 - [Cost Gating](patterns/cost-gating.md) *(a.k.a. Budget Cap, Cost-Aware Approval)* — Block actions whose expected cost exceeds a threshold without explicit user (or operator) acknowledgement.
+- [Dual LLM Pattern](patterns/dual-llm-pattern.md) *(a.k.a. Privileged/Quarantined LLM Split, Dual-Model Privilege Separation, Symbolic-Variable Handoff)* — Split agent work between a privileged model that holds tool access and a quarantined model that reads untrusted content, exchanging only opaque references between them.
 - [Exception Handling and Recovery](patterns/exception-recovery.md) *(a.k.a. Error Recovery, Failure Mode Handler)* — Catch and react to predictable failure modes (tool errors, rate limits, validation failures) with structured recovery paths.
 - [Human-in-the-Loop](patterns/human-in-the-loop.md) *(a.k.a. HITL, Approval Gate, Confirmation Step, Risky Action Gate, Destructive Action Confirmation, Ask Before Risky Action)* — Require explicit human approval at defined points before the agent performs an action.
 - [Input/Output Guardrails](patterns/input-output-guardrails.md) *(a.k.a. Guards, Validators, Content Filters)* — Validate inputs before they reach the model and outputs before they reach the user.
 - [Kill Switch](patterns/kill-switch.md) *(a.k.a. Out-of-Band Stop, Emergency Halt, Killbit, Halt All Agents, Stop Every Running Agent)* — Provide an out-of-band control plane to halt running agent instances without redeploy.
+- [Lethal Trifecta Threat Model](patterns/lethal-trifecta-threat-model.md) *(a.k.a. Willison Trifecta, Three-Capabilities Exfiltration Risk)* — Block prompt-injection-driven exfiltration by ensuring no single agent execution path holds all three of: access to private data, exposure to untrusted content, and an outbound communication channel.
 - [PII Redaction](patterns/pii-redaction.md) *(a.k.a. Data Loss Prevention, Sensitive Data Filtering)* — Detect and remove personally identifiable information from inputs to and outputs from the model.
 - [Prompt Injection Defense](patterns/prompt-injection-defense.md) *(a.k.a. Instruction Hierarchy, Untrusted-Content Tagging)* — Tag user-supplied or tool-supplied content as untrusted and refuse to follow instructions found inside it.
 - [Quorum on Mutation](patterns/quorum-on-mutation.md) *(a.k.a. Two-Tick Confirmation, Distributed Consensus (Single Agent))* — Require multiple consecutive ticks (or runs) to agree before a mutation to durable state lands.

framework-coverage.json

@@ -1009,7 +1009,7 @@
       "name": "Plandex",
       "vendor": "Plandex",
       "language": "Go",
-      "url": "https://plandex.ai/",
+      "url": "https://github.com/plandex-ai/plandex",
       "last_analyzed": "2026-05-02",
       "coverage": {
         "plan-and-execute": "fully",

patterns-src/memory.json

@@ -256,6 +256,10 @@
         }
       ],
       "related": [
+        {
+          "pattern": "dynamic-scaffolding",
+          "relation": "complements"
+        },
         {
           "pattern": "episodic-summaries",
           "relation": "uses"
@@ -265,24 +269,24 @@
           "relation": "alternative-to"
         },
         {
-          "pattern": "dynamic-scaffolding",
-          "relation": "complements"
-        },
-        {
-          "pattern": "todo-list-driven-agent",
+          "pattern": "reasoning-trace-carry-forward",
           "relation": "used-by"
         },
         {
-          "pattern": "reasoning-trace-carry-forward",
-          "relation": "used-by"
+          "pattern": "salience-attention-mechanism",
+          "relation": "alternative-to"
         },
         {
           "pattern": "self-archaeology",
           "relation": "complements"
         },
         {
-          "pattern": "salience-attention-mechanism",
-          "relation": "alternative-to"
+          "pattern": "todo-list-driven-agent",
+          "relation": "used-by"
+        },
+        {
+          "pattern": "tool-search-lazy-loading",
+          "relation": "complements"
         }
       ],
       "references": [

patterns-src/planning-control-flow.json

@@ -393,13 +393,6 @@
         ]
       },
       "constrains": "Each node may be expanded only by sampling actions consistent with the parent state.",
-      "known_uses": [
-        {
-          "system": "Pure future for Stash2Go",
-          "note": "Conversational answerer for ambiguous knitting questions ('can I substitute X for Y?').",
-          "status": "pure-future"
-        }
-      ],
       "related": [
         {
           "pattern": "react",
@@ -486,7 +479,21 @@
       "diagram": {
         "type": "flow",
         "mermaid": "flowchart TD\n  Root[Partial trajectory] --> Sel[UCT selection]\n  Sel --> Exp[Expansion: sample next thoughts/actions]\n  Exp --> Sim[Simulate]\n  Sim --> Val[Value estimate]\n  Val --> Back[Backpropagate up tree]\n  Back --> Sel\n  Sel -.failing branch.-> BT[Backtrack instead of commit]"
-      }
+      },
+      "known_uses": [
+        {
+          "system": "LanguageAgentTreeSearch (reference implementation)",
+          "note": "Original code release by the LATS paper authors (Zhou et al.).",
+          "status": "available",
+          "url": "https://github.com/lapisrocks/LanguageAgentTreeSearch"
+        },
+        {
+          "system": "LangGraph LATS example",
+          "note": "LangGraph ships an LATS notebook in its examples.",
+          "status": "available",
+          "url": "https://github.com/langchain-ai/langgraph"
+        }
+      ]
     },
     {
       "id": "llm-compiler",
@@ -516,13 +523,6 @@
         ]
       },
       "constrains": "Steps run only when all referenced upstream variables are resolved.",
-      "known_uses": [
-        {
-          "system": "Pure future for Bobbin",
-          "note": "Agent-lane plans with two unrelated tools could run concurrently.",
-          "status": "pure-future"
-        }
-      ],
       "related": [
         {
           "pattern": "rewoo",
@@ -576,7 +576,21 @@
       "diagram": {
         "type": "flow",
         "mermaid": "flowchart TD\n  Q[Task] --> Pl[Planner: build dependency DAG]\n  Pl --> TFU[Task-Fetching Unit]\n  TFU --> S1[Step 1]\n  TFU --> S2[Step 2 parallel]\n  TFU --> S3[Step 3 parallel]\n  S1 --> S4[Step 4 depends on 1]\n  S2 --> S4\n  S3 --> S5[Step 5 depends on 3]\n  S4 --> J[Joiner]\n  S5 --> J\n  J --> Ans[Final answer]"
-      }
+      },
+      "known_uses": [
+        {
+          "system": "LLMCompiler (reference implementation)",
+          "note": "Berkeley SqueezeAILab release of the LLMCompiler paper code.",
+          "status": "available",
+          "url": "https://github.com/SqueezeAILab/LLMCompiler"
+        },
+        {
+          "system": "LangGraph LLMCompiler example",
+          "note": "LangGraph ships an LLMCompiler example.",
+          "status": "available",
+          "url": "https://github.com/langchain-ai/langgraph"
+        }
+      ]
     },
     {
       "id": "map-reduce",
@@ -1263,11 +1277,6 @@
       },
       "constrains": "The Planner cannot see tool outputs; substitution happens only at the Worker stage.",
       "known_uses": [
-        {
-          "system": "Pure future for Stash2Go",
-          "note": "Periodic offline normalisation of yarn catalogue when an upstream weight definition changes.",
-          "status": "pure-future"
-        },
         {
           "system": "agent-patterns library",
           "status": "available"