Error Boundaries for Agents: Containing Blast Radius
A misbehaving agent can do a lot of damage in a short time. It can rewrite the wrong file, delete rows you cared about, or post content you did not approve. Error boundaries are the pattern that keeps those failures contained. They are simple to implement and they have saved me more than once.
What An Error Boundary Does
An error boundary is a piece of wrapper code that sits between the agent and a sensitive operation. It inspects the agent's intended action, validates it against explicit rules, and either lets it through or blocks it with a structured error.
Unlike a prompt instruction that says "do not delete files," an error boundary is enforced at the code level. The agent cannot talk its way around it. That is the point.
Where I Put Boundaries
I wrap boundaries around anything that is expensive, irreversible, or external:
- Database writes: no deletes without a whitelist of safe tables
- File writes: no writes outside the project directory
- Network calls: allowlist of domains the agent can reach
- Shell commands: deny anything matching a blocklist pattern
```python
# Allowlist: the only tables the agent may delete from; everything else is rejected.
ALLOWED_TABLES = {'posts', 'categories'}

def safe_delete(table: str, key: dict) -> dict:
    # Enforced in code, so a prompt cannot talk its way past it.
    if table not in ALLOWED_TABLES:
        raise PermissionError(f'delete not allowed on {table}')
    return db.delete(table, key)  # db: the application's database client (not shown here)
```
The Structure That Works
Every boundary I write has the same three parts:
- An allowlist (not a blocklist). Blocklists are guesswork. Allowlists are exhaustive.
- A structured error when the check fails, so the agent can decide what to do next.
- A log entry for every block, so I can audit what the agent tried to do.
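As an added example (not the post's own code), here is how those three parts fit together for two of the boundaries listed earlier: file writes confined to the project directory and network calls limited to an allowlist of hosts. The project root, the host list, the URLs and the sample paths are all constructed for the demo; the `BoundaryError`, `FileWriteBoundary`, `NetworkBoundary` and `run_guarded` names are mine.

```python
# Added example, not the post's own code: an error boundary built from the three
# parts described above (allowlist, structured error, audit log), applied to
# file writes and outbound network calls. All paths and hosts are constructed.
import json
import logging
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

log = logging.getLogger("agent.boundary")


class BoundaryError(PermissionError):
    """Structured rejection: carries the operation, the target, why it was
    blocked and what the allowlist is, so the agent can choose a next step."""

    def __init__(self, operation: str, target: str, reason: str, allowed: list):
        self.detail = {"operation": operation, "target": target,
                       "reason": reason, "allowed": allowed}
        super().__init__(json.dumps(self.detail))


def _block(operation: str, target: str, reason: str, allowed: list):
    # Part three: every block is logged before it is raised, for later audit.
    log.warning("blocked %s target=%r reason=%s", operation, target, reason)
    raise BoundaryError(operation, target, reason, allowed)


class FileWriteBoundary:
    """Part one for files: the allowlist is a single resolved project root."""

    def __init__(self, project_root: str):
        self.root = Path(project_root).resolve()

    def check(self, path: str) -> Path:
        # resolve() collapses '..' and follows symlinks, so a relative path
        # that climbs out, an absolute path elsewhere, or a link that points
        # outside the root are all compared by their real location.
        target = (self.root / path).resolve()
        # is_relative_to() compares path components; a plain string-prefix
        # check would also accept a sibling directory such as '<root>2/'.
        if not target.is_relative_to(self.root):
            _block("file_write", path, "path resolves outside project root",
                   [str(self.root)])
        return target

    def write_text(self, path: str, content: str) -> Path:
        target = self.check(path)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
        return target


class NetworkBoundary:
    """Part one for network calls: exact host allowlist, https only."""

    def __init__(self, hosts):
        self.hosts = {h.lower() for h in hosts}

    def check(self, url: str) -> str:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            _block("network", url, "only https is allowed", sorted(self.hosts))
        # Exact match, not endswith(): a suffix check accepts more names than
        # the ones actually on the list.
        if host not in self.hosts:
            _block("network", url, "host not in allowlist", sorted(self.hosts))
        return url


def run_guarded(fn, *args) -> dict:
    """Part two from the agent's side: the loop receives a plain dict it can
    inspect instead of an exception it might not handle."""
    try:
        return {"ok": True, "result": str(fn(*args))}
    except BoundaryError as exc:
        return {"ok": False, "error": exc.detail}


def demo() -> dict:
    """Constructed walkthrough: one allowed and several blocked actions per boundary."""
    with tempfile.TemporaryDirectory() as tmp:
        files = FileWriteBoundary(tmp)
        net = NetworkBoundary(["api.example.com"])
        root = Path(tmp).resolve()
        sibling = root.parent / (root.name + "2") / "x.txt"  # string-prefix trap
        return {
            "inside": run_guarded(files.write_text, "notes/todo.md", "hello"),
            "traversal": run_guarded(files.write_text, "../outside.txt", "x"),
            "absolute": run_guarded(files.write_text, str(root.parent / "outside.txt"), "x"),
            "sibling": run_guarded(files.write_text, str(sibling), "x"),
            "allowed_host": run_guarded(net.check, "https://api.example.com/v1/items"),
            "other_host": run_guarded(net.check, "https://api.example.com.test/v1/items"),
            "plain_http": run_guarded(net.check, "http://api.example.com/v1/items"),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The boundary raises a `PermissionError` subclass so existing `except PermissionError` handlers still catch it, while `run_guarded` is what the agent loop actually calls: a blocked action comes back as `{"ok": false, "error": {...}}` with the allowlist attached, which is enough for the agent to retry with a permitted target or give up cleanly.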
What They Do Not Do
Error boundaries do not make your agent smarter. They do not replace good prompting. They do not handle every failure mode. What they do is make the worst-case outcome survivable. When the agent has a bad day, the blast radius is contained to what the boundary allowed. Everything else is rejected at the gate.
If you run agents in production, start here. Everything else is a feature. Boundaries are insurance.
The OWASP Top 10 for LLM Applications covers more failure modes.