An agent design where the server, not the model, runs risky tools

This agent design prevents the AI model from directly running tools that change something, such as saving a draft, sending an email, or applying a label. The model can only suggest an action and open an . After approval, the server runs the real function once.

Each action is tracked with a work item ID and a gate ID, so a retry or replay cannot trigger the same action twice. The server’s Postgres database is the for state, and every step is kept in . Operators can stop one agent, one workflow, or the whole system while it is running.

The weak point is that this protects execution safety, not decision safety. A reviewer can still approve a bad action unless the review process shows recurring failure patterns and the right angle for checking the request.

Key points

  • The model cannot directly run tools that create s.
  • The server runs the approved action once and blocks duplicate execution from retries or replays.
  • Postgres holds the trusted state, with for every step.
  • Operators can stop a single agent, a workflow, or mid-run.
  • The design improves execution safety, but bad human approvals remain a risk.
Read original