by zbyforgotp 25 days ago
We don't trust LLM execution, so we add user approvals. But task decomposition calls for co-recursion between code and prompts. This means that the approvals should be evocable at any depth. I think we need some kind of protocol for that (à la the Cubes OS protocols for cut and paste between VMs).

Maybe a workaround could be to use bubblewrap on the scripts that recursively call the LLM (and run the agent in yolo mode inside the wrap).

5 comments

Well, or not spawn any external commands, and actually have tools made of code written by someone who thought about what the agents at each level should be limited to doing.
Or just run agents in a container…
In the limit we want the LLM to write the code (like in RLMs).
Currently, having an LLM feed on its own output repeatedly is the fastest way to get it to hallucinate.
Transactional recursive agents?

Nothing is committed until the final top-level transaction is accepted.
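A minimal model of the two ideas above (approvals that can be requested from any recursion depth, and effects that are only staged until the top-level transaction is accepted), as an added example that is not code from anyone in this thread. Every name here is hypothetical: a plan is a constructed list of side-effect descriptions, a nested list is a sub-task delegated to a child agent one level deeper, and `ask_user` / `commit` stand in for whatever approval UI and effect executor a real agent runtime would provide.

```python
from dataclasses import dataclass, field
from typing import Callable, Union

# A plan step is either a side effect (str) or a sub-task (list) that a
# child agent runs one level deeper.  Plans below are constructed samples.
Step = Union[str, list]


@dataclass
class Transaction:
    """Staging area shared by every agent working on one top-level task."""
    ask_user: Callable[[int, str], bool]          # (depth, action) -> approved?
    staged: list = field(default_factory=list)    # (depth, action) pairs
    aborted: bool = False

    def request(self, depth: int, action: str) -> bool:
        """Approval is reachable from any depth; a single refusal aborts the task."""
        if self.aborted or not self.ask_user(depth, action):
            self.aborted = True
            return False
        self.staged.append((depth, action))       # staged, not yet executed
        return True


def run_agent(plan: list, tx: Transaction, depth: int = 0) -> bool:
    """Walk a plan, recursing into sub-plans as child agents of the same transaction."""
    for step in plan:
        if isinstance(step, list):
            if not run_agent(step, tx, depth + 1):
                return False
        elif not tx.request(depth, step):
            return False
    return True


def run_task(plan: list, ask_user, commit) -> tuple:
    """Run the whole tree; commit only if it finished and the root is accepted."""
    tx = Transaction(ask_user)
    finished = run_agent(plan, tx)
    if finished and tx.ask_user(0, f"commit {len(tx.staged)} staged effects"):
        for depth, action in tx.staged:
            commit(depth, action)                 # effects happen only here
        return ("committed", len(tx.staged))
    return ("rolled_back", 0)                     # nothing ever left staging


# Constructed sample: the top-level agent delegates work two levels deep.
SAMPLE_PLAN = [
    "write report.md",
    ["run tests", ["delete build/", "rebuild"]],
    "send summary",
]


def demo_approve_all():
    """Every request approved: all five effects are committed in plan order."""
    committed = []
    result = run_task(SAMPLE_PLAN, lambda d, a: True,
                      lambda d, a: committed.append((d, a)))
    return result, committed


def demo_deny_deep_delete():
    """A refusal at depth 2 rolls back everything, including effects staged earlier at depth 0."""
    committed = []
    result = run_task(SAMPLE_PLAN,
                      lambda d, a: not a.startswith("delete"),
                      lambda d, a: committed.append((d, a)))
    return result, committed


if __name__ == "__main__":
    print(demo_approve_all())
    print(demo_deny_deep_delete())
```

The design point is that the `Transaction` object, not the individual agent, owns both the approval callback and the staging list, so a child spawned by a child still reaches the same user and the same rollback. The second demo shows why staging matters: "write report.md" was approved at depth 0 before the depth-2 refusal, yet it is never executed.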

Too late to fix it, but of course I meant https://www.qubes-os.org/
zerostack contains a --sandbox flag that forces bwrap usage on all shell tool usage