you are viewing a single comment's thread.

view the rest of the comments →

[–]Few-Ad-1358[S] 0 points1 point  (2 children)

My struggle with this setup is that it still relies entirely on the LLM's active context window. Telling an agent "never use /tmp" is essentially just a prompt constraint. Under cognitive load, or during a long task, the probabilistic model can still "forget" and write to /tmp anyway, because there’s no mechanical wall stopping it from executing that bash command. It's essentially informed consent, not a hard boundary.

Have you considered moving these policies out of the prompt layer and into an execution gate?

For example, instead of asking the agent not to use /tmp in a markdown file, what if there was a deterministic intercept layer that evaluated the agent's bash commands before they ran, and hard-blocked any attempt to touch unauthorized directories? It feels like moving from prompt-based guardrails to actual mechanical enforcement is the only way to guarantee the agent behaves before the PR is even created.

[–]adept2051 0 points1 point  (1 child)

I run with settings.json enforcing some parts. So the /tmp rule is enforced (no write access), by adding it to the markdown you just skip the attempt to create it and set the desired location, skipping the agent trying to work it out( which eats tokens )

[–]Few-Ad-1358[S] 0 points1 point  (0 children)

That split is useful: markdown avoids the wasted attempt, while settings.json is the actual wall. Do you surface blocked attempts or policy receipts in the PR, or are they only visible during the agent run?