# LACUNA：作为递归程序孔的智能体安全模型

- 来源：HuggingFace Daily Papers（社区热门论文）
- 发布时间：2026-05-27 08:00
- AIHOT 分数：65
- AIHOT 链接：https://aihot.virxact.com/items/cmpq0avwa00mwslnouhvjk49a
- 原文链接：https://arxiv.org/abs/2605.28617

## AI 摘要

LACUNA 是一种智能体编程模型，旨在弥合运行时与大语言模型编写代码之间的分离。其核心机制是将每个智能体动作定义为类型化调用 `agent[T](task)`，由模型在运行时填充代码，但代码在执行前会经过类型检查。被拒绝的动作（8.6%）不会影响环境，其编译器诊断信息将驱动重试。该检查也限制了动作可使用的工具和数据流。此模型将 ReAct 循环、子智能体、技能等表达为普通控制流。评估显示，在 τ^2-bench 上，该模型解决了 76.0% 的任务，性能与基线智能体相当。

## 正文

LLM agents increasingly act by writing code, yet a split persists between the runtime that drives the agent and the code the model writes. The runtime owns the loop, context, and control flow, and the model has little say over any of them. Letting model-written code shape the runtime itself would make agents more expressive, but it would also sharpen safety problems. A model can be diverted by a prompt injection, call the wrong tool, or fail partway and leave an inconsistent state, and each such failure reaches further when the code shapes the runtime than when it expresses a single action. We present LACUNA, a programming model for agents that closes this split while preserving safety. Each agent action is a typed call agent[T](task) that the LLM fills with code when execution reaches it, and the code is type-checked against the surrounding program before it runs. Because each action is accepted or rejected as a whole, a rejected one leaves the environment untouched, and its compiler diagnostics drive a retry. The same check also bounds which tools and data an action may use and how they flow. Our primitive expresses ReAct loops, sub-agents, skills, parallel decomposition, and multi-model planning as ordinary control flow. We evaluate LACUNA on a collection of test cases, BrowseComp-Plus, and τ^2-bench. On BrowseComp-Plus, 8.6% of generations are rejected before execution, with 0.7 retries per query on average, and the agent reaches 27.1% accuracy. On τ^2-bench, LACUNA solves 76.0% of 392 tasks across four domains with a capable model, on par with the baseline agent.
