[docjay]

I tested a similar approach, but the issue, along with the solution to that issue, is that they’re autocomplete engines. Phrases like “Reply X to confirm” are a request with a high probability that X becomes the response. If you zoom out and look at the sequence from a text continuation perspective, once the ‘delete’ tokens are in play the “confirm” step is just how that exchange tends to go. It’s a bit like saying “Begin your response by saying ‘Yes’, then decide if that’s really the case.”

But you can simulate the effect of thinking and shift the token probabilities around by gaslighting it and having it explain the effect of running the command before it does it. What I found worked well was when a destructive command was detected my system automatically ignored it and edited the prior message to tack on a variation of “Briefly step through the effect of {{command}}, then continue the task.” It has ‘no idea’ why it’s explaining the command, as far as it ‘knows’ it didn’t issue the command and thus it’s not committed to a probability sequence that ends with confirming it. However, if the explanation includes “it would destroy the production database” then the continuation tends not to lead to issuing the command. But if it came through a second time it was allowed to run.

I quit bothering with it when I found that ‘destructive typos’ were mostly caused by perplexity, typically in the system prompt… assuming you prompt it like an adult and not like the person that just got their junk deleted. Still, it works well if that stuff is out of your control.