How Gemini CLI and Claude Code Achieve Context Isolation for AI Agents

AI Agent Core Strategies: Gemini CLI and Claude Code Context Isolation

In previous posts we discussed AI Agent context‑management strategies and compression techniques. Context management generally involves writing, selecting, compressing, and isolating. After covering compression, we now focus on isolation.

When an AI Agent tackles a complex task such as refactoring a React project, it may need to edit files, run code, execute tests, and query documentation simultaneously. Mixing these sub‑tasks in a single context is like holding ten meetings in a noisy office at once.

1. Why Context Isolation?

With a limited context window, lack of isolation can cause four serious problems:

Context poisoning – erroneous information enters the context and continuously corrupts subsequent decisions due to the model’s autoregressive nature.

Context interference – overly long context makes the model focus on historical data and ignore the core task, similar to having 50 open file tabs in an IDE.

Context chaos – information overload sharply degrades model performance, leading to wrong tool invocations.

Context conflict – new and old information directly contradict each other, leaving the Agent’s reasoning confused.

These issues are amplified in Agent scenarios because Agents collect multi‑source information, perform sequential tool calls, and engage in multi‑round reasoning, easily causing context bloat and loss of control.

2. Claude Code Isolation Strategy

Claude Code’s isolation resembles a submarine’s watertight compartments: a failure in one compartment does not affect the whole vessel.

2.1 Master‑Slave Execution Model

The core design separates a master Agent (the nO loop engine) from SubAgents (I2A instances). The master coordinates the overall workflow, while SubAgents handle specific tasks in isolated execution environments, communicating only via a one‑way Task tool. Errors in one SubAgent do not impact others.

2.2 Three‑Layer Memory Architecture

Claude Code divides conversation history into three layers:

Short‑term memory – real‑time message array with O(1) access and automatic token counting.

Mid‑term memory – when short‑term usage reaches 92%, the AU2 algorithm performs an eight‑segment structured compression, extracting background, key decisions, tool usage, user intent evolution, execution summaries, errors, unresolved issues, and future plans.

Long‑term memory – the CLAUDE.md system stores project‑level information such as project context, user preferences, coding style, environment, and security configuration, enabling persistent cross‑session memory.

2.3 Six‑Stage Tool Execution Pipeline

Claude Code’s MH1 engine enforces a strict six‑stage pipeline:

Tool discovery & verification – name resolution, registry lookup, availability check.

Input validation – Zod schema validation, type checking, required‑parameter verification.

Permission check – Allow/Deny/Ask actions with hook support.

Cancellation check – AbortController signals, user interruption handling, timeout control.

Tool execution – concrete function call, async generator handling, streaming output.

Result formatting – standardization, state cleanup, event logging.

2.4 Intelligent Concurrency Isolation

The UH1 scheduler classifies tools:

Concurrency‑safe tools (up to 10 simultaneous): Read, LS, Glob, Grep, WebFetch, TodoRead, Task.

Non‑concurrency‑safe tools (must run serially): Write, Edit, MultiEdit, Bash, TodoWrite.

This ensures read operations can run in parallel while write operations are strictly serialized to avoid resource conflicts.

2.5 Session‑Turn Isolation

currentTurnState = {
  compacted: true,
  turnId: generateTurnId(), // independent turn ID
  turnCounter: 0 // independent counter
};

Each turn has its own state, so a failure in turn 20 does not affect earlier completed work, and the system can roll back like a Git commit.

2.6 Full SubAgent Isolation

Independent nO loop instance.

Dedicated message queue.

Isolated tool permissions.

Separate error handling.

Single‑message return mechanism (stateless communication).

2.7 File‑Content Injection Capacity Limits

Maximum 20 files opened per request.

Each file limited to 8 K tokens.

Total token count not exceeding 32 K.

This prevents overload from malicious or erroneous requests.

2.8 Six‑Layer Security Defense

Input validation layer – Zod schema strict checks.

Permission control layer – Allow/Deny/Ask triple validation with hook overrides.

Sandbox isolation layer – Bash commands run with sandbox=true, file‑system writes restricted, network whitelisted.

Execution monitoring layer – AbortController for interruption, timeout enforcement, resource limits.

Error recovery layer – exception capture, detailed logging, automatic retry and fallback.

Audit logging layer – comprehensive operation logs, real‑time alerts, periodic compliance audits.

3. Gemini CLI Isolation Strategy

Compared with Claude Code’s strictness, Gemini CLI adopts a more pragmatic approach.

3.1 Physical Session Isolation

Each chat session stores its context in a separate file on the filesystem:

const timestamp = new Date().toISOString().slice(0,16).replace(/:/g,'-');
const filename = `session-${timestamp}-${this.sessionId.slice(0,8)}.json`;
this.conversationFile = path.join(chatsDir, filename);

The naming combines a timestamp and a truncated session ID, guaranteeing uniqueness and easy lookup.

3.2 Project‑Level Organization

Conversation records are organized by project hash, placing different projects in distinct directories:

this.projectHash = getProjectHash(config.getProjectRoot());
const chatsDir = path.join(this.config.storage.getProjectTempDir(),'chats');

This design ensures that context from project A never interferes with project B.

3.3 Graceful Session Management

Session reset – create a brand‑new conversation context at any time:

async resetChat(): Promise<void> {
  this.chat = await this.startChat();
}

Session resume – continue from a previous session while preserving isolation:

if (resumedSessionData) {
  this.conversationFile = resumedSessionData.filePath;
  this.sessionId = resumedSessionData.conversation.sessionId;
}

3.4 Model Switching Handling

When switching models, Gemini CLI shares historical records but aborts the current query, retaining useful context while preventing inconsistency.

4. Practical Recommendations

4.1 Start Simple, Evolve Gradually

Begin with file‑level isolation like Gemini CLI and add more layers as requirements grow.

4.2 Define Clear Isolation Boundaries

Specify what information may cross boundaries; adopt Claude Code’s unidirectional data flow where context only flows from higher to lower layers.

4.3 Monitor Isolation Effectiveness

Context size trends.

Task success rate.

Response latency.

Token consumption.

4.4 Prepare for Failures

Implement multi‑layer security similar to Claude Code’s six‑layer defense to ensure robust execution.

4.5 Consider Cost

Single chat: 1× token usage.

Single Agent: 4× token usage.

Multi‑Agent: 15× token usage.

Ensure the value of isolation justifies the added cost.

5. Closing Thoughts

Context is the operating system of an AI Agent. Just as an OS uses process isolation, memory management, and permission control to stay stable, a well‑designed Agent system needs meticulous context isolation to execute tasks reliably. Whether through Claude Code’s rigorous approach or Gemini CLI’s pragmatic design, the goal is the same: keep the Agent focused and safe.