跪拜 Guibai
← All articles
Frontend · AI Programming · Android

AI Agent Development Is Systems Engineering, Not an API Call

By 恋猫de小郭 ·
Read original on juejin.cn ↗ Google Translate ↗ Alt translation

Agent frameworks lower the boilerplate but leave the hard parts — tool reliability, state design, failure recovery, and safety — to the developer. Skipping the systems thinking produces demos that collapse under real workloads.

Summary

Agent development is not a matter of picking an SDK and calling an API. It requires assembling a custom engineering system that lets an LLM understand goals, decompose tasks, call tools, observe results, and loop until completion. The frameworks (LangGraph, CrewAI, OpenAI Agents SDK, Google ADK, Genkit) provide reusable building blocks — LLM abstraction, reasoning patterns, state graphs — but they don't solve the business closure problems: permission boundaries, failure recovery, data credibility, approval workflows, and cost control.

Every agent needs a designed set of tools with reliable interfaces and fallbacks, a memory strategy spanning short-term context and long-term vector retrieval, and an explicit reasoning pattern such as ReAct or Plan-and-Execute. State management and workflow orchestration decide when to call a model, when to retry a failed tool, and when to pause for human confirmation. Without this, agents forget where they are mid-task or fall into infinite loops.

Production readiness adds evaluation (LLM-as-Judge, tracing with LangSmith or Langfuse), sandboxing for code and browser agents, and guardrails against prompt injection. The article stresses that many tasks only need a fixed Workflow, not an agent. An agent earns its complexity only when the task path is uncertain, multi-step, and requires environmental feedback. The core skill is defining boundaries and success criteria before touching a framework.

Takeaways
Agent development is the engineering of tools, memory, reasoning, state management, and feedback loops around an LLM, not a single API integration.
Frameworks like LangGraph and OpenAI Agents SDK supply reusable building blocks but do not design the business logic, permission model, or failure-recovery strategy.
Tools must be designed with clear schemas, error handling, fallbacks, and a principle of least privilege — start with read-only, then write, then high-risk actions.
Memory splits into short-term (conversation history) and long-term (vector database with embeddings); hybrid retrieval (semantic + BM25) is needed for precision.
Reasoning patterns such as ReAct, Plan-and-Execute, and Reflexion must be explicitly prompted or templated; the model does not automatically know how to think.
State management and workflow orchestration prevent agents from losing their place mid-task; LangGraph’s graph-plus-checkpointer pattern is popular for this.
Human-in-the-loop checkpoints — pre-execution confirmation, uncertainty pauses, result review — are essential because agents are never 100% autonomous.
Sandboxing (Docker, microVM, cloud sandboxes) is mandatory for code, browser, and file-operation agents to isolate execution from the host.
Guardrails must treat external content as data, not instructions, and intercept sensitive tool calls at the program layer, not just in prompts.
Observability requires tracing every decision, tool call, token cost, and error; without it, debugging an agent is guesswork.
Many tasks only need a fixed Workflow; an Agent is justified only when the path is uncertain, multi-step, and requires environmental feedback.
Multi-agent setups add communication cost and debugging difficulty; a single strong agent with well-defined tools is often more reliable.
Conclusions

Most agent failures in production trace back to unreliable tools, not model intelligence — API timeouts, format changes, and rate limits break the loop.

The gap between a demo agent and a production agent is almost entirely operational: checkpointing, cost control, audit trails, and human approval nodes.

Prompt injection is not a theoretical risk; real-world attacks have used Morse code in web pages to trick agents into transferring funds, proving that program-layer guardrails are non-negotiable.

The article’s emphasis on defining success criteria before building an agent is underappreciated: without a clear stopping condition, an agent cannot judge when a task is done.

Embedding choice is a hidden lever in agent performance — different models produce different coordinate systems, and language-specific scenarios amplify the accuracy gap.

The advice to let an agent read first, write second, and execute high-risk actions last is a practical security posture that many tutorials skip.

Concepts & terms
ReAct (Reason + Act)
A reasoning pattern where the model alternates between thinking about what to do next, executing an action (tool call), observing the result, and looping until the task is complete.
Human-in-the-Loop (HITL)
A design pattern where an agent pauses at critical steps — before a high-risk action, when uncertain, or after generating a result — and waits for human approval before continuing.
Agentic RAG
Retrieval-Augmented Generation extended with multi-turn retrieval: the agent can reformulate queries, read more documents, and decide independently that more information is needed, rather than a single search-and-answer cycle.
Prompt Injection
An attack where external content (a webpage, document, or email) contains instructions designed to override the agent’s system prompt, tricking it into revealing secrets or performing unauthorized actions.
Sandbox
An isolated execution environment (Docker container, microVM, or cloud sandbox) where an agent can run code, modify files, or operate a browser without affecting the host system or real user data.
Embedding
The process of converting text into a numerical vector that captures its semantic meaning, enabling similarity search in a vector database — like assigning GPS coordinates to words.
From the discussion

The conversation splits between the article's substance and the surrounding hype cycle. One side questions whether agent development roles are a real opportunity or just a gold rush fueled by course sellers and anxiety merchants on Douyin. The reply concedes short-term demand exists but doesn't endorse the hype. Other comments simply praise the article's quality.

Agent development roles are hard to evaluate because the market is saturated with paid courses and anxiety-driven marketing, making it unclear whether genuine demand exists or it's just a hype cycle.
Short-term demand for agent development skills is acknowledged as real, even if the long-term outlook remains uncertain.
The article is praised as a rare, thoughtful, and handwritten piece that stands out from typical content.
Featured comments
小林的编程开发日记

Brother Guo, are you bullish on agent development roles? Douyin is flooded with courses selling this kind of development tutorial now — it feels insane. Nine out of ten are just selling courses and spreading anxiety.

恋猫de小郭

It's not really about being bullish or not. It's just that demand is slightly higher in the short term.

小林的编程开发日记  → 恋猫de小郭

That's true. Training institutions and all those so-called 'big-factory architects' — when you click in, they're basically all selling courses.

See top comments, translated →
Source: juejin.cn ↗ Google Translate ↗ Backup ↗