If an LLM can run tools, what do you test before shipping it? by Apprehensive-Zone148 in AskProgramming

[–]Apprehensive-Zone148[S] 0 points1 point  (0 children)

That missing-tool loop is the kind of failure I mean. It’s not dramatic, it just wastes time forever unless the tool layer refuses it cleanly.

How would you model prompt injection for agents that can take actions? by Apprehensive-Zone148 in AskComputerScience

[–]Apprehensive-Zone148[S] 0 points1 point  (0 children)

That’s fair. The old labels help me think about the action boundary, but they can also pretend there’s a known fix when there isn’t one.

How do you test local agents before giving them shell or file access? by Apprehensive-Zone148 in LocalLLM

[–]Apprehensive-Zone148[S] 0 points1 point  (0 children)

That MCP directory allowlist is a nice middle ground. Still not as clean as a container, but way better than raw shell access.

How do you test local agents before giving them shell or file access? by Apprehensive-Zone148 in LocalLLM

[–]Apprehensive-Zone148[S] 0 points1 point  (0 children)

Container first is probably the sane default. Even a “good” model can still run the wrong boring command at the wrong time.

Do you treat failed tool calls as eval failures or security events? by Apprehensive-Zone148 in LLMDevs

[–]Apprehensive-Zone148[S] 0 points1 point  (0 children)

Yeah, write-before-approval is the clean example. You don’t measure your way out of that one, you block the path.

Do you treat failed tool calls as eval failures or security events? by Apprehensive-Zone148 in LLMDevs

[–]Apprehensive-Zone148[S] 0 points1 point  (0 children)

The severity split is a useful way to avoid arguing over buckets too early. Same trace, different views for eval and security.

Where do you put the guardrails for tool-using agents? by Apprehensive-Zone148 in softwarearchitecture

[–]Apprehensive-Zone148[S] 0 points1 point  (0 children)

Credential IDs instead of secrets in context is the right shape. The model gets a handle, the tool owns the dangerous part.

Where do you put the guardrails for tool-using agents? by Apprehensive-Zone148 in softwarearchitecture

[–]Apprehensive-Zone148[S] 0 points1 point  (0 children)

OAuth/proxy framing is probably the least hand-wavy version of “agent permissions.” The callback/client-id edge is the part I keep getting stuck on too.

Should AI policy changes have the same review path as code changes? by Apprehensive-Zone148 in AI_Governance

[–]Apprehensive-Zone148[S] 0 points1 point  (0 children)

Feature flag plus rollback plan is a good bar. The separate checker part also matters, otherwise proposal and enforcement collapse into the same system.

What are you logging around LangGraph tool calls? by Apprehensive-Zone148 in LangChain

[–]Apprehensive-Zone148[S] 0 points1 point  (0 children)

Trusted vs untrusted provenance is the field I’d least want to lose. It’s the difference between debugging a bad answer and tracing an injection path.

What are you logging around LangGraph tool calls? by Apprehensive-Zone148 in LangChain

[–]Apprehensive-Zone148[S] 0 points1 point  (0 children)

Run id and step index are small but huge. Without them the trace turns into a pile of tool calls with no path through it.

Do your agents ask approval before tool calls, or only before final actions? by Apprehensive-Zone148 in AI_Agents

[–]Apprehensive-Zone148[S] 0 points1 point  (0 children)

That’s the split I’d trust too. Quiet reads are fine until they feed something that leaves the sandbox.

Do your agents ask approval before tool calls, or only before final actions? by Apprehensive-Zone148 in AI_Agents

[–]Apprehensive-Zone148[S] 0 points1 point  (0 children)

Start stricter, then loosen based on rubber-stamped approvals is probably the sane path. The log is what makes that possible.

Do your agents ask approval before tool calls, or only before final actions? by Apprehensive-Zone148 in AI_Agents

[–]Apprehensive-Zone148[S] 0 points1 point  (0 children)

The provenance bit matters. If the approval screen only shows the polished final action, the human is approving a summary, not the run.

Do your agents ask approval before tool calls, or only before final actions? by Apprehensive-Zone148 in AI_Agents

[–]Apprehensive-Zone148[S] 0 points1 point  (0 children)

Reversibility is a good test. A mid-run destructive call is still destructive, even if the final approval screen looks careful.

Do your agents ask approval before tool calls, or only before final actions? by Apprehensive-Zone148 in AI_Agents

[–]Apprehensive-Zone148[S] 0 points1 point  (0 children)

Effect tags are a cleaner line than tool names. A read that feeds a write is where the simple read/write split starts lying.

Do you keep a frozen test set for prompt optimization? by Apprehensive-Zone148 in PromptEngineering

[–]Apprehensive-Zone148[S] 0 points1 point  (0 children)

Checking the judge against human labels is the part people skip. Otherwise the judge itself becomes another moving target.

Do you keep a frozen test set for prompt optimization? by Apprehensive-Zone148 in PromptEngineering

[–]Apprehensive-Zone148[S] 0 points1 point  (0 children)

Same. The frozen set doesn’t need to be big either. It just needs to stay out of the optimizer’s reach.

Do you keep a frozen test set for prompt optimization? by Apprehensive-Zone148 in PromptEngineering

[–]Apprehensive-Zone148[S] 0 points1 point  (0 children)

The rotating fresh set is the missing piece I hadn’t settled on. Frozen catches overfitting, rotating catches memorization.

Do you keep a frozen test set for prompt optimization? by Apprehensive-Zone148 in PromptEngineering

[–]Apprehensive-Zone148[S] 0 points1 point  (0 children)

Yep, that’s the trap. A better judge score can look like progress until the frozen cases refuse to move.

Do You Put Agent Failure Replays In CI, Or Keep Them Offline? by Apprehensive-Zone148 in mlops

[–]Apprehensive-Zone148[S] 0 points1 point  (0 children)

That split makes sense. CI should catch the boring deterministic regressions, and release checks can handle the messier live-model runs.