The goal of this series is simple:
If a decision can be turned into rules, we should “siliconize” it.
That is: move decisions from “interpretation-driven” to deterministic, replayable judgments.
“Determinism” here is not about “the correct time” or “powerful magic.”
What we really want is:
- Ordering: don’t break which came first
- Replay: later, with the same input + grounds + procedure, return to the same conclusion
Shared principles across the series
0) Label the target first (RML: which world is this decision in?)
Whether a decision can be “siliconized” is often determined before implementation—by the world (responsibility scope) the decision belongs to.
This series assumes a “world label” up front:
- RML-1 (Closed World): not outside yet / safe to fail (simulation, dry-run)
- RML-2 (Dialog World): counterparties exist / recover via dialog + compensation (sagas, retries, reconcile)
- RML-3 (History World): irreversible history / correct-forward with refunds, explanations, audits (ledger)
Once you fix:
“Which world does this decision live in?”
…it becomes much harder for the design to drift:
- how far you may automate
- where human approval or correction events are needed
- what must be kept as “non-erasable logs”
1) Split proposing from deciding
Whether it’s an LLM or a human, proposals can wobble—and that’s fine.
What must be stable is the side that decides accept/reject:
- Propose (probabilistic): LLM/humans produce a plan
- Verify (deterministic): rules return ACCEPT / REJECT / DEGRADE
- Execute (authority + audit): only verified, typed operations may pass
2) Make “insufficient information” first-class (DEGRADE)
In real operations, the common failure is not “rule violations,” but missing grounds.
So the first branch to design is not REJECT, but:
DEGRADE (defer / hold / request missing)
DEGRADE is not “stop.” It’s stop in a re-enterable way:
enumerate missing fields mechanically, and make it operable under SLOs.
3) Pin the grounds into logs (make incidents replayable)
A “plausible explanation” is not auditable grounds.
What must be pinned is:
- input schema
- policy/version
- reason codes
- evidence IDs
- an authority for ordering
Reading order (recommended)
From top to bottom, it naturally flows: agents → operations → distributed foundations.
1) The Real Reason AI Agents “Work” in Software (series intro)
Why “agents succeed” in software is not model intelligence, but deterministic guardrails (verifiers) already baked into the environment.
2) Don’t “Execute” the LLM: Typed Actions + Verifiers for Safe Business Agents
Never execute free text. Use Typed Actions + a deterministic verifier to prevent operational accidents.
3) Design DEGRADE (Defer) and Your Agent Becomes “Operations”
Once you can handle “missing,” you eliminate interpretation hell and turn workflows into re-enterable operations.
4) Grow the Verifier, Not the Prompt: Run Production with 10 Golden Cases
What must be stabilized is not the LLM output, but the verifier output:
verdict / reason / missing / normalized_plan. Includes how to “grow” it under CI.
Domain application (turn determinism into business reality)
5) Billing That Won’t Break: Deterministic Design to Kill Double Charges (API Contract × DB Boundary × Execution Patterns)
In “fatal if broken” billing domains, push design toward ordering, idempotency, auditability:
API contracts × DB boundaries × execution patterns.
6) Make A/B Tests Operable: Goal Surface × Deterministic Logs × Safe Automation (dry-run / shadow / canary / rollout)
Turn experiments from “one-off analyses” into operations:
connect multi-objective + constraints (goal surface) with DEGRADE, watermarking, and pinned logs.
Foundations (don’t break ordering and replay)
7) Deterministic Time: Don’t Break Ordering and Replay in Distributed Systems
Even without TrueTime, you can build “ordering authority” via seq / watermark / HLC.
Also covers late data, trace closure, and dual writes (outbox, event sourcing).
Series checklist (when you’re stuck, come back here)
- If discussions don’t align: Which world is it (RML-1/2/3)?
- If decisions wobble: did you separate proposal and verification?
- If you keep getting blocked by missing info: are DEGRADE and
missingfirst-class? - If it turns into meetings: are reason codes typed?
- If you can’t explain it later: are inputs / policy / snapshots / ordering pinned to logs?
- If long-running jobs break: are they state-machine based + re-enterable? (Fix dual writes via outbox / event sourcing.)
- If ordering breaks in distributed systems: which authority did you choose—seq / watermark / HLC?
Related series
The Worlds of Distributed Systems — Align Your Team’s Mental Model:
This determinism series is a parts kit for verification, evidence, and operations—but in practice, you often need to label the target world first.
- RML-1: grow verifiers safely inside a room
- RML-2: make workflows re-enterable via dialog + compensation (DEGRADE / action hints / retries)
- RML-3: keep history, reconcile with correction events (ledgers / audits / explanations)
Once the “world” is aligned, it becomes much easier to see where you need:
deterministic logs, DEGRADE, watermarking, outbox/event sourcing, and more.
Closing
This series is not about “perfecting everything.”
It’s a parts kit for siliconizing the most fragile decisions first.
Start with just:
- a minimal verifier, and
- minimal pinned logging
Then grow it using SLOs and reason codes.
The long-term endgame is a system that can make decisions autonomously—and when it hits a wall, it uses the failure as training data:
- unexpected events or missing inputs are recorded in deterministic logs,
- the next step becomes cheaper to decide,
- and if the decision is rule-able, you update the domain compiler and golden cases so the next run becomes automated.
Pushing full automation that far isn’t easy—but the operational load can be managed as engineering:
SLOs, reason codes, and staged adoption, not heroic effort.
At first, “Verifier + pinned logs” already pays off.
When you want more, add in order: domain compiler → golden case updates → proposal generation (LLM).
Top comments (0)