LLMs are stochastic engines. Randomness isn't a bug to fix — it's a feature to contain. Don't beg the LLM to behave; build deterministic constraints it cannot see, modify, or bypass.
LLMs produce probabilistic outputs.同一個 input,跑兩次可能有唔同 output。呢個唔係缺陷 — 係佢嘅本質。你唔會因為骰仔有隨機性就叫佢壞咗。你會設計一個圍欄,令佢嘅隨機性只喺安全範圍內發生。
Implication: 安全同可靠性唔應該寄託喺 System Prompt 嘅軟性規則上(「拜託 LLM 守規矩」),而應該做喺 LLM 摸唔到嘅 code / DB / infra 層。
| Layer | What It Does | Fibon Example | Hermes Equivalent |
|---|---|---|---|
| Prompt | Behavioral guidance (soft) | System Prompt rules | AGENTS.md, coaching notes |
| Code | Deterministic enforcement | AgentCoordinator checks | Sandbox protocol, delegation limits |
| Database | Atomic constraints | PostgreSQL UPDATE with WHERE | Config.yaml hard limits |
| Infrastructure | Physical isolation | OS-level path whitelisting | Container isolation, file system |
Rule of thumb: 越落去嘅層越硬。Prompt 係最軟嘅,Infra 係最硬嘅。
Our current setup relies heavily on Layer 1 (AGENTS.md). Layers 2-4 exist but are thin:
_sandbox/ protocol is convention, not enforced in codemax_spawn_depth=1 in config is close to a fence, but no concurrency/round trackingThe gap: AGENTS.md says "always /plan first" — but nothing prevents execution without planning. A fence would be: code that checks if plan exists before allowing execution.
fibon's Aaron: building database-level brakes costs ~half a day; the protection is permanent regardless of how badly the LLM is tricked upstream.
反过来:把限制做在 Prompt 裡看似省力,但只要被绕過一次,等你嘅就係資源耗盡、帳單爆表。喺呢種不對稱風險下,選稍微貴一點但更可靠嘅底層防禦,先係理性選擇。
System 唔應該要求 LLM 係好人先安全。System 應該設計成 — 即使 LLM 做最壞嘅嘢,損害都有限。
呢個同安全工程嘅 principle of least privilege 一致:唔係信任用戶唔做壞事,而係畀佢最少嘅權限令壞事做唔到。