Implementing Tools and Safety

Module 6, Lecture 6.2 | Building the Coding Agent

This lecture replaces the stub tools from Lecture 6.1 with real filesystem operations — list_files, read_file, and edit_file — and introduces the safety mechanisms that keep an agent inside its sandbox. The central principle is that tools are the only path through which an agent can affect the world: every safeguard, every error message, and every guardrail is something the developer puts in code. The lecture establishes the tool contract (accept arguments, return a string), shows why specific error handling is communication with the model rather than mere exception catching, and walks through validate_path with os.path.realpath as deterministic enforcement of directory boundaries. It closes with the confirmation pattern for destructive operations and a defense-in-depth framing that layers prompt guidance, tool-level validation, and dispatcher catch-alls.

Read the full lecture narrative

Additional Resources

• Lecture slides
• OWASP — Path Traversal — the canonical authoritative reference for the path traversal attack class.
• PortSwigger Web Security Academy — File path traversal — detailed walkthrough of how traversal attacks work, including encoded variants, and how to prevent them.
• OWASP — LLM Prompt Injection Prevention Cheat Sheet — extends the "prompts are advisory, tools are authoritative" principle into a broader defense-in-depth framework for LLM applications.
• Anthropic — Tool use with Claude — official documentation on the tool-use protocol, including guidance on returning errors via is_error in tool_result blocks.
• Python docs — os.path — reference for realpath, join, dirname, and the os.sep attribute used in validate_path.
• Simon Willison — The dual LLM pattern for building AI assistants that can resist prompt injection — influential design pattern that complements the lecture's tool-enforcement framing.