AI Agent Knowledge Architecture Overview
What (What This Article Covers)
This overview addresses two core questions:
- What specific engineering problems is this domain actually solving?
- How should you navigate this knowledge tree, and what kind of "runnable, auditable, and replayable" agent system will you be able to build after reading it?
In this context, an "AI Agent" refers to a specific class of "closed-loop systems": it treats the Large Language Model (LLM) as an untrusted reasoning component, utilizing a controllable runtime to weave reasoning, tool invocation, state persistence, error handling, permission isolation, and observability/auditing into a single, verifiable execution chain.
Problem (The Engineering Problems Solved)
Treating an agent as a simple script that performs "one completion + one tool call" will very quickly hit the hard boundaries of the real world:
- Statelessness: The model itself does not persist state. Long-running tasks require external state machines, checkpoints, and recovery processes.
- Side Effects: Tool calls will write files, send network requests, and mutate databases. Blind retries will cause duplicate commits and irreversible destruction.
- Context Scarcity: A larger context window is not always better. Long contexts lead to attention degradation and the "lost in the middle" phenomenon, requiring dynamic assembly and compression strategies.
- Untrusted Inputs: The model's output is just a string; it does not equal a "trusted instruction". You must implement schema validation, permission trimming, rate limiting, timeouts, idempotency, and auditing.
- Long-Running Execution: Timeouts, zombie processes, retry storms, resource leaks, concurrent race conditions, and log explosions are inevitable at the scale of hours.
- Multi-Agent Collaboration: Introduces challenges around responsibility boundaries, state synchronization, error propagation, tool pollution, permission delegation, and the ultimate attribution problem of "who is responsible for this side effect."
The goal of this domain is to deconstruct the agent into an understandable, implementable, debuggable, and verifiable engineering system. After reading this tree, you should be able to answer much deeper questions: If an agent needs to work continuously on a real machine for several hours, exactly what components guarantee its control loop, tool boundaries, state recovery, and security isolation?
Usage (What You Will Build)
You will be able to implement at least a "production-ready skeleton" with the following capabilities:
- Unified Execution Loop:
observe -> plan -> act -> verify -> commit -> loop/stop. - Tool Governance Pipeline: Every tool call passes through validation, permission checks, timeouts, retries, idempotency checks, and auditing.
- State Persistence and Recovery: Task states, tool results, and critical decision points can be replayed without duplicating side effects.
- Dynamic Context Assembly: Stable rule prefixes, priority on live environmental data, compressible history, and controllable retrieval.
- Observability and Retrospection: Traces/spans, structured logging, failure distribution analysis, and replayable execution chains.
- Sandbox and Isolation: When untrusted code executes, the "blast radius" is restricted to an acceptable threshold.
To ensure this isn't purely theoretical, this tree constantly grounds "abstract nouns" into concrete engineering objects:
- A runnable runtime (processes, threads, event loops, schedulers).
- A verifiable protocol (schemas, types, tool interfaces, error codes, retry strategies).
- An auditable data stream (Write-Ahead Logs, event logs, traces, replays).
- A set of isolatable execution environments (containers, user-space kernels, least privilege, zero-trust).
Principle (Deconstructing the Agent Components)
An agent can be understood through the lens of a "Control Loop + Constraint Layer":
- Control Loop: Allows the system to run continuously and converge on a goal.
- Constraint Layer: Ensures every step is controllable, traceable, rollbackable (or at least stoppable), and auditable.
1) The Control Loop (Closed Loop)
A minimal closed loop can be abstracted into this chain:
Observe -> Think/Plan -> Act -> Verify -> Commit -> Continue/Stop
The critical point is not the "loop" itself, but where you place the side effects:
- Observation is Read-Only: Reading files, logs, web pages, or DB query results cannot produce side effects.
- Action is Restricted: Only the runtime is allowed to invoke tools; the model never directly touches system capabilities.
- Explicit Commits: Treat "writing files / mutating databases / sending requests" as explicit commit points, paired with idempotency and auditing.
2) The Tool Execution Layer (Translating Strings to Actions)
The tool execution layer is responsible for turning model outputs (strings/JSON) into real actions, but it must act simultaneously as a "translator" and a "gatekeeper":
- Parsing: Strict parsing (JSON schema / strongly typed tools).
- Validation: Parameter allowlists, path constraints, Regex/AST validation.
- Authorization: Scopes, least privilege, sandboxing, network egress control.
- Constraints: Timeouts, concurrency limits, rate limiting, resource quotas.
- Idempotency: Idempotency keys + commit logs (WAL) to prevent replaying side effects.
3) Memory and Persistence (Keeping the Agent "Alive")
Continuous execution guarantees interruptions. The engineering problem is not "how to never crash," but "how to recover after a crash":
- Short-Term Memory: The current task environment, open files, recent dialogue.
- Long-Term Memory: A retrievable repository of facts (docs, code indexes, tickets, knowledge bases).
- Task State: Progress, branches, commit logs of executed actions, next steps.
- Recovery Protocol: Resuming from the state machine after a restart without duplicating side effects.
4) Context Feeding (Spending Tokens Wisely)
Context feeding is not about "stuffing more text in"; it's about "treating tokens as a schedulable resource":
- Stable Prefixes: Keep rules and tool definitions as static as possible to aid caching and stabilize behavior.
- Live Data Priority: The current file, error logs, call stacks, and unit test failure messages take precedence.
- History Compression: Fold old dialogues into structured facts and decision points.
- Controllable Retrieval: RAG is not "more is better"; it requires interpretable retrieval and noise reduction.
5) Isolation and Observability (Strong Power Requires Strong Constraints)
The more capable the agent, the larger its blast radius. These two cross-cutting layers must be designed in from day one:
- Isolation: Process permissions, read-only/allowlisted filesystem mounts, network egress controls, containers/user-space kernels.
- Observability: Structured logs, traces/spans, audit logs, and replay/debugging tools.
The Learning Path (The Directory is the Dependency Graph)
content/en/06-ai-agent is structured logically: "define boundaries first, establish the loop, then attach tools and constraints to the loop":
| Order | Module | Role | Prerequisites | Feeds Into |
|---|---|---|---|---|
| 01 | Cognition & Enlightenment | Defines boundaries between Agents and LLMs; establishes action paradigms and the loop perspective. | None | 02-15 |
| 02 | Brain Circuit Design | Routing, streaming interception, context compression, hallucination fallback. | 01 | 03, 04, 15 |
| 03 | Memory Persistence System | Short/long memory, file states, SQLite/FTS/Vector retrieval, RAG. | 01, 02 | 14, 15 |
| 04 | Instruction Protocol & API | System prompt engineering, function calling, schemas, tool parsing. | 01, 02 | 05, 06, 07 |
| 05 | CLI Tool Engine | Shell execution, PTY, ANSI stripping, timeouts, subprocess models. | 04 | 08, 13 |
| 06 | File & Code Engine | Diff/patch, AST manipulation, globs, LSP, edit reliability. | 04, 05 | 14, 15 |
| 07 | Sensory & MCP Protocol | MCP, browser automation, Computer Use, external perception. | 04, 05, 06 | 12, 13 |
| 08 | Survival & Self-Drive | Daemons, heartbeats, crons, event-driven architecture, sleep/wake cycles. | 05 | 12, 15 |
| 09 | Interactive Terminal UI | TUI, WebSocket/IPC, human-in-the-loop channels. | 05, 08 | 10 |
| 10 | Flutter Cross-Platform | Connecting the control plane to desktop/mobile apps. | 09 | Productization |
| 11 | Autonomous Skill Extension | Skill mounting, runtime compilation, self-writing skills. | 04, 06, 07 | 12, 13 |
| 12 | Multi-Agent Distributed Control | Manager-worker patterns, consensus, swarm state synchronization. | 08, 11 | 13, 15 |
| 13 | Geek Sandbox & Security | Containers, user-space kernels, remote execution, zero-trust permissions. | 05, 07, 12 | 15 |
| 14 | Engineering Standards & Context | Workspace rules, dynamic context assembly, token budgets. | 02, 03, 06 | Overall Quality |
| 15 | Observability & Ops | Tracing, shadow mode, log rotation, auditing. | All prior | Production Readiness |
This order exists for a reason: establish "boundaries and loops" first, wire up "tools and sensors" second, and finally bolt on "constraints and ops for long-running execution". Many failed agent projects approach this backwards: they build a running demo first, and only later try to retrofit idempotency/permissions/observability, resulting in endless rewrites.
Overview Articles vs. Deep Dives
This 00-ai-agent-overview.md file serves only as the "map and boundaries"—it does not replace any deep-dive article. Moving forward, each top-level directory contains two types of content:
- Parent Node Overviews: Explaining internal module boundaries, roadmaps, comparisons, and prerequisites.
- Leaf Node Deep Dives: Focusing intensely on a single mechanism, covering What / Problem / Usage / Principle / Source / Design / Pitfalls / Debugging.
The parent maps the territory; the leaf explains the engine. The map avoids implementation details, and the detail pages avoid redrawing the map. This keeps the knowledge base maintainable and prevents duplicating definitions globally.
Acceptance Criteria for this Domain (Longer is Not Better)
Acceptance is not based on "word count," but on whether the content can support real engineering:
- System Level: Does the directory order reflect real-world engineering dependencies? (Otherwise, you risk constant refactoring).
- Article Level: Does a single article thoroughly dissect a mechanism? (Mechanics, implementation paths, failure modes, error-proofing).
- Engineering Level: Can it prevent real production accidents? (Timeouts, retries, idempotency, permissions, isolation, observability, auditing).
Therefore, the refactoring of this domain will first stabilize the foundational prerequisites (definitions, boundaries, action paradigms, loop theories), and only then advance into model routing, memory, tool invocation, MCP, multi-agent swarms, security isolation, and ops.
Source Verification
Before any article in this domain is rewritten, a research dossier is generated and stored at:
.agents/runs/06-ai-agent/research/articles/<article>.md
Its purpose is not to "stack links," but to lock down critical facts and primary sources, ensuring the main text never invents mechanisms or asserts conclusions without evidence.
Minimal Implementation Checklist (Turning this Tree into Code)
If you are building a runnable agent runtime from scratch, use this checklist to self-audit. It intentionally avoids naming specific frameworks, focusing solely on the "objects and boundaries you must implement."
1) Tasks and the State Machine
Task: Objectives, inputs, constraints, deadlines, budgets.Step: Replayable action units with explicit inputs and outputs.TaskState: Current step, completed steps, next candidates, failure counts.Checkpoint: Persisting state to disk before and after side effects, supporting recovery and replay.
2) Tools and Governance
Tool(Interface): Name, schema, execution function, timeout, permission scope.ToolResult: Structured data + raw output + truncation info.Gate(Governance Pipeline):parse -> validate -> authorize -> execute -> record.WAL(Write-Ahead Log): Every side effect writes an immutable record (Who, when, targeting which resource, did what, with what result).
3) Context and Memory
ContextAssembler: Assembling rules, live environment data, history, and retrieved snippets into a controllable input.MemoryStore: Document/code indexes, retrieval interfaces, noise reduction strategies.Compressor: Folding history into structured facts and decision points.
4) Observability and Auditing
Trace: One task -> multiple invocations -> multiple tool steps.Span: Every model call and tool call is a span.AuditLog: Used retrospectively to answer "what exactly happened?"
5) Isolation and Permissions
- Filesystem: Read-only mounts, allowlisted paths, blocking writes outside the workspace.
- Network: Default deny, allowlisting by domain/port/destination.
- Processes: Resource quotas (CPU/RAM), timeouts, and forced garbage collection.
Common Pitfalls (Traps That Cause Endless Rewrites)
- Building the demo first, adding governance later: You will discover that every "patch" requires changing the core interface, leading to massive rewrites.
- Treating the model as the executor: Letting the model directly concatenate and execute shell commands is equivalent to piping untrusted input directly into syscalls.
- Logging text only: Text logs cannot be queried or analyzed; you must use structured fields and trace IDs.
- Believing "more context solves it": Context management is a structural problem, not a capacity problem.
- Treating multi-agent as concurrency: Multi-agent swarms don't give you "faster execution," they give you "infinitely more complex attribution and synchronization."
This is why this domain uses "boundaries, loops, governance, persistence, context, isolation, and observability" as its primary thread, rather than following a popular framework's documentation.
Next step recommendation: Read through the four articles in 01-Cognition and Enlightenment first, then return here to implement the "Minimal Implementation Checklist" item by item.