Server-side confirm gate for an AI phone agent — stops a mishear before it runs

jesse@cvps : ~/blog — zsh
$ git log --oneline -1 skip_trace/confirm_gate.py
// TECHNICALLY SPEAKING


How I built a structural name-confirm gate so the skip-trace agent can’t take action on a name it hasn’t echoed back and had confirmed.

## THE NEWS HOOK

LWN covered an AI agent running amok across Fedora and other systems — taking real actions on bad input because nothing in the architecture said “stop and check first.” I read that while I was mid-way through ripping out the exact same failure mode from my own skip-trace agent. Good timing.

## WHAT THE OLD DESIGN GOT WRONG

The agent was stateful about the readback step — it tracked whether a name had been confirmed in a session object the LLM could influence. That means if the model got confused, or the session state was missing, the gate could just… pass. I had a fallback, but it failed open. A mishear on a phone call could have triggered a real search on the wrong name. That’s not a logging problem or a retry problem. That’s a design problem.

```diff
- if session.get("name_confirmed") or fallback_ok:  # LLM could influence this
+ if not call_id or not confirmed_name: raise HardStop("gate fails closed")
```

## WHAT I SHIPPED INSTEAD

The gate is now server-side and structural. The agent echoes the name back on the call. The caller confirms it. That confirmation is recorded on the server before the search function is even reachable. No call_id, no confirmed_name — no search. Full stop. The LLM doesn’t get a vote on whether the gate is open. It literally cannot reach the tool.

```python
class HardStop(Exception):
    """Raised when the gate fails closed; the search tool is never reached."""


# server-side gate — called before search tool is exposed to the agent
def require_name_confirm(call_id: str, confirmed_name: str) -> None:
    if not call_id or not confirmed_name:
        raise HardStop("name confirm gate: fails closed — no call_id or confirmed_name")
    # only reachable if both are present and set server-side
    return
```

I also cleaned up the acknowledgment messages so the agent’s verbal responses don’t include PII. Sarah takes the request and moves on — she doesn’t repeat a name back in a way that could leak it into a log. The echo happens only in the structured confirm step, which is where it belongs. See more build notes in the TECHNICALLY SPEAKING archive, and the code lives at
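To show how the two pieces fit together (the fail-closed gate from the previous section and the PII-free acknowledgment from this one), here is an added example that is not the post's own code. `ConfirmStore`, `expose_tools`, `run_search` and the affirmative-reply set are hypothetical names chosen for the illustration; the point is that only server code writes the confirmation record, and the LLM-influenced session dict is ignored when deciding whether the search tool is exposed.

```python
from dataclasses import dataclass, field

AFFIRMATIVE = {"yes", "correct", "that's right"}  # constructed sample replies


class HardStop(Exception):
    """Raised when the gate fails closed; the search tool is never reached."""


@dataclass
class ConfirmStore:
    """Server-side record: call_id -> name the caller explicitly confirmed.
    Only server code writes here; the agent has no tool that touches it."""
    _confirmed: dict = field(default_factory=dict)

    def record_confirmation(self, call_id: str, echoed_name: str, reply: str) -> bool:
        # Recorded only after the structured readback step gets an affirmative reply.
        if call_id and echoed_name and reply.strip().lower() in AFFIRMATIVE:
            self._confirmed[call_id] = echoed_name
            return True
        return False

    def confirmed_name(self, call_id: str):
        return self._confirmed.get(call_id)


def require_name_confirm(call_id: str, confirmed_name) -> None:
    # Fails closed: missing call_id or missing confirmation means no search.
    if not call_id or not confirmed_name:
        raise HardStop("name confirm gate: fails closed")


def run_search(call_id: str, name: str) -> str:
    # Stand-in for the real skip-trace search; reachable only via expose_tools.
    return f"search:{call_id}:{name}"


def expose_tools(store: ConfirmStore, call_id: str, llm_session: dict) -> dict:
    """Return the tools the agent may call this turn. llm_session is accepted
    only to show it is deliberately ignored: it cannot open the gate."""
    # Acknowledgment carries no PII, so it is safe to log or speak aloud.
    tools = {"ack": lambda: "Got it, one moment."}
    name = store.confirmed_name(call_id)
    try:
        require_name_confirm(call_id, name)
    except HardStop:
        return tools  # gate closed: search tool is simply not present
    tools["search"] = lambda: run_search(call_id, name)
    return tools
```

A model that sets `name_confirmed` in its own session state still gets no `search` key; only a server-recorded affirmative reply to the echoed name adds it.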
