An agent design where the server, not the model, runs risky tools
This agent design prevents the AI model from directly running tools that change something, such as saving a draft, sending an email, or applying a label. The model can only suggest an action and open an . After approval, the server runs the real function once.
Each action is tracked with a work item ID and a gate ID, so a retry or replay cannot trigger the same action twice. The server’s Postgres database is the for state, and every step is kept in . Operators can stop one agent, one workflow, or the whole system while it is running.
The weak point is that this protects execution safety, not decision safety. A reviewer can still approve a bad action unless the review process shows recurring failure patterns and the right angle for checking the request.
Key points
- The model cannot directly run tools that create s.
- The server runs the approved action once and blocks duplicate execution from retries or replays.
- Postgres holds the trusted state, with for every step.
- Operators can stop a single agent, a workflow, or mid-run.
- The design improves execution safety, but bad human approvals remain a risk.