Day 5 · Lesson 4 — Spec-Driven Production Development

Zero-Trust Development: The Safety Net

An agent optimises for its goal with whatever it can find, unless something stops it.

A single prompt to "create a button" once sent fifty colleagues false emails: in auto-approve mode the browser agent clicked it, hallucinated a URL, and connected to a deprecated email agent with no safeguards. That's the whole lesson in one story: without a guardrail, an agent fulfils its goal using whatever it can find, never asking whether it should.

Recall first (spacing — from Day 4)

From Day 4: hard-coding rules into a system prompt is a weak control because —

  • It's too slow to load
  • It costs too many tokens
  • Context overflows and prompt injection bypasses it

Brittle: contexts overflow and agents can be "convinced" to break rules. Real guardrails must be external and tamper-proof. This lesson builds that safety net.

Why guardrails aren't optional

The paradox: agents must be autonomous enough to solve real problems, but can't be allowed to go rogue. Because LLMs are probabilistic, not deterministic, constraints baked into a system prompt are brittle: contexts overflow, and agents get talked past their rules by prompt injection. Production-grade platforms need external, tamper-proof governance.1 Four layers make up the net.

1 · Sandboxing — contain the blast radius

Execute agent tasks in ephemeral, low-privilege containers isolated from the network and sensitive files. If the agent is tricked into a destructive command, the damage is confined to a disposable instance that hits a hard kernel-level permission error, and the host stays untouched.1 (Day 4's Pillar 1, one toggle away.)

2 · Human-in-the-loop — the fail-safe on high-stakes actions

Checkpoint gates for actions with a specific risk profile: deploying to prod, modifying schemas, initiating transactions. The agent's sanitized intent is presented to a human for sign-off, so final responsibility for architectural integrity stays in human hands.1

3 · The Policy Server — the intelligent referee

The centerpiece: intercept every action before it hits an external system, in two layers:1

STRUCTURAL GATING (traffic lights) — deterministic role/env rules, fast + binary
   e.g. a "viewer" role cannot call send_email       (defined in policies.yaml)

SEMANTIC GATING  (intelligent referee) — a second LLM inspects INTENT + content
   e.g. an admin MAY use send_email, but MUST NOT send unmasked PII
   (you can't regex every possible leak — so a model judges the intent)

The flow: structural check (YAML) → semantic check (ask Gemini) → execute, or return a "Policy Violation" the agent can self-correct against. Its deepest idea: separate execution logic from governance logic, a critical separation of concerns for enterprise software.

4 · Context hygiene — sterilize the inputs

The "context hallucination" risk: lacking data, an agent fills gaps with whatever strings are in context: hardcoded emails, private URLs. Middleware masks PII and injects placeholders ([[COMMENTER_EMAIL]] resolved at runtime), so the agent operates on sterilized data and never hardcodes real PII.1

Plus the quality net: AI-generated test coverage (make the agent write a failing test before any fix, keep it in the codebase) and evaluation, because "tests catch deterministic regressions; evaluation catches behavioural drift." That single line ties Day 1, Day 4, and Day 5 together.

The governance layer — Day 5 lands on VERDICT

Governance overlay · Day 5 Lesson 4 — the whole framework, implemented

The Policy Server is VERDICT, in code

This lesson is the governance framework as a running service. Structural + semantic gating is V Validation, deterministic and intelligent. Sandboxing is R Runtime Control (blast-radius containment). HITL on high-stakes sinks is R + human approval. Context hygiene / PII masking is C Compliance. And "external, tamper-proof governance, separate from execution logic" is the exact thesis of the whole series: the enterprise wrapper (Day 2), the runtime pillars (Day 4), and VERDICT's "prevents AI from going unchecked," now shipped as a policy engine in front of every tool call.

Ladder read: rules in a system prompt = L1 (bypassable); an external policy server with structural + semantic gates, sandboxing, HITL, and context hygiene = the L3 Controlled production posture the entire course has been climbing toward.

Through your three lenses

Individual (IC)

Never run agents in YOLO auto-approve for actions that touch the world. Sandbox execution, and use placeholders ([[VAR]]) instead of hardcoding real emails/URLs an agent could send to.

Team

Stand up a Policy Server in front of tool calls (policies.yaml for structural rules, a semantic check for PII/intent), and require HITL sign-off on the high-stakes sink list.

Organisation

Mandate external, tamper-proof governance separated from execution logic. Rules in a system prompt are not a control. This policy-engine pattern is where VERDICT / the 7 pillars become an enforced runtime reality.

Check the reflex

Recall, don't re-read.

The Policy Server's two layers are —

Structural (deterministic role/env rules in YAML) + semantic (an LLM judging intent, e.g. no unmasked PII). Together they catch what regex can't, and separate governance from execution logic.

The 50-false-emails incident happened because the agent —

Context hallucination: lacking a URL, it connected to a deprecated agent and used hardcoded addresses, fulfilling its goal with whatever it could find, never checking whether it should.

"Context hygiene" middleware protects against leaks by —

Replace real PII with generic placeholders ([[VAR]]) resolved at runtime, so the agent operates on sterilized data and can't hardcode or leak sensitive strings.

Carry this into the week

Pick one agent that can act on the world. Ask: is there anything external to the model between its decision and the action firing? If the only "guardrail" is a rule in its system prompt, you have the 50-emails incident waiting to happen. A tiny policies.yaml gate is the fix.

Go deeper (primary source)

Spec-Driven Production Grade Development (Day 5), "Zero-Trust Development", "Implementing Guardrails", "Policy Server", "Context Hygiene" pp.26–34; the deeper security treatment is Day 4.


Notes

  1. Boonstra, Spec-Driven Production Grade Development (Day 5), pp.26–34 (the incident; guardrails; sandboxing; HITL; the hybrid Policy Server; AI test coverage; evaluation; context hygiene).

Up next → Day 5 · Synthesis. Reassemble the day (spec-driven → instructions → review → zero-trust) and link it to the whole series. Recall-only.

Related: Day 4 L4: circuit breakers · The Governance Layer (VERDICT) · ← Day 5 L3 · Course home