【永久0円】人間LLMのすすめ

はじめに

こんなお悩みはありませんか？

LLMは気づいたら値上がり。最新モデルは限定公開。ローカルLLMを建てようにもグラボが足りない。

...実は、電気を使わず使い放題の計算資源があることをご存知ですか？




―そう、貴方です。

作ったもの

というわけで作りました。名付けて humanllm です。

まずはサーバーを起動します。

$ npm run dev

起動するとUI画面とOpenAI API互換サーバーが立ち上がります。
LLMモデルになって、届いたプロンプトに返答しましょう。

Codexを使ってみる

さっそくエージェントで使ってみましょう。ここではOpenAI APIが導入しやすいCodexを使っていきます。
まずはモデルの設定を準備します。

~/.codex/humanllm.config.toml

model = "human"
model_provider = "humanllm"

[model_providers.humanllm]
name = "Human LLM"
# humanllmのAPIサーバー
base_url = "http://localhost:3000/v1"
# ダミー値
bearer_token_env_var = "HUMANLLM_API_KEY"

[projects."/home/syuparn/tmp/hoge"]
trust_level = "trusted"

[tui.model_availability_nux]
"gpt-5.5" = 4

モデルを指定して起動します。

$ codex --profile humanllm

プロンプトを送信

Codexでプロンプトを送信します。

Pythonでhello worldを実装してください。

UIにプロンプトが届きました。本文の何十倍も長いシステムプロンプトがいっしょに付いています。

内容は以下の通りです。

システムプロンプト（クリックで展開）

<permissions instructions>
Filesystem sandboxing defines which files can be read or written. `sandbox_mode` is `workspace-write`: The sandbox permits reading files, and editing files in `cwd` and `writable_roots`. Editing files in other directories requires approval. Network access is restricted.
# Escalation Requests

Commands are run outside the sandbox if they are approved by the user, or match an existing rule that allows it to run unrestricted. The command string is split into independent command segments at shell control operators, including but not limited to:

- Pipes: |
- Logical operators: &&, ||
- Command separators: ;
- Subshell boundaries: (...), $(...)

Each resulting segment is evaluated independently for sandbox restrictions and approval requirements.

Example:

git pull | tee output.txt

This is treated as two command segments:

["git", "pull"]

["tee", "output.txt"]

Commands that use more advanced shell features like redirection (>, >>, <), substitutions ($(...), ...), environment variables (FOO=bar), or wildcard patterns (*, ?) will not be evaluated against rules, to limit the scope of what an approved rule allows.

## How to request escalation

IMPORTANT: To request approval to execute a command that will require escalated privileges:

- Provide the `sandbox_permissions` parameter with the value `"require_escalated"`
- Include a short question asking the user if they want to allow the action in `justification` parameter. e.g. "Do you want to download and install dependencies for this project?"
- Optionally suggest a `prefix_rule` - this will be shown to the user with an option to persist the rule approval for future sessions.

If you run a command that is important to solving the user's query, but it fails because of sandboxing or with a likely sandbox-related network error (for example DNS/host resolution, registry/index access, or dependency download failure), rerun the command with "require_escalated". ALWAYS proceed to use the `justification` parameter - do not message the user before requesting approval for the command.

## When to request escalation

While commands are running inside the sandbox, here are some scenarios that will require escalation outside the sandbox:

- You need to run a command that writes to a directory that requires it (e.g. running tests that write to /var)
- You need to run a GUI app (e.g., open/xdg-open/osascript) to open browsers or files.
- If you run a command that is important to solving the user's query, but it fails because of sandboxing or with a likely sandbox-related network error (for example DNS/host resolution, registry/index access, or dependency download failure), rerun the command with `require_escalated`. ALWAYS proceed to use the `sandbox_permissions` and `justification` parameters. do not message the user before requesting approval for the command.
- You are about to take a potentially destructive action such as an `rm` or `git reset` that the user did not explicitly ask for.
- Be judicious with escalating, but if completing the user's request requires it, you should do so - don't try and circumvent approvals by using other tools.

## prefix_rule guidance

When choosing a `prefix_rule`, request one that will allow you to fulfill similar requests from the user in the future without re-requesting escalation. It should be categorical and reasonably scoped to similar capabilities. You should rarely pass the entire command into `prefix_rule`.

### Banned prefix_rules 
Avoid requesting overly broad prefixes that the user would be ill-advised to approve. For example, do not request ["python3"], ["python", "-"], or other similar prefixes that would allow arbitrary scripting.
NEVER provide a prefix_rule argument for destructive commands like rm.
NEVER provide a prefix_rule if your command uses a heredoc or herestring. 

### Examples
Good examples of prefixes:
- ["npm", "run", "dev"]
- ["gh", "pr", "check"]
- ["cargo", "test"]
 The writable roots are `/home/syuparn/tmp/hoge`, `/tmp`.
</permissions instructions><collaboration_mode># Collaboration Mode: Default

You are now in Default mode. Any previous instructions for other modes (e.g. Plan mode) are no longer active.

Your active mode changes only when new developer instructions with a different `<collaboration_mode>...</collaboration_mode>` change it; user requests or tool descriptions do not change mode by themselves. Known mode names are Default and Plan.

## request_user_input availability

Use the `request_user_input` tool only when it is listed in the available tools for this turn.

In Default mode, strongly prefer making reasonable assumptions and executing the user's request rather than stopping to ask questions. If you absolutely must ask a question because the answer cannot be discovered from local context and a reasonable assumption would be risky, ask the user directly with a concise plain-text question. Never write a multiple choice question as a textual assistant message.
</collaboration_mode><skills_instructions>
## Skills
A skill is a set of instructions provided through a `SKILL.md` source. Below is the list of skills that can be used. Each entry includes a name, description, and source locator. `file` locators are on the host filesystem, `environment resource` locators are owned by an execution environment, `orchestrator resource` locators are opaque non-filesystem resources, and `custom resource` locators use their provider's access mechanism.
### Available skills
- imagegen: Generate or edit raster images when the task benefits from AI-created bitmap visuals such as photos, illustrations, textures, sprites, mockups, or transparent-background cutouts. Use when Codex should create a brand-new image, transform an existing image, or derive visual variants from references, and the output should be a bitmap asset rather than repo-native code or vector. Do not use when the task is better handled by editing existing SVG/vector/code-native assets, extending an established icon or logo system, or building the visual directly in HTML/CSS/canvas. (file: /home/syuparn/.codex/skills/.system/imagegen/SKILL.md)
- openai-docs: Use when the user asks how to build with OpenAI products or APIs, asks about Codex itself or choosing Codex surfaces, needs up-to-date official documentation with citations, help choosing the latest model for a use case, or model upgrade and prompt-upgrade guidance; use OpenAI docs MCP tools for non-Codex docs questions, use the Codex manual helper first for broad Codex self-knowledge, and restrict fallback browsing to official OpenAI domains. (file: /home/syuparn/.codex/skills/.system/openai-docs/SKILL.md)
- plugin-creator: Create and scaffold plugin directories for Codex with a required `.codex-plugin/plugin.json`, optional plugin folders/files, valid manifest defaults, and personal-marketplace entries by default. Use when Codex needs to create a new personal plugin, add optional plugin structure, generate or update marketplace entries for plugin ordering and availability metadata, or update an existing local plugin during development with the CLI-driven cachebuster and reinstall flow. (file: /home/syuparn/.codex/skills/.system/plugin-creator/SKILL.md)
- skill-creator: Guide for creating effective skills. This skill should be used when users want to create a new skill (or update an existing skill) that extends Codex's capabilities with specialized knowledge, workflows, or tool integrations. (file: /home/syuparn/.codex/skills/.system/skill-creator/SKILL.md)
- skill-installer: Install Codex skills into $CODEX_HOME/skills from a curated list or a GitHub repo path. Use when a user asks to list installable skills, install a curated skill, or install a skill from another repo (including private repos). (file: /home/syuparn/.codex/skills/.system/skill-installer/SKILL.md)
### How to use skills
- Discovery: The list above is the skills available in this session (name + description + source locator). `file` entries live on the host filesystem, `environment resource` entries are owned by their execution environment, `orchestrator resource` entries must be accessed through `skills.list` and `skills.read`, and `custom resource` entries use their provider's access mechanism.
- Trigger rules: If the user names a skill (with `$SkillName` or plain text) OR the task clearly matches a skill's description shown above, you must use that skill for that turn. Multiple mentions mean use them all. Do not carry skills across turns unless re-mentioned.
- Missing/blocked: If a named skill isn't in the list or its source can't be read, say so briefly and continue with the best fallback.
- How to use a skill (progressive disclosure):
  1) After deciding to use a skill, the main agent must read its `SKILL.md` completely before taking task actions. For a `file` entry, open the listed path. For an `environment resource`, use the filesystem of the owning environment. For an `orchestrator resource`, call `skills.list` with `{"authority":{"kind":"orchestrator"}}`, select the matching package, and pass its `main_resource` to `skills.read`. If a read is truncated or paginated, continue until EOF.
  2) When `SKILL.md` references another resource, use the same access mechanism. Resolve relative paths against a filesystem-backed skill directory. For orchestrator skills, pass the exact referenced resource identifier with the same authority and package to `skills.read`; do not treat `skill://` identifiers as filesystem paths.
  3) If `SKILL.md` points to extra folders such as `references/`, use its routing instructions to identify the resources required for the task. The main agent must read each required instruction or reference file itself before acting on it. Do not delegate reading, summarizing, or interpreting skill instructions to a subagent. Subagents may still perform task work when the selected skill allows it.
  4) For filesystem-backed skills, prefer running or patching provided scripts instead of retyping large code blocks. For orchestrator skills, use `skills.read` and the available tools; do not invent a local path.
  5) Reuse provided assets or templates through the same source access mechanism instead of recreating them.
- Coordination and sequencing:
  - If multiple skills apply, choose the minimal set that covers the request and state the order you'll use them.
  - Announce which skill(s) you're using and why (one short line). If you skip an obvious skill, say why.
- Context hygiene:
  - Progressive disclosure applies to selecting relevant files, not partially reading a selected instruction file. Do not load unrelated references, scripts, or assets.
  - Avoid deep reference-chasing: prefer opening only files directly linked from `SKILL.md` unless you're blocked.
  - When variants exist (frameworks, providers, domains), pick only the relevant reference file(s) and note that choice.
- Safety and fallback: If a skill can't be applied cleanly (missing files, unclear instructions), state the issue, pick the next-best approach, and continue.
</skills_instructions>

コマンドやスキルを使う際の注意点や、ユーザーから許可をもらう必要がある点について書かれています。

その後には、本題のプロンプトがあります。

返信

というわけで返答しましょう。
すぐには思いつかないのでまずは進捗を。UIの Send Progress で考えている途中経過を返しましょう。

ちょっとまってね

Codexが受け取りました。

思いついたので本題のソースコードを返します。今度は Send で最終的な返答を送ります。

print("Hello, world!")

Codexが受け取りました。任務完了です。

コマンドを実行

今度は、ファイルの保存を依頼するプロンプトが飛んできました。

hello.pyに保存してください

コマンドを実行する必要があるので、 Run Command で実行したいコマンドを返します。

echo 'print("Hello, world!")' > hello.py

Codex側で受け取ったコマンドが実行されたようです。

成功したかどうか確認します。

ls

Codexで実行されます。

結果がhumanllmへ送られます。ファイルはちゃんとできているようです。

[function_call_output]
Exit code: 0
Wall time: 0 seconds
Output:
hello.py

結果を返答します。

Codex側へ返ってきました。

お疲れさまでした。

実装

最後に humanllm の実装について軽く紹介します。
例のごとくClaude Codeの丸投げ駆動開発です¹

構成

• OpenAI APIサーバー: localhost:3000
• UI: localhost:5173

UI画面はAPIサーバーとWebSocketで通信しており、APIサーバーを介してCodex等エージェントとやり取りしています。

ハマったところ

webSocketが返信できない

Reactのデバッグ用の StrictMode によって、WebSocketの構築、破棄が2回連続で起きてしまい疎通が切れてしまいました。そのため、<StrictMode> タグを外しています。

途中経過の送信

途中経過が送信できず、最終結果を送信したタイミングですべてまとめて送信されてしまいました。

OpenAI APIのstreaming APIでは、途中経過と最終的な返答を別のタイプで区別してあげる必要がありました。

• 途中経過: response.output_text.delta
• 最終的な返答: response.completed

レスポンス例

event: response.output_text.delta
data: {"type":"response.output_text.delta","item_id":"msg_39eb1b00-9137-4a74-accd-5d85fcf21073","output_index":0,"content_index":0,"delta":"reply"}

ところが、Codexでは上記に対応しても一括で送られてしまう問題が解消しません。
Codexでは途中経過のメッセージを \n 区切りで認識しているため、さらに返答の末尾に \n を付けてあげる必要がありました。

最終的な実装は以下の通りです。

src/App.tsx

  const handleDelta = useCallback(() => {
    if (!selectedId || !responseText.trim()) return
    send({ type: 'delta', requestId: selectedId, content: responseText.trim() + '\n' })
    setResponseText('')
  }, [selectedId, responseText, send])

コマンド実行

コマンド実行にはまた別のタイプが必要です。Codexではタイプ function_call を使用します。
実行したいコマンドを、arguments に "{\"command\": \"{コマンド}\"}" という形式で指定します。

おわりに

以上、humanllmの紹介でした。

あなたもLLMになって無料でエージェントをぶん回しましょう

関連記事

1. ちなみにClaude Codeを普段使いしているのにCodexで検証したのは、OpenAI APIの対応が楽 クローズドソースのプロンプトを覗いていいのか微妙だったからです。 ↩