Streaming tool calls without losing your mind

Streaming a text response is easy: print tokens as they arrive, order doesn’t matter to the reader. Streaming a tool call is not, because the payload is JSON, and partial JSON is not valid JSON. The three ways people handle that mismatch, why two of them break in production, and the pattern that lets you show progress without ever executing on a half-formed argument.

July 16, 2026 · 6 min · 1076 words · Loop & Retry

Tool output is untrusted input: prompt injection is a data-flow bug

Prompt injection isn’t a prompting problem, so you can’t prompt your way out of it. It’s the same class as SQL injection: data from an untrusted source crosses into a control channel and gets executed as instructions. The web page your agent just fetched, the ticket it just read, the email in its inbox — all of it is attacker-controllable input flowing straight into the one component that can’t tell data from commands. Here’s the data-flow framing, why ‘ignore injected instructions’ can’t work, and the boundary that actually helps.

July 13, 2026 · 8 min · 1517 words · Loop & Retry

Your retry just sent the email twice: idempotency keys for agents

Retrying a read is free. Retrying a write can charge a card twice, send two emails, or book two rooms — and the model has no idea it happened. Retry safety is a property you build into the tool, not a flag you set on the loop. Here’s why at-least-once delivery is the default you’re actually running, how to derive a stable idempotency key from an agent’s intent, and a dedup wrapper that makes any write safe to retry.

July 13, 2026 · 8 min · 1535 words · Loop & Retry

Designing tools an LLM won't misuse

A tool schema is a contract with a caller that guesses. This is a concrete walkthrough of the four properties that separate a tool a model uses correctly from one it fumbles: legible schemas, validating boundaries, recoverable errors, and idempotency — with before-and-after code.

July 6, 2026 · 9 min · 1759 words · Loop & Retry