1. Orchestration Patterns & Control Plane
(Plan • Decompose • Delegate • Synthesize)
Orchestrator–Workers
- Lead agent decomposes goal
- Spawns scoped sub-agents
- Merges results, owns answer
Sequential Pipeline
- Prompt chaining, stage by stage
- Gate checks between stages
- Fail-fast on bad output
Parallel Fan-out
- Concurrent subtasks
- Barrier merge or pipeline
- Dedup + conflict resolution
Router / Handoff
- Classifier → specialist
- Typed handoff payloads
- Escalation on low confidence
Evaluator–Optimizer
- Generator drafts, critic scores
- Loop until pass or budget
- Adversarial verify panels
Hierarchical Teams
- Supervisors of supervisors
- Depth caps stop runaways
- Results roll up w/ provenance
Human-in-the-Loop Gates
- Plan approval pre-execution
- Action approval for mutations
- Trust tiers per action class
Frameworks & Runtimes
- Claude / OpenAI Agent SDKs
- LangGraph, CrewAI, AutoGen
- Google ADK, Temporal (durable)
2. Agent Runtime & State
(The agents themselves • Context • Memory • Budgets)
Planner
- Goal → task graph
- Explicit success criteria
- Re-plans on new facts
Specialist Workers
- Coder, researcher, reviewer
- Role-scoped tool access
- Return data, not prose
Context Manager
- Window budgeting + compaction
- Spill large results to files
- Page back on demand
Memory
- Scratchpad + vector store
- Episodic run history
- Provenance tags on writes
State & Checkpoints
- Durable task state
- Resume / replay from journal
- Idempotent steps by design
Message Bus / Handoffs
- Typed JSON-Schema outputs
- Authenticated agent hops
- No implicit shared state
Budgets & Ceilings
- Token / cost / wall-clock caps
- Iteration + depth limits
- Kill-switch / pause authority
Evaluation & Tracing
- Full-trace observability
- Regression eval suites
- Drift + anomaly detection
3. Tools & Integration Surface
(Where agents touch the world — every arrow is a trust boundary)
MCP Servers
- Standard tool protocol
- Discovery + typed schemas
- Vet like a dependency
Function Calling
- Typed JSON-Schema tools
- Argument validation pre-dispatch
- Corrective retries on bad args
RAG & Vector Stores
- Embeddings, chunk, rerank
- Retrieved text = untrusted
- Access-controlled collections
Code Execution
- Sandboxed interpreters
- Ephemeral containers / microVMs
- Egress blocked by default
Browser & Computer Use
- DOM automation, screenshots
- Page content = hostile until proven
- Domain allowlists
Shell & Filesystem
- Workspace-confined paths
- Allowlisted commands
- Approval for mutations
External APIs & SaaS
- Email, CRM, payments, cloud
- Outbound = exfil channel
- Scoped, short-lived tokens
Data Stores & Queues
- SQL / NoSQL / object storage
- Task queues, event buses
- Least-privilege connections
4. Security Control Plane
(Defense in depth — deterministic controls, not model promises)
Identity & Least Privilege
- Per-agent service identities
- Scoped OAuth, short-lived creds
- Deny by default
Sandboxing & Isolation
- Containers / microVMs
- Workspace jail, RO mounts
- Network egress allowlists
Guardrails & IO Validation
- Injection classifiers
- Schema validation in + out
- URL / domain screening
Approval Gates (HITL)
- Human gate on irreversible acts
- Send / delete / pay / deploy
- Trust tiers per tool + args
Session Integrity
- Signed state + checkpoints
- Re-auth on resume / handoff
- Anomaly kill-switch
Secrets Management
- Vault-issued at call time
- Never in prompts or logs
- Rotation + revocation
Observability & Audit
- Full decision + tool traces
- Immutable audit trail
- Anomaly + cost monitors
Supply Chain + Policy
- Signed, pinned tool manifests
- MCP vetting, SBOM, scanning
- Central allow / deny / ask engine
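Worked example of the control-plane pieces above (deny-by-default manifest, argument validation before dispatch, URL/domain screening, trust tiers per tool, depth cap, central allow / deny / ask verdict); this is an added illustration, not code from the original card, and the tool names, manifest, allowlist and depth cap are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed manifest of hypothetical tools: each entry pins the argument schema
# and the trust tier for its action class. Anything not listed is denied.
TOOL_MANIFEST = {
    "search_docs": {"args": {"query": str}, "tier": "allow"},
    "fetch_url":   {"args": {"url": str}, "tier": "allow"},
    "send_email":  {"args": {"to": str, "body": str}, "tier": "ask"},  # irreversible
    "delete_file": {"args": {"path": str}, "tier": "ask"},             # irreversible
}
DOMAIN_ALLOWLIST = {"docs.example.com", "internal.example.com"}  # constructed
MAX_DEPTH = 3  # delegation depth cap; deeper calls are refused outright


@dataclass
class Decision:
    verdict: str   # "allow", "ask" (human gate) or "deny"
    reason: str


def screen_args(tool: str, args: dict) -> Optional[str]:
    """Schema check plus URL/domain screening; returns a reason on failure."""
    schema = TOOL_MANIFEST[tool]["args"]
    if set(args) != set(schema):
        return f"argument set {sorted(args)} does not match schema {sorted(schema)}"
    for name, typ in schema.items():
        if not isinstance(args[name], typ):
            return f"argument {name!r} must be {typ.__name__}"
    if "url" in args:  # URL / domain screening for any tool that takes a URL
        host = urlparse(args["url"]).hostname or ""
        if host not in DOMAIN_ALLOWLIST:
            return f"domain {host!r} not on allowlist"
    return None


def decide(tool: str, args: dict, depth: int) -> Decision:
    """Central allow / deny / ask decision made before any tool is dispatched."""
    if depth > MAX_DEPTH:
        return Decision("deny", f"delegation depth {depth} exceeds cap {MAX_DEPTH}")
    if tool not in TOOL_MANIFEST:  # deny by default
        return Decision("deny", f"tool {tool!r} not in pinned manifest")
    problem = screen_args(tool, args)
    if problem:
        return Decision("deny", problem)
    if TOOL_MANIFEST[tool]["tier"] == "ask":
        return Decision("ask", f"{tool} is a mutation; human approval required")
    return Decision("allow", "read-only tool, arguments validated")
```

The orchestrator calls `decide` on every proposed tool call and only dispatches on "allow"; an "ask" verdict is routed to the human gate with the arguments attached, so the approver sees exactly what would be sent, deleted or paid.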
5. Threat Landscape
(What attacks the stack — OWASP LLM Top 10 aligned)
Prompt Injection
- Direct: jailbreaks in input
- Indirect: hostile text in pages, docs, tool results
Agentjacking
- Live agent seized mid-run
- Hijacked orchestrator executes attacker goals
- Persists via poisoned checkpoints
Tool Poisoning
- Malicious MCP servers
- Rug pull: descriptions mutate post-install
- Lookalike tools
Data Exfiltration
- Lethal trifecta: private data + untrusted content + outbound
- Exfil via URLs, emails, APIs
Excessive Agency
- Confused deputy misuses broad perms
- Over-scoped tokens
- Unneeded tools attached
Memory / RAG Poisoning
- Planted docs corrupt retrieval
- Persistent: re-fires every session
Identity Spoofing
- Agent-to-agent impersonation
- Stolen / replayed tokens
- Forged handoffs
Supply Chain
- Backdoored dependencies
- Poisoned models / weights
- Compromised registries
Resource Exhaustion
- Runaway delegation loops
- Cost bombs & quota burn
- Fork-bomb agent spawning