llm-integration-is-defense-in-depth-across-layers
OUT derived (depth 4)
All LLM integration achieves defense-in-depth across two independent layers: application-level defensive bounding provides iteration caps, fail-soft error handling, Jaccard retraction guards, and hallucination filtering across all LLM-facing operations, while infrastructure-level process isolation executes all LLM calls through subprocess boundaries with CLAUDECODE environment scrubbing to prevent recursive invocation — ensuring safety at both the semantic and process boundaries.
Summary
LLM integration in this system was believed to provide two independent safety layers — one at the application level with caps, error handling, and hallucination filtering, and one at the infrastructure level with subprocess isolation and environment scrubbing to prevent runaway recursive calls. This claim is currently retracted, meaning one or both of those layers may not hold as described, so the defense-in-depth guarantee cannot be relied upon.
Justifications
SL — Application-layer defense and infrastructure-layer isolation are independent safety dimensions that combine into comprehensive defense-in-depth
Antecedents (all must be IN):
- all-llm-operations-are-defensively-bounded — All three LLM-facing operations — interactive query (ask), batch derivation (derive), and belief classification (list_negative) — apply consistent defensive patterns: bounded execution, fail-soft error handling, hallucination filtering, and graceful degradation on LLM unavailability.
- all-external-execution-is-subprocess-isolated — All LLM-facing operations execute through subprocess isolation with environment scrubbing: derive shells out to CLI binaries rather than importing SDKs (achieving provider agnosticism), and both derive and ask independently strip the CLAUDECODE environment variable (preventing recursive invocation) — two independent safety goals achieved through the same architectural choice.
Dependents
These beliefs depend on this one:
- defense-in-depth-spans-llm-and-system-boundaries — Defense-in-depth is enforced at every external interface through two independently-established layers: LLM integration applies layered defenses across application and process isolation boundaries (bounded execution, fail-soft handling, subprocess isolation), while all system boundaries simultaneously enforce strict validation, evolution tolerance, and resource constraints.