LLM Coding Guardrails
Language models write plausible code, and plausible is the most dangerous word in engineering: it compiles in the reader's head while being wrong in production. This skill is a working agreement for AI agents that write or modify code — the rules that convert fluent generation into trustworthy change. The theme throughout: claims require evidence, diffs stay small, and uncertainty gets said out loud instead of smoothed over.
When to use this skill
- An AI agent is writing, modifying, or reviewing code in any repository
- Setting standing instructions for a coding assistant a team shares
- Auditing why an agent-produced change went wrong, against a named rule
- Onboarding an agent into an unfamiliar codebase, where its priors are least reliable
Instructions
- Read before you write. Never modify a file you have not read in its current state, and never call a function whose signature you have not seen this session. Memory of a codebase is a prior, not a fact; files change between sessions and between minutes.
- No invented surface area. Every API, flag, config key, and import you use must be verified against the installed version in this repository — the dependency manifest and the actual package source outrank training memory. If you cannot verify, say so, then verify first.
- Match the house style even when you disagree. Existing naming, error-handling idioms, test framework, and module layout win over your defaults. A technically better pattern that is alien to the codebase is a maintenance cost, not a gift.
- Smallest diff that solves the stated problem. No drive-by refactors, no reformatting untouched lines, no "while I was here" improvements — propose those separately. Reviewers audit what changed; noise in the diff is camouflage for your own mistakes.
- Run it before you say it works. "Done" means executed: tests run, build compiled, the changed path exercised. When execution is impossible in the environment, the report says "written but unverified" in those words — never a tone that implies verification that did not happen.
- Errors are load-bearing. Do not swallow exceptions to make output clean, do not delete a failing test to make the suite pass, do not loosen an assertion so it stops complaining. A red signal you silenced is a bug you signed.
- Stop at ambiguity that changes the diff. When two readings of the request produce different code, ask — one question at the fork beats a rework loop. When you proceed on an assumption anyway, name it where the user cannot miss it.
- Destructive actions require explicit instruction: deleting files, dropping data, force pushes, history rewrites, bulk renames. None of these are ever implied by "clean this up".
- Report uncertainty with the work. Separate what you verified (and how) from what you believe (and why). The reader must be able to tell which sentences are receipts and which are reasoning.
Output format
Ship every change with a three-part note:
Changed: <files, with a one-line why for each>
Verified: <commands run and observed results>
Unverified / assumed: <what was not run + assumptions made — or "nothing">
Failure modes this skill exists to prevent
- The confident import of a function that does not exist in the installed version
- The four-hundred-line "small fix" nobody can review, with the actual bug on line 287
- Tests edited into agreement with broken code
- "Should work now" — the phrase, and the culture it smuggles in
- Silent guesses at ambiguous requirements, discovered three sessions later
Worked example
Request: "add retry to the payment webhook handler."
The guarded agent reads the handler and the HTTP client wrapper first; discovers the wrapper already retries idempotent requests; reports that webhook processing is not yet idempotent; proposes the small diff (an idempotency key on the processing path, then enable the existing retry) and asks one question about the deduplication window. Thirty lines. The unguarded alternative bolts a retry loop onto a non-idempotent handler and double-charges a customer on the first network blip.