Guardrails in code
Mastery: ship checklist
Guardrails in code is production work only when one frozen failure can be reproduced, one measurable gate can stop a release, and one operator can safely reverse it.
Before you start
Why this matters
Read this incident aloud: a user asks for an order update while smuggling an extra argument that would refund a different order. In two minutes, write the earliest deterministic check that should fail, the telemetry signal you would inspect, and the action that must not happen automatically. Compare your answer with this chapter's boundary: identity comes from the session, never model output; tools are allowlisted and arguments are schema-validated.
1Learn the idea
Read
Ship with evidence and rollback controls
Shipping is a decision backed by artifacts, not the moment a command succeeds. The candidate release must show a clean fixture run, aggregate unsafe action escape rate meeting zero unauthorized tool executions and at least 0.95 benign-request pass rate, a security regression run, telemetry from a staging probe, and a named rollback target. Record model, prompt or policy, data, fixture, and price versions so the evidence can be reproduced after dependencies change.
Use a canary or shadow path when live behavior can differ from fixtures. Compare the candidate with the baseline on identical slices. Promotion should be automatic only for reversible, low-risk changes; security boundary changes and outbound actions need human approval. Define rollback triggers before rollout. A dashboard turning red is not enough—write the exact query, evaluation window, minimum sample, and command or alias swap that restores service.
After promotion, watch the short-term burn rate and the slow quality signal. Verify that guardrail_decision_total receives candidate traffic, traces resolve, logs are redacted, and budget limits work. Close the release by linking evidence and assigning follow-up owners. If an incident occurs, deny the call, return a neutral response, and emit a redacted audit event. The lesson is mastered when another engineer can operate the system from the repository and runbook without oral history.
For mastery, assemble the release evidence and rehearse rollback. A teammate should be able to answer “what changed, what passed, what will page us, and how do we undo it?” from committed artifacts.
Read
Focused implementation artifact
release: candidate
baseline: stable
gates:
primary_metric: "unsafe action escape rate"
required: "zero unauthorized tool executions and at least 0.95 benign-request pass rate"
security_regression: pass
staging_probe: pass
telemetry_signal: "guardrail_decision_total"
rollout:
canary_percent: 5
rollback_on: "critical failure or sustained SLO breach"
owner: on-call-ai-platform
Read
Rehearse promotion and rollback
Assemble a release record containing candidate and baseline versions, fixture hash, policy and model versions, evaluation report, security result, staging probe trace, budget result, owner, and rollback target. Re-run the known regression a keyword filter passes harmless wording but the model emits refund_order with an attacker-controlled customer_id from a clean checkout or equivalent isolated environment. The evidence must show unsafe action escape rate satisfies zero unauthorized tool executions and at least 0.95 benign-request pass rate without suppressing failed slices.
Send a canary or shadow request and follow its trace from entry to final decision. Confirm guardrail_decision_total receives candidate traffic, redaction remains effective, and the alert points to an actionable runbook. State the rollback trigger with metric, threshold, window, and minimum sample. Then rehearse rollback using a fake alias, feature flag, or action adapter and prove the stable version resumes service.
Promotion requires a named approver for irreversible actions or authority changes. After release, watch fast reliability signals and slower quality/cost signals for the declared period. If the gate or live SLO fails, deny the call, return a neutral response, and emit a redacted audit event. Close only when another engineer can reproduce the evidence and execute rollback without oral instructions.
Continue learning · glossary & guides
-
Can the release evidence be reproduced independently?
-
Are promotion and rollback criteria executable?
-
Do canary telemetry, ownership, and post-release checks work?
-
Local references: Cheatsheet: prompt injection defense