all-llm-interactions-are-bounded-and-fail-soft

OUT derived (depth 2)

All LLM-facing operations apply consistent defensive patterns across both interactive (ask) and batch (derive) paths: bounded execution (iteration caps, timeout handling), fail-soft error recovery (fallback to raw results or skipped proposals), and environment isolation (stripping recursive invocation variables).

Summary

Every place the system calls an LLM — whether answering a question or generating new derived knowledge — uses the same safety guardrails: hard limits on how long it can run, graceful handling when the LLM fails or misbehaves, and protection against accidentally spawning itself recursively. This means no single LLM call can hang the system, crash it, or spiral out of control.

Justifications

SL — Both LLM interaction paths share bounded-and-fail-soft design, ensuring no LLM failure can crash or hang the system

Antecedents (all must be IN):

  • ask-is-fault-tolerant-and-bounded — The ask module is fault-tolerant (always returns a string, catches LLM failures, falls back to raw FTS5 search) and execution-bounded (tool loop capped at 3 iterations), ensuring reliable bounded knowledge retrieval regardless of LLM availability.
  • derive-pipeline-is-defensive — The derive pipeline applies multiple defensive measures: fail-soft validation, Jaccard-based retraction guard, and environment variable stripping to prevent recursive spawning

Dependents

These beliefs depend on this one:

Details