# Retrofit Design

Retrofit design patterns derived from the analysis include:

- inserting policy checks between retrieval and context assembly
- attaching principal-aware capability checks before tools run
- isolating tenant context in retrieval, memory, and telemetry paths
- standardizing audit events across prompt, retrieval, tool, and output stages

The design is intended as a portable blueprint for secure RAG and agent hardening.