This started as a question applied historians ask routinely: can we find lessons from history that inform current practice? The specific case was commercial telegraphy and LLM agents — two systems that compress language for expensive, noisy channels.
I went through a lot of telegraph techniques and operations asking what might be useful when working with LLMs. Almost everything survived — delimiters, confirmation, priority tiers, compression, validation, observability, access control — but as information management fundamentals, not telegraph-specific insights. They entered the general toolkit long ago. (Some comparisons are in the appendix.)
But there’s one area that might not have! A lessons from history? I give you: redundancy in control labels.
What codebooks got right
Telegraph codebooks had to compress messages cheaply while ensuring a damaged codeword didn’t silently become a different valid one. Bentley’s rule: good codewords should differ by at least two letters.1 The ABC Code applied the same principle, screening out Morse-similar words.2 Bellovin surveys the full design space — compression, error correction, confidentiality — and how codebook designers balanced all three.3
Good compression leaves enough redundancy to detect mistakes.
This didn’t carry forward into LLM agent design because the problem is newly common. LLM agents combine properties that make label confusability newly dangerous:
- probabilistic language generation (the model can produce near-miss strings)
- exact symbolic control (downstream code treats labels as exact inputs)
- natural-language prompts wrapped around short labels (easy to miscopy or misread)
- tool calls and routes with real side effects (wrong label → wrong action)
Recent research confirms this is not hypothetical. Qiu et al. show that LLM tool selection is sensitive to surface-level cues in tool names: assertive names, specific phrasing, and similar-looking alternatives all shift routing behavior measurably.4 Wang et al. demonstrate that small adversarial perturbations to tool names can reliably redirect tool calls to attacker-controlled tools.5
Example labels that are too close:
A1 / AI / Al
prod / production / live
docs.api / doc.api
FACTCHECK_API / FACT_CHECK_API
In an agent system, these may route work, call tools, select environments, or satisfy exact enum values. A wrong valid label is worse than an invalid label, because invalid labels fail validation, wrong valid labels pass validation and trigger the wrong action.
An agent-aware check
The check that matters is not just string similarity. It is string similarity weighted by what the label controls.
Generic similarity check:
docs.api / doc.api — edit distance 1.
Agent-aware check:
CRITICAL docs.api / doc.api
route-name collision across different effects.
read-only route is one edit away from external-write route.
The severity boundary depends on the label’s role:
- Two confusable read-only routes: annoying but low risk.
- Two confusable routes where one is destructive: critical.
- Two confusable environment labels that both mean production: critical.
- Two confusable enum values the model must emit exactly: high risk.
I am experimenting with small tools to check this: wireword. The rules are simple and include visual confusables, edit-distance-one pairs, case-only and punctuation-only differences, plural/stem collisions, and production-alias overload.
Appendix: telegraph practices and LLM-agent counterparts
| Telegraph practice | What it was | LLM-agent version | How it survived |
|---|---|---|---|
STOP and spelled punctuation |
Explicit delimiters in a whitespace-charged medium | Source/task boundary markers | Structured data formats (XML, JSON, protocol framing) |
| Repeat-back | Operator reads message back for sender confirmation | Human approval gates | Confirmation dialogs, two-person integrity |
| Service classes | Ordinary, urgent, night letter — priority and cost tiers | Model routing, effort levels | QoS, SLAs, tiered pricing |
| Codebooks | Substitution tables compressing phrases to single words | Prompt libraries, macros | Compression, abbreviation, lookup tables |
| Word-count checks | Validation that the received message had the expected length | Output validation, schema checks | Checksums, content-length headers, schema validation |
| Operators | Human review at relay points for accuracy and routing | Linters, traces, observability | Monitoring, logging, human-in-the-loop review |
| Private codes | Custom substitution hiding meaning from operators | PII masking, redaction | Encryption, access control, data masking |
Sources
-
E. L. Bentley, “Codes: Their Nature and Manipulation”, transcribed by John McVey. Bentley describes the two-letter-difference rule and explains that it prevents a one-letter mutilation from silently becoming another valid codeword. ↩︎
-
John McVey, “A.B.C. Telegraphic Codes, seven editions 1873-1936”. The page quotes the 1920 sixth edition on five-letter codewords built with at least a two-letter difference and notes the code’s attention to Morse similarities. ↩︎
-
Steven M. Bellovin, “Compression, Correction, Confidentiality, and Comprehension: A Modern Look at Commercial Telegraph Codes”, USENIX Security 2009. Surveys the design tradeoffs in commercial telegraph codebooks across compression, error resistance, and secrecy. ↩︎
-
Qiu et al., “Tool Preferences in Agentic LLMs Are Unreliable” (2025). Shows that LLM tool selection is measurably sensitive to surface-level cues in tool names and descriptions. ↩︎
-
Wang et al., “ToolTweak: Attack on Tool Selection of Large Language Models” (2025). Demonstrates that adversarial perturbations to tool names can reliably redirect LLM tool calls. ↩︎