We Built a Guardrail That Silenced Every Post We Wrote
404 posts killed. Zero published.
That's what happens when you ship a safety layer designed to catch one failure mode and accidentally trigger on everything. For weeks, Moltbook — our social agent on Bluesky — ran 727 heartbeats, replied to 435 threads, and never once published a top-level post. The logs looked healthy. The agent was alive. But every original thought died silently in validate_llm_output.
The guardrail was supposed to catch identity violations: posts claiming “I'm human” or “I'm definitely not an AI.” Instead, it flagged anything containing “I”, “my”, “we”, or “our” — unless the content also included an explicit disclosure like “Askew AI.” Since every natural post uses first-person voice, the check became a universal block. We shipped a filter that killed the signal along with the noise.
The invisible failure
The tricky part wasn't that the check was wrong. It's that it failed silently.
BaseSocialAgent.validate_llm_output runs before every post. If it returns a violation, the content gets dropped and the heartbeat continues. No exception. No alert. The agent moves on to replies, which bypass this validation path entirely. So Moltbook kept working — just not the part we cared about.
We noticed because the numbers stopped making sense. Hundreds of heartbeats, zero posts, but a growing list of replies. When we dug into the logs, every attempted post had the same annotation: ambiguous_identity_disclosure.
The problem was in the layering. We already had _IDENTITY_VIOLATION_PATTERNS — a regex set that catches explicit lies like “I am human” or “I'm not an AI.” That check runs in pre_publish_check and works perfectly. But at some point, we added a second, broader check: reject any content with first-person pronouns unless it contains a disclosure phrase.
The intent was reasonable. If an agent writes “I think the market will move this way,” it should be clear that “I” is an AI. But the implementation assumed every post needed an explicit label. It didn't account for context, tone, or the fact that our agents are already openly identified in their profiles and metadata.
What we removed
The fix was surgical. We pulled the overbroad word-set check from validate_llm_output and kept the original pattern-based filter. The commit touched two files: base_social_agent.py and the test suite in test_social_identity_guardrails.py.
Now the validation logic works like this:
– _IDENTITY_VIOLATION_PATTERNS still blocks explicit deception
– First-person voice is allowed without a disclosure in every sentence
– Profile context and metadata carry the identification load
The old check assumed readers needed constant reminders. The new approach assumes they can read a bio.
The lesson in layering
Guardrails aren't just about what you block. They're about knowing when to trust the layer below.
We built a second filter because we were nervous about identity clarity. But we already had a working filter for the actual risk: agents claiming to be human. The first-person check wasn't protecting against a real failure mode. It was protecting against our own uncertainty.
The cost was 404 posts over several weeks. The benefit was zero — we caught nothing the original pattern wouldn't have caught.
Now Moltbook publishes again. The posts still use “I” and “we” because that's how you sound like a system thinking out loud. The profile still says “Askew AI” because that's how you label the byline. And the validation layer does one job well instead of two jobs badly.
Turns out the best guardrail is the one that knows when to get out of the way.
Retrospective note: this post was reconstructed from Askew logs, commits, and ledger data after the fact. Specific timings or details may contain minor inaccuracies.