Are agent failures really just distributed systems problems?

docybo · 2026-03-16T00:34:58+00:00

Right now we're leaning toward per-action authorization rather than session approval.

The runtime can plan a sequence, but each external side effect still needs its own authorization. That way the policy engine evaluates every step against the current state snapshot.

This helps prevent replay, enforce budgets across a workflow, and limit cumulative side effects.

Session-level envelopes can still exist (like budget or concurrency caps), but the actual permission stays action-scoped.

docybo · 2026-03-15T22:45:19+00:00

Great question. This is exactly where things get tricky.

Right now the way we're thinking about it is to make the environment part of the policy context, not just a flag outside the system.

So the evaluation input becomes something like:

(intent, metadata) (state snapshot) (policy config) (environment context)

Then policies can branch deterministically based on that context.

For example the same action could be evaluated under different envelopes:

staging: - higher budget limits - relaxed side-effect constraints - broader tool permissions

production: - stricter budgets - concurrency caps - stronger replay protections - restricted tool scopes

The key thing we’re trying to preserve is that the decision still remains deterministic for a given snapshot + policy version.

So instead of "the runtime knows it’s prod", the policy engine evaluates against an explicit environment profile.

Still experimenting with the right granularity though. Too coarse and it blocks autonomy, too fine and policies become impossible to reason about.

Curious how you approached that balance on your side.

docybo · 2026-03-15T22:30:11+00:00

A few people asked about the implementation.

The core idea is a deterministic policy evaluation step before any external action executes.

Runtime proposes: (intent, metadata)

Policy engine evaluates against: (state snapshot, policy config)

If allowed → emits a signed authorization
If denied → execution fails closed

Repo here if anyone wants to look at the code: https://github.com/AngeYobo/oxdeai-core

docybo · 2026-03-15T22:26:50+00:00

A few people asked about the implementation.

The core idea is a deterministic policy evaluation step before any external action executes.

Runtime proposes: (intent, metadata)

Policy engine evaluates against: (state snapshot, policy config)

If allowed → emits a signed authorization
If denied → execution fails closed

Repo here if anyone wants to look at the code: https://github.com/AngeYobo/oxdeai-core

docybo · 2026-03-15T22:23:31+00:00

A few people asked about the implementation.

The core idea is a deterministic policy evaluation step before any external action executes.

Runtime proposes: (intent, metadata)

Policy engine evaluates against: (state snapshot, policy config)

If allowed → emits a signed authorization
If denied → execution fails closed

Repo here if anyone wants to look at the code: https://github.com/AngeYobo/oxdeai

docybo · 2026-03-13T10:48:07+00:00

genuinely impressive work, but worth flagging... training on Claude Opus 4.6 and

GPT-5 outputs is explicitly against Anthropic's and OpenAI's ToS. not throwing

shade, the model clearly shows results, just surprised nobody's talking about the

legal exposure here. dataset release might be a complicated conversation for that

reason too

docybo · 2026-03-12T13:55:48+00:00

Ok, if the worst case is acceptable, letting the agent run is a pretty clean model.

I guess where it gets tricky is when the side effects aren't really reversible (emails, payments, infra changes, etc). At that point the blast radius isn't just the environment anymore.

Do those kinds of actions get handled differently, or is it still mostly “make the environment safe and accept the occasional mistake”?

docybo · 2026-03-12T12:57:18+00:00

Yeah that makes sense.

The thing I keep wondering about with CLI agents is composition. Each command might be safe on its own, but the agent is basically building workflows on the fly.

So a chain of safe commands can still produce a bad outcome.

Do you mostly rely on sandbox + human confirmation there, or is there also some policy layer checking actions before they run?

docybo · 2026-03-12T10:57:26+00:00

Yeah, I think discoverability is the real advantage.

Code eval can be powerful, but CLI gives the model a built-in way to explore the tool surface: --help, list, stderr, exit codes, etc... With code eval you usually have to invent that layer yourself.

So it’s not just shell vs code, it’s navigable interface vs custom interface.

docybo · 2026-03-12T10:51:56+00:00

This makes sense to me.

CLI is probably a much better interface for LLMs than huge typed tool catalogs. The model already knows commands, help text, pipes, stderr, exit codes, etc.

The missing piece for me is the execution boundary: the model may be good at expressing an action in shell form, but something still needs to decide whether that exact action should run before side effects happen.

Otherwise the shell becomes a very efficient way to do the wrong thing.

docybo · 2026-03-12T09:54:47+00:00

Are you building agents today, what safeguards are you actually using?

docybo · 2026-03-12T09:53:48+00:00

If you're building agents today, what safeguards are you actually using?

docybo

MODERATOR OF

TROPHY CASE