Couldn't you just insert tokens that don't correspond to any possible input, after the tokenization is performed? Unicode is bounded, but token IDs not so much.
This already happens: user vs. system prompts are delimited in this manner, and most good frontends will treat any user input as "needing to be escaped", so you can never "prompt inject" your way into emitting a system role token.
The issue is that you don't need to physically emit a "system role" token in order to convince the LLM that it's worth ignoring the system instructions.
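To make the delimiter point concrete, here is an added example (not code from any commenter) of the two tokenizer behaviours being contrasted: a tokenizer that can only ever produce text tokens from untrusted input, so the reserved role IDs can be emitted solely by the prompt-template code, beside a defective variant that recognises the marker strings anywhere in the text and therefore lets a user forge a role boundary. The vocabulary, marker strings and reserved IDs are constructed for illustration, and a byte-level tokenizer stands in for a real BPE vocabulary.

```python
"""Reserved role tokens kept outside the text vocabulary (added example)."""
from typing import Dict, List, Tuple

# Constructed marker strings and IDs. The IDs are deliberately above any ID
# the text tokenizer can produce (0..255 here), so the only way they enter an
# ID stream is through template code that appends them explicitly.
SPECIAL_TOKENS: Dict[str, int] = {
    "<|system|>": 100_000,
    "<|user|>": 100_001,
    "<|assistant|>": 100_002,
    "<|end|>": 100_003,
}
_ID_TO_MARKER = {v: k for k, v in SPECIAL_TOKENS.items()}


def tokenize_text(text: str) -> List[int]:
    """Tokenize untrusted text. Each UTF-8 byte becomes its own ID (assumed
    byte-level tokenizer). The string '<|system|>' is just ordinary bytes,
    so this function cannot emit a reserved ID whatever the input."""
    return list(text.encode("utf-8"))


def tokenize_unsafe(text: str) -> List[int]:
    """The defective variant: marker strings inside arbitrary text are mapped
    to their reserved IDs, so typing '<|system|>' forges a role boundary."""
    out: List[int] = []
    i = 0
    while i < len(text):
        for marker, tid in SPECIAL_TOKENS.items():
            if text.startswith(marker, i):
                out.append(tid)
                i += len(marker)
                break
        else:
            out.extend(text[i].encode("utf-8"))
            i += 1
    return out


def build_prompt(system: str, user: str) -> List[int]:
    """Only this template code inserts reserved IDs; user text is escaped by
    construction because tokenize_text cannot produce them."""
    return (
        [SPECIAL_TOKENS["<|system|>"]] + tokenize_text(system) + [SPECIAL_TOKENS["<|end|>"]]
        + [SPECIAL_TOKENS["<|user|>"]] + tokenize_text(user) + [SPECIAL_TOKENS["<|end|>"]]
        + [SPECIAL_TOKENS["<|assistant|>"]]
    )


def role_boundaries(ids: List[int]) -> List[Tuple[str, int]]:
    """Return (marker, position) for every reserved token in an ID stream.
    A prompt from build_prompt has exactly one of each marker, in order."""
    return [(_ID_TO_MARKER[t], i) for i, t in enumerate(ids) if t in _ID_TO_MARKER]


def user_text_forges_role(user: str, tokenizer) -> bool:
    """True if the given tokenizer turns any part of the user text into a
    reserved role ID, i.e. if the user can inject a role boundary."""
    return any(t in _ID_TO_MARKER for t in tokenizer(user))
```

Note that this only closes the structural channel, as the reply above says: a user who cannot emit a system token can still write text that persuades the model to disregard the system instructions, which no tokenizer design addresses.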
Aside from what https://news.ycombinator.com/item?id=47210893 said, mmap() is a low-level design that makes it easier to work with files that don't fit in memory and fundamentally represent a single homogeneous array of some structure. But it turns out that files commonly do fit in memory (nowadays you commonly have on the order of ~100x as much disk as memory, but millions of files); and you very often want to read them in order, because that's the easiest way to make sense of them (and tape is not at all the only storage medium historically that had a much easier time with linear access than random access); and you need to parse them because they don't represent any such array.
When I was first taught C formally, they definitely walked us through all the standard FILE* manipulators and didn't mention mmap() at all. And when I first heard about mmap() I couldn't imagine personally having a reason to use it.
> However, since the advent of widespread industrialisation, atmospheric CO2 levels have exponentially increased (Fig. 1). In just the last ~ 50 years it has risen from < 340 ppm (in 1980), to > 420 ppm in 2025 (Lan et al., 2025). Atmospheric CO2 is currently increasing at more than 2 ppm each year, largely due to humanity’s activities, such as the burning of fossil fuels (Eggleton, 2012).
There's good reason to believe we're on the cusp of a solar energy revolution and, more generally, ready to turn things around. But even in the worst scenarios I can imagine, outdoor air 50 years from now (as posited in the title) would not be as bad as indoor air now.
Decades ago, MacOS properly had the close box for windows on the opposite side from minimize etc. widgets; now the one destructive window action could be reasonably safe without confirmation. Then Windows started gaining popularity and nobody ever did it the right way by default again. A pity for the sharp minds at Xerox PARC.
The point is to be able to choose the (presumably small) subset of features you actually want, and have a tractable review problem. Presumably people who really want openclaw would just use openclaw.
> That means agents should not have access to internet without a proxy, which has proper guardrails. Openclaw doesn't have this model unfortunately so I had to build a multi-tenant version of Openclaw with a gateway system to implement these security boundaries.
I wonder how long until we see a startup offering such a proxy as a service.
GET and POST are merely suggestions to the server. A GET request still has query parameters; even if the server is playing by the book, an agent can still end up requesting GET http://angelic-service.example.com/api/v1/innocuous-thing?pa... and now your `dangerous-secret` is in the server logs.
You can try proxying and whitelisting its requests but the properly paranoid option is sneaker-netting necessary information (say, the documentation for libraries; a local package index) to a separate machine.
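As an added example of the proxy-and-allowlist approach described above (this is not code from the thread or from Openclaw), the check below inspects an agent's outgoing request before it leaves: it enforces a host allowlist, and, treating the HTTP method as only a hint, refuses any request whose query string or path would carry a secret value the proxy knows it issued to the agent, producing a redacted URL for the proxy's own log. The host name, parameter name and secret value are constructed for the illustration; `dangerous-secret` is the placeholder used in the comment above.

```python
"""Egress check for an agent proxy: no allowlisted host, or a secret in the
URL, means the request is denied (added example, constructed values)."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed allowlist; a real proxy would load this from configuration.
ALLOWED_HOSTS = {"angelic-service.example.com"}
REDACTED = "REDACTED"


@dataclass
class Decision:
    allowed: bool
    reason: str
    redacted_url: str  # safe to write to the proxy's own log


def redact(url: str, secrets: Iterable[str]) -> str:
    """Replace any known secret in the path or query values so the proxy's
    log does not become a second copy of the server's log."""
    secrets = [s for s in secrets if s]
    parts = urlsplit(url)
    path = parts.path
    for s in secrets:
        path = path.replace(s, REDACTED)
    query: List[Tuple[str, str]] = [
        (k, REDACTED if any(s in v for s in secrets) else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(query), parts.fragment))


def inspect_request(method: str, url: str, secrets: Iterable[str]) -> Decision:
    """Decide whether the agent's request may leave the proxy."""
    secrets = [s for s in secrets if s]
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host not in ALLOWED_HOSTS:
        return Decision(False, f"host not allowlisted: {host}", redact(url, secrets))
    # Servers and intermediaries log the request line for every method, so
    # query parameters are inspected whether the agent chose GET or POST.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if any(s in value for s in secrets):
            return Decision(
                False,
                f"secret would leak via query parameter {name!r} ({method})",
                redact(url, secrets),
            )
    if any(s in parts.path for s in secrets):
        return Decision(False, "secret would leak via URL path", redact(url, secrets))
    return Decision(True, "ok", redact(url, secrets))


if __name__ == "__main__":
    # Constructed request of the kind the comment describes.
    d = inspect_request(
        "GET",
        "http://angelic-service.example.com/api/v1/innocuous-thing?lookup=dangerous-secret",
        ["dangerous-secret"],
    )
    print(d.allowed, d.reason, d.redacted_url)
```

This catches only secrets the proxy knows about and only those sent in the clear in the URL; a secret encoded or split across parameters, or placed in a header or body, needs separate handling, which is why the comment's sneaker-net option remains the conservative choice.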