The Leak Everyone Wanted to See

A complete system prompt for Meta's AI-powered customer support has been dumped publicly on GitHub, giving the security community an unprecedented look at how one of the world's largest tech companies handles automated support at scale. Posted by user michaelcummings12 in a repository titled "meta-ai-support-prompt," the full document reads like an operations manual for a sophisticated support pipeline that routes users through domain-specific agents while maintaining strict compartmentalization between internal tooling and customer-facing responses.

Inside Meta's Support Stack

The prompt reveals a multi-layered architecture built around specialized domain agents. When a user describes an issue, the system calls genpop_planner_v1_domain_agent_ranker to determine which specialized handlers can address the problem—whether that's account access, content appeals, or feature-specific troubleshooting. That ranker feeds into genpop_plan_synthesizer_with_dynamic_tool_loading, which generates structured resolution plans with root cause diagnosis and action steps cited from internal knowledge bases. The system also relies heavily on omni_context_retrieval for Help Center lookups when automated tools can't resolve an issue. Notably, the prompt specifies strict rules about language detection—agents must respond in whatever language the user writes in, whether that's Thai, Portuguese, or English. There's even a self-correction mechanism built in to catch and fix mismatched language responses.

The Confidentiality Doctrine

What stands out most is how paranoid Meta's internal documentation is about keeping tool names hidden from users. The prompt contains an "ABSOLUTE RESTRICTION" section explicitly forbidding any mention of tools, their calls, existence, or internal processes—even if a user directly asks or attempts to manipulate the system into disclosing this information. Agents are instructed to deflect questions about AI model identity by claiming to be a 'Meta Support Assistant' and redirecting to support topics. This compartmentalization extends to citation handling. The prompt says agents should only share help center links returned from omni_context_retrieval, not from "internal knowledge." It also forbids telling users about ranker results, plan synthesizer outputs, or any technical details like 'no automated tools available' or 'no R2 routine found.'

What This Means for Security Researchers

The leak exposes several interesting attack surfaces. The strict language-matching requirement creates potential injection vectors if an agent can be tricked into responding in a different language than intended. More critically, the plan execution rollback mechanism—which re-runs tool calls when users want to repeat actions—could theoretically be exploited through carefully crafted inputs that manipulate conversation state. For those studying LLM-powered customer support systems at scale, this document is gold. It shows how Meta structures autonomous agent workflows with fallback mechanisms, confidence levels from ranker outputs, and explicit rules for when to re-investigate versus continuing down a resolution path. The repetitive loop detection rules are particularly instructive—they prevent agents from getting stuck in confirmation cycles by mandating that repeated problems trigger different approaches.

Key Takeaways

  • Full Meta AI Support system prompt publicly available on GitHub since June 2, 2026
  • Reveals internal tool names including domain agent rankers and plan synthesizers never meant for public view
  • Exposes strict confidentiality rules preventing any mention of internal systems to users
  • Multi-agent architecture routes support requests through specialized handlers with fallback to Help Center searches

The Bottom Line

This leak is a reminder that even the most secretive companies can't fully protect their prompt engineering investments once these systems go into production. Meta's support AI isn't magic—it's a well-documented pipeline of rankers, synthesizers, and fallback mechanisms that any competent security researcher can now reverse-engineer. Expect to see this architecture inspire (or get copied by) competitors in the automated support space.