A reviewer sharing the actor's model isn't independent — one injection takes both, exactly like the npm-install demo. What held for me was a deterministic allowlist no prompt talks past.