Subject 05 · Builds on everything above
Agents & Tooling
An agent is a prompted model given tools, retrieval, and a plan. Agents, tool use and MCP, retrieval, skills, workflows, rules, and the harnesses they run in.
28 pages across 7 topics
AI agents
A prompted model that plans and acts.
- Chatbot or agent? A chatbot is a single turn: you ask, it answers, done. An agent runs a loop, controlling how the work unfolds rather than following a fixed script.
- Workflows vs agents: A workflow is a track laid down in advance; an agent lays its own track as it goes. Most production systems are workflows, and that is usually the right call.
- The three ingredients: Every agent, however it is built, comes down to three parts: a model that does the reasoning, tools that let it act, and instructions that hold the goal and the rules.
- The agent loop: Put the ingredients together and you get the loop that defines an agent: reason, act, observe, repeat. This cycle is what lets an agent handle open-ended work.
- Strengths and failures: Agents shine on open-ended tasks with many small steps. The catch is arithmetic: reliability compounds, so the chance of finishing a long task cleanly drops fast.
Tool use & MCP
How a model calls the outside world.
- Tool use: A language model only emits text on its own. Tool use hands it a menu of functions: the model proposes a structured call, your code runs the actual function, and the result comes back for the model to read.
- Why MCP exists: With M models and N tools, tool use forced roughly M times N fragile custom integrations. MCP collapses that: a tool exposes itself once, and any MCP-aware model can use it, like a USB-C port for AI.
- MCP architecture: MCP has three roles: a host (the AI application), a client inside it, and a server that exposes tools, resources, and prompts. The pieces talk over JSON-RPC, and the standard now spans OpenAI and Google.
- MCP authorization: Connecting a model to your real tools means connecting it to your real data and actions. MCP's authorization rests on OAuth 2.1, but confused-deputy attacks, token leakage, and prompt injection through poisoned tool descriptions are specific risks to contain.
RAG & retrieval
Answering from your own data.
- RAG two phases: Retrieval-augmented generation (RAG) lets a model answer from your own data by fetching relevant text and adding it to the prompt. It always runs in two phases: index your documents once offline, then retrieve the closest chunks at question time.
- Embeddings & similarity: Embeddings turn text into vectors so passages with similar meaning land near each other. Documents and queries must use the same model, and retrieval becomes a nearest-neighbor search for the top-K closest chunks.
- Grounding & failures: RAG's promise is grounding: answers anchored to retrieved, citable text hallucinate less. But it only helps if retrieval surfaces the right passage, which is why most RAG failures trace back to retrieval, not the model.
Skills
Packaged, reusable know-how.
- Inside a skill: A skill is a reusable, packaged capability an AI agent loads when it needs it: a folder built around a single instructions file, with optional scripts, references, and assets alongside.
- Progressive disclosure: Skills scale through progressive disclosure: the agent loads a skill in levels, so a large library costs almost nothing in context until one becomes relevant.
- Skill, tool, or prompt: These three get confused: a one-off prompt is retyped each turn, a tool gives the agent access to a capability, and a skill gives it the procedural method for using that capability well.
- An open standard: Skills are published as an open standard rather than a single-vendor feature, and several products support them, including Cursor and GitHub Copilot.
Workflows & orchestration
Making multi-step AI reliable.
- Why reliability matters: A workflow connects models and tools along defined paths so a multi-step task stays predictable. Reliability is the core problem because it compounds: per-step success multiplies, so a long chain of even good steps decays fast.
- Structural fixes: Three structural fixes bend the reliability curve: keep chains short, add gates that check each result before the next step runs, and retry failed steps so a likely failure becomes a rare one.
- Orchestration patterns: The main orchestration patterns are sequential chaining, parallel fan-out and fan-in, handoff and routing to a specialist, hierarchical orchestrator-workers, and the evaluator-optimizer loop.
- Durable execution: Durable-execution systems persist the state of a job so a failed step can retry from where it stopped rather than restarting the whole thing, which is what makes retry math pay off in production.
Rules & guardrails
The limits around an agent.
- Rules vs prompt: A system prompt sets who the agent is and how it behaves every turn. Rules and guardrails are enforced boundaries on what it can actually do. One steers; the other constrains.
- Least privilege: The first guardrail is access. Give the agent only what the current task requires, scoped per tool, preferring short-lived credentials so a mistake or hijack cannot reach beyond a small blast radius.
- Decide vs act: A reliable pattern splits deciding to act from doing it. The agent proposes an action; an independent check validates it against policy and permissions before it executes.
- Runtime guardrails: Runtime guardrails inspect what flows in and out, filtering inputs and validating outputs before use. They defend against excessive agency: identity abuse, privilege abuse, and rogue-agent behavior.
AI harnesses
The software a model runs inside.
- Harness anatomy: An AI harness is the software around a language model that turns it into an agent: the loop that runs it, the tools it can call, the memory it carries, and the permissions that contain it. The model is the engine; the harness is the car.
- Form factors: AI harnesses come in three shapes: CLI agents live in the terminal and reward scripting, IDE agents work inside your editor with the lowest friction, and cloud or async agents run remotely so you can hand off a task and walk away.
- Autonomy ladder: The autonomy ladder compares harnesses by how much they do on their own, from autocomplete, to approving each step, to plan-then-execute, to fire-and-forget background agents. Higher rungs trade oversight for throughput.
- Harnesses compared: There is no single best coding harness. Reviews give Claude Code the edge on whole-codebase context, Codex on large autonomous tasks, and GitHub Copilot for teams already on GitHub Enterprise. The right one depends on where you work and how much autonomy you trust.