AI | Bullish | Importance 7/10

LACUNA: Safe Agents as Recursive Program Holes

arXiv – CS AI | Yaoyu Zhao, Yichen Xu, Oliver Bračevac, Cao Nguyen Pham, Frank Zhengqing Wu, Martin Odersky
AI Summary

LACUNA is a new programming model that allows LLM agents to write code that shapes their own runtime environment while maintaining safety through type-checking and validation. The system rejects unsafe code before execution and uses compiler diagnostics to drive retries, achieving competitive performance on benchmark tests while preventing prompt injection and tool misuse attacks.

Analysis

LACUNA addresses a fundamental architectural challenge in LLM agent systems: the disconnect between the runtime that controls execution and the model-generated code that performs actions. Traditional agent frameworks keep the two strictly separated, which limits expressiveness but protects against cascading failures. This research proposes collapsing that boundary through a typed programming primitive: each agent action is a typed call that the model fills with code, and the filled code is validated before it is allowed to execute.

The safety mechanism relies on type-checking and static analysis rather than runtime constraints alone. When code is rejected, the environment remains untouched and compiler diagnostics automatically trigger retries without human intervention. This approach prevents prompt injection attacks and tool misuse from propagating through the entire system, a critical concern when agent-written code can modify runtime behavior.

The practical impact is significant for agent reliability and capability. Test results show 8.6% of generations are rejected before execution on BrowseComp-Plus with minimal retry overhead, while achieving 27.1% accuracy on that benchmark and 76% on τ²-bench across four domains. These results demonstrate that safety validation imposes manageable performance costs.

For the AI development community, LACUNA represents progress toward safer, more expressive agentic systems without sacrificing capability. The programming model unifies diverse patterns—ReAct loops, sub-agents, skill composition, and parallel decomposition—under ordinary control flow. This could influence how future agent frameworks balance expressiveness with safety, particularly in autonomous systems that interact with external tools and APIs. The research suggests type-safe abstractions offer a viable middle ground between rigid safety constraints and unrestricted code execution.

Key Takeaways
  • LACUNA validates agent-generated code through type-checking before execution, preventing unsafe code from modifying runtime state.
  • The system achieves 76% task completion on τ²-bench while rejecting 8.6% of unsafe generations, with only 0.7 average retries per query.
  • The programming model unifies ReAct loops, sub-agents, and parallel decomposition as ordinary control flow, improving expressiveness.
  • Safety violations trigger automatic compiler diagnostics and retries rather than failures or human intervention.
  • The approach addresses prompt injection and tool misuse attacks by bounding which tools and data each code action can access.
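The validate-then-execute gate described in the analysis and the last two takeaways, as an added toy example in Python (not code from the LACUNA paper or its authors): the tool schema, the candidate "generations" and the diagnostics format are constructed here, and the check is a deliberately narrow syntactic one rather than the paper's type system. Rejected candidates never touch the environment; only an accepted one is run.

```python
import ast

# Constructed tool schema (hypothetical): tool name -> required literal argument types.
TOOLS = {"search": (str,), "fetch": (str, int)}

def check(code: str, allowed: dict = TOOLS) -> list:
    """Static gate for model-written code: accept only top-level calls to the tools
    this hole exposes, with literal arguments of the declared types. Returns the
    diagnostics the runtime would feed back to the model (empty list = accepted)."""
    try:
        tree = ast.parse(code)
    except SyntaxError as e:
        return [f"line {e.lineno}: syntax error: {e.msg}"]
    diags = []
    for stmt in tree.body:
        call = stmt.value if isinstance(stmt, ast.Expr) else None
        if not isinstance(call, ast.Call) or not isinstance(call.func, ast.Name):
            diags.append(f"line {stmt.lineno}: only direct tool calls are permitted")
            continue
        name, sig = call.func.id, allowed.get(call.func.id)
        if sig is None:
            diags.append(f"line {stmt.lineno}: '{name}' is not a tool of this hole")
            continue
        if len(call.args) != len(sig) or call.keywords:
            diags.append(f"line {stmt.lineno}: {name} takes {len(sig)} positional args")
            continue
        for i, (arg, ty) in enumerate(zip(call.args, sig)):
            if not (isinstance(arg, ast.Constant) and type(arg.value) is ty):
                diags.append(f"line {stmt.lineno}: {name} arg {i} must be a {ty.__name__} literal")
    return diags

def run_action(env: list, candidates: list, allowed: dict = TOOLS):
    """Validate-then-execute loop. Each string in `candidates` stands in for one model
    generation (in a real system the next one would be produced from the previous
    diagnostics). Rejected code never touches `env`; returns (index of the accepted
    candidate or None, diagnostics for every rejected attempt)."""
    rejected = []
    for i, code in enumerate(candidates):
        diags = check(code, allowed)
        if diags:
            rejected.append(diags)
            continue
        # Only code that passed the gate reaches the environment; record each tool call.
        for stmt in ast.parse(code).body:
            env.append((stmt.value.func.id, tuple(a.value for a in stmt.value.args)))
        return i, rejected
    return None, rejected
```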