What Works and What Does not

On this article, you’ll find out how device design — not mannequin functionality — is the basis reason for most AI agent failures, and what concrete design patterns you possibly can apply to repair it.

Subjects we are going to cowl embrace:

Instrument design practices that enhance agent reliability, together with single-responsibility instruments, tight schemas, and structured error returns.
Widespread failure modes comparable to unfiltered API publicity, silent partial success, and overlapping device names that break real-world workloads.
Schema and error dealing with patterns that cut back hallucination and unreliable habits on the device boundary.

Let’s get into it.

AI Agent Tool Design: What Works and What Doesn't

AI Agent Instrument Design: What Works and What Doesn’t

Introduction

Most AI agent failures seem like mannequin errors: selecting the unsuitable device, passing dangerous arguments, or mishandling errors. However in observe, the mannequin is normally working with the interface it was given. The underlying difficulty is usually the device design itself.

A mannequin can solely purpose from the data uncovered by the device interface: the device identify, its description, the parameter schema, and the parameter descriptions. These particulars form how the mannequin interprets intent, plans actions, and executes duties. When the device design is unclear, incomplete, or loosely structured, failures change into predictable somewhat than unintended.

Issues like imprecise naming, ambiguous directions, inconsistent schemas, weak parameter definitions, and poor error dealing with all enhance the chance of failures. Stronger fashions can cut back some errors, however they can not reliably compensate for a flawed interface. This text covers:

Instrument design practices that enhance reliability
Failure modes that look wonderful in demos however break below actual workloads
Schema and error design that reduces hallucination on the device boundary

Every sample is paired with its failure counterpart, as a result of understanding why a design fails is as essential as understanding what to exchange it with.

What Works in AI Agent Instrument Design

1. One Instrument, One Duty

In most agent programs, a device ought to signify a single, clear operation. When one device handles a number of behaviors by an motion parameter, the mannequin should first work out which mode to invoke earlier than it may remedy the precise activity.

The distinction turns into clearer when evaluating a multi-action device towards devoted single-purpose instruments:

# Keep away from: action-based multi-behavior device @device def manage_customer( motion: str, customer_id: str | None = None, information: dict | None = None ): “”” motion: create | get | replace | delete | droop “”” … # Choose: single-responsibility instruments @device def create_customer(information: CustomerInput) -> Buyer: “””Create a brand new buyer file.””” … @device def get_customer(customer_id: str) -> Buyer: “””Retrieve a buyer by ID.””” … @device def suspend_customer(customer_id: str, purpose: str) -> SuspensionResult: “””Droop a buyer account.””” …

# Keep away from: action-based multi-behavior device

@device

def manage_customer(

motion: str,

customer_id: str | None = None,

information: dict | None = None

“”“

motion: create | get | replace | delete | droop

““”

...

# Choose: single-responsibility instruments

@device

def create_customer(information: CustomerInput) -> Buyer:

“”“Create a brand new buyer file.”“”

...

@device

def get_customer(customer_id: str) -> Buyer:

“”“Retrieve a buyer by ID.”“”

...

@device

def suspend_customer(customer_id: str, purpose: str) -> SuspensionResult:

“”“Droop a buyer account.”“”

...

One Instrument, One Duty

Single-responsibility instruments give the mannequin an unambiguous operate and provide you with cleaner error dealing with and simpler observability.

⚠️ Word: It is a helpful default somewhat than a common rule. Some domains — comparable to shell, filesystem, browser, or calendar instruments — could profit from a constrained multi-action interface as a result of the motion area itself is a part of the underlying abstraction.

2. Schemas That Make Invalid States Inconceivable

In tool-calling brokers, the mannequin constructs device name arguments by reasoning out of your schema.

A free schema means the mannequin guesses at constraints.
A decent schema encodes these constraints so no guessing is required.

Right here’s an instance:

from pydantic import BaseModel, Discipline from enum import Enum class Precedence(str, Enum): LOW = “low” MEDIUM = “medium” HIGH = “excessive” class CreateTaskInput(BaseModel): title: str = Discipline( description=”Brief, actionable activity title. Use crucial kind: ‘Evaluation PR’, not ‘PR Evaluation’.”, min_length=5, max_length=100 ) precedence: Precedence = Discipline( description=”Job precedence. Use HIGH just for blockers affecting different work.”, default=Precedence.MEDIUM ) due_date: str = Discipline( description=”Due date in ISO 8601 format: YYYY-MM-DD. Have to be a future date.”, sample=r”^d{4}-d{2}-d{2}$” )

from pydantic import BaseModel, Discipline

from enum import Enum

class Precedence(str, Enum):

LOW = “low”

MEDIUM = “medium”

HIGH = “excessive”

class CreateTaskInput(BaseModel):

title: str = Discipline(

description=“Brief, actionable activity title. Use crucial kind: ‘Evaluation PR’, not ‘PR Evaluation’.”,

min_length=5,

max_length=100

)

precedence: Precedence = Discipline(

description=“Job precedence. Use HIGH just for blockers affecting different work.”,

default=Precedence.MEDIUM

)

due_date: str = Discipline(

description=“Due date in ISO 8601 format: YYYY-MM-DD. Have to be a future date.”,

sample=r“^d{4}-d{2}-d{2}$”

)

Enums are significantly helpful for fields with a small set of legitimate values as a result of they eradicate a category of plausible-but-invalid outputs. Validation failures floor on the device boundary somewhat than as cryptic downstream errors.

3. Descriptions That Outline Scope, Not Simply Function

Instrument descriptions are model-facing documentation. They should do two issues: clarify when to make use of the device, and clarify when to not. Most descriptions solely do the primary.

# Weak: explains what it does, not when to not use it “””Seek for paperwork within the information base.””” # Sturdy: defines function, scope, and limits “”” Search the interior information base for paperwork, insurance policies, and reference materials. Use this when the consumer asks about firm procedures, product specs, or documented workflows. Do NOT use this for real-time information (costs, availability, present standing) — use get_live_data() as an alternative. Returns as much as 5 outcomes ranked by relevance. If no outcomes are returned, the data is just not within the information base. “””

# Weak: explains what it does, not when to not use it

“”“Seek for paperwork within the information base.”“”

# Sturdy: defines function, scope, and limits

“”“

Search the interior information base for paperwork, insurance policies, and reference materials.

Use this when the consumer asks about firm procedures, product specs, or documented workflows.

Do NOT use this for real-time information (costs, availability, present standing) — use get_live_data() as an alternative.

Returns as much as 5 outcomes ranked by relevance. If no outcomes are returned, the data is just not within the information base.

““”

With out the disambiguation, the mannequin infers scope from the device identify alone, which is usually a dependable supply of choice errors at scale. A superb device definition consists of clear boundaries from different instruments, not simply utilization directions.

4. Structured, Actionable Error Returns

When a device fails, the mannequin reads the error and decides what to do subsequent. An unhandled exception or stack hint produces noise-driven follow-up habits. A structured error offers the mannequin one thing to department on.

Structured errors shouldn’t solely report what failed but in addition assist the agent resolve what to do subsequent. A superb error format makes retry habits specific and offers the mannequin a transparent restoration path:

class ToolError(BaseModel): error_code: str # machine-readable, for the mannequin to department on message: str # human-readable description recoverable: bool # can the agent retry? suggested_action: str # what the agent ought to do subsequent # Document not discovered: retryable return ToolError( error_code=”RECORD_NOT_FOUND”, message=”No consumer file discovered with ID ‘usr_123’.”, recoverable=True, suggested_action=”Use list_users() to get legitimate consumer IDs earlier than calling get_user().” ) # Quota exceeded: not retryable return ToolError( error_code=”QUOTA_EXCEEDED”, message=”API quota for this device has been reached for as we speak.”, recoverable=False, suggested_action=”Notify the consumer and cease. Don’t retry this device as we speak.” )

class ToolError(BaseModel):

error_code: str # machine-readable, for the mannequin to department on

message: str # human-readable description

recoverable: bool # can the agent retry?

suggested_action: str # what the agent ought to do subsequent

# Document not discovered: retryable

return ToolError(

error_code=“RECORD_NOT_FOUND”,

message=“No consumer file discovered with ID ‘usr_123’.”,

recoverable=True,

suggested_action=“Use list_users() to get legitimate consumer IDs earlier than calling get_user().”

)

# Quota exceeded: not retryable

return ToolError(

error_code=“QUOTA_EXCEEDED”,

message=“API quota for this device has been reached for as we speak.”,

recoverable=False,

suggested_action=“Notify the consumer and cease. Don’t retry this device as we speak.”

)

The recoverable flag and suggested_action subject are what change agent habits. With out them, fashions retry non-retryable errors or abandon recoverable ones.

5. Idempotent State-Altering Operations

Each device that mutates state — creates a file, sends a message, transfers funds — should be protected to name twice. In observe, brokers retry, networks fail, and the LLM loop could difficulty a second name as a result of affirmation of the primary by no means arrived.

A easy option to stop duplicate unintended effects is to require an idempotency key for each write operation:

@device def send_email( to: str, topic: str, physique: str, idempotency_key: str = Discipline( description=”Distinctive key for this ship operation. Use a hash of recipient + topic + timestamp. “ “Similar key on retry returns the unique end result with out re-sending.” ) ) -> dict: “””Ship an e-mail. Idempotent: the identical idempotency_key is not going to set off a second ship.””” current = idempotency_store.get(idempotency_key) if current: return current end result = email_service.ship(to=to, topic=topic, physique=physique) idempotency_store.set(idempotency_key, end result, ttl=86400) return end result

@device

def send_email(

to: str,

topic: str,

physique: str,

idempotency_key: str = Discipline(

description=“Distinctive key for this ship operation. Use a hash of recipient + topic + timestamp. “

“Similar key on retry returns the unique end result with out re-sending.”

)

) -> dict:

“”“Ship an e-mail. Idempotent: the identical idempotency_key is not going to set off a second ship.”“”

current = idempotency_store.get(idempotency_key)

if current:

return current

end result = email_service.ship(to=to, topic=topic, physique=physique)

idempotency_store.set(idempotency_key, end result, ttl=86400)

return end result

With out idempotency ensures, transient failures can simply flip into duplicate actions.

What Doesn’t Work in AI Agent Instrument Design

1. Skinny Wrappers Round Unfiltered APIs

Pointing an agent at a REST API and surfacing it as a device is the most typical shortcut and the most typical supply of manufacturing failures. APIs constructed for builders usually expose way more element than brokers really want. Responses come full of a whole bunch of fields, even when solely a handful are related. They depend on pagination, use opaque inside IDs with little contextual which means, and return error codes that require deep area information to interpret.

A purpose-built wrapper handles pagination internally, initiatives solely the fields the agent wants, and maps API errors to the structured ToolError format mentioned above. The agent by no means constructs API paths or manages pages; it receives typed objects it may purpose about.

That mentioned, over-wrapping may also be dangerous. If each endpoint turns into a separate, narrowly outlined device with no shared construction, the device floor can change into fragmented and more durable for the mannequin to navigate. The aim is just not maximal abstraction, however a constant, agent-friendly abstraction layer.

2. Loading All Instruments Into Each Context

Accuracy degrades because the device catalog grows. LongFuncEval, a 2025 examine on tool-calling efficiency throughout lengthy contexts, discovered efficiency drops considerably because the device catalog dimension elevated — even in fashions with 128K context home windows. Loading each device into each system immediate compounds this by consuming token price range earlier than any activity content material is processed.

Dynamic device loading addresses each issues. Decide which instruments are related to the present step and embrace solely these:

STEP_TOOL_MAP = { “analysis”: [“search_documents”, “search_web”, “get_url_content”], “write”: [“create_document”, “update_document”, “format_text”], “ship”: [“send_email”, “post_to_slack”, “create_calendar_event”], } def get_tools_for_step(step_type: str, available_tools: record) -> record: relevant_names = STEP_TOOL_MAP.get(step_type, []) return [t for t in available_tools if t.name in relevant_names]

STEP_TOOL_MAP = {

“analysis”: [“search_documents”, “search_web”, “get_url_content”],

“write”: [“create_document”, “update_document”, “format_text”],

“ship”: [“send_email”, “post_to_slack”, “create_calendar_event”],

}

def get_tools_for_step(step_type: str, available_tools: record) -> record:

relevant_names = STEP_TOOL_MAP.get(step_type, [])

return [t for t in available_tools if t.name in relevant_names]

Dynamic Instrument Loading

Exposing solely a small, related subset of instruments at every step — somewhat than the total toolset — usually improves choice accuracy and reduces per-call token price.

3. Silent Partial Success

Partial success turns into an issue when a device completes solely a part of the requested work however returns a response that appears totally profitable. The agent continues execution with an incomplete or deceptive view of the system state.

This normally occurs when instruments suppress inside failures and return solely the profitable portion of the end result:

# This model silently misleads the agent @device def bulk_create_tasks(duties: record) -> dict: created = [] for activity in duties: strive: end result = task_api.create(activity) created.append(end result.id) besides Exception: cross # silent failure: that is the bug return {“created”: created} # This model makes partial success specific @device def bulk_create_tasks(duties: record) -> BulkCreateResult: created, failed = [], [] for activity in duties: strive: created.append(task_api.create(activity).id) besides TaskCreationError as e: failed.append({“enter”: activity.title, “purpose”: str(e)}) return BulkCreateResult( created_ids=created, failed_items=failed, success=len(failed) == 0, partial_success=len(created) > 0 and len(failed) > 0 )

# This model silently misleads the agent

@device

def bulk_create_tasks(duties: record) -> dict:

created = []

for activity in duties:

strive:

end result = task_api.create(activity)

created.append(end result.id)

besides Exception:

cross # silent failure: that is the bug

return {“created”: created}

# This model makes partial success specific

@device

def bulk_create_tasks(duties: record) -> BulkCreateResult:

created, failed = [], []

for activity in duties:

strive:

created.append(task_api.create(activity).id)

besides TaskCreationError as e:

failed.append({“enter”: activity.title, “purpose”: str(e)})

return BulkCreateResult(

created_ids=created,

failed_items=failed,

success=len(failed) == 0,

partial_success=len(created) > 0 and len(failed) > 0

)

The partial_success flag offers the mannequin one thing to department on: retry the failed gadgets, floor the partial end result to the consumer, or halt the workflow.

4. Overlapping Instrument Names and Descriptions

When two instruments do related issues, the mannequin causes about which to make use of on each name. That reasoning prices tokens and introduces errors. Some widespread examples embrace:

search_documents and find_documents with equivalent function
get_user and fetch_user_profile with unclear variations
create_task, add_task, and new_task as three instruments for one operation

In such instances, renaming alone isn’t the repair. Each device wants a function that may be described regardless of different instruments within the set. If an outline requires “in contrast to X, this one…” to make sense, that’s a design downside. Instrument sprawl — too many instruments with overlapping scope — is a supply of unreliable agent habits in enterprise deployments.

5. Harmful Actions With no Affirmation Gate

Any device that takes an irreversible motion — deleting data, messaging actual customers, executing monetary transactions — wants a structural two-step affirmation, not an in-prompt “are you positive?” A staged method introduces an specific affirmation boundary that reduces the danger of unintended or unauthorized execution.

The most secure sample is to separate staging from execution and require a short-lived affirmation token between the 2 steps:

@device def stage_deletion(record_ids: record[str], purpose: str) -> StagedDeletion: “””Stage data for deletion. Does NOT delete something. Returns a affirmation token that expires in 60 seconds. Name confirm_deletion() with this token to proceed.””” token = generate_deletion_token(record_ids) staged_deletions[token] = {“ids”: record_ids, “expires”: now() + 60} return StagedDeletion(token=token, records_to_delete=len(record_ids), expires_in_seconds=60) @device def confirm_deletion(token: str) -> DeletionResult: “””Execute a staged deletion. IRREVERSIBLE. Verify solely after specific consumer approval.””” staged = staged_deletions.get(token) if not staged or staged[“expires”] < now(): elevate ValueError(“Token invalid or expired. Stage the deletion once more.”) # proceed

@device

def stage_deletion(record_ids: record[str], purpose: str) -> StagedDeletion:

“”“Stage data for deletion. Does NOT delete something.

Returns a affirmation token that expires in 60 seconds.

Name confirm_deletion() with this token to proceed.”“”

token = generate_deletion_token(record_ids)

staged_deletions[token] = {“ids”: record_ids, “expires”: now() + 60}

return StagedDeletion(token=token, records_to_delete=len(record_ids), expires_in_seconds=60)

@device

def confirm_deletion(token: str) -> DeletionResult:

“”“Execute a staged deletion. IRREVERSIBLE. Verify solely after specific consumer approval.”“”

staged = staged_deletions.get(token)

if not staged or staged[“expires”] < now():

elevate ValueError(“Token invalid or expired. Stage the deletion once more.”)

# proceed

Destructive Actions Without a Confirmation Gate

Harmful Actions With no Affirmation Gate

Two distinct device calls imply the mannequin can not full a harmful operation in a single reasoning step, which is the purpose.

⚠️ Word: Two-step security flows, nevertheless, are sometimes not adequate on their very own in lots of programs. Even when staging and affirmation are used, further safeguards — comparable to short-lived, single-use tokens, strict session binding, and replay safety — are essential to forestall token reuse, leakage, or cross-session execution that may bypass the meant security boundary.

AI Agent Instrument Design Selections at a Look

Each row represents a key determination in AI agent device design:

Design Space	Works	Doesn’t Work
Instrument Scope	Single accountability per device	Motion-parameter instruments like `manage_database(motion="create")`
Schema	Tight: enums, validators, typed fields	Unfastened: free strings, untyped dicts
Descriptions	Embody scope boundaries and when to not use	Joyful path solely
Write Operations	Idempotent with idempotency keys	Hearth-and-forget, no retry security
Error Returns	Structured: `error_code`, `recoverable`, `suggested_action`	Unhandled exceptions or untyped strings
Instrument Depend	Dynamic loading per step	All instruments in each context
API Wrapping	Function-built wrapper with agent-facing schema	Unfiltered API publicity
Partial Success	Specific `partial_success` subject in return	Silent exception swallowing
Harmful Actions	Two-step staging + affirmation	Single-call delete/ship/execute
Instrument Overlap	Semantically distinct, audited earlier than deploy	Comparable names and descriptions competing

Writing efficient instruments for AI brokers — utilizing AI brokers from Anthropic is a helpful reference on device design.

Vector RAG Isn’t Sufficient — I Constructed a Context Graph Layer for Multi-Agent Reminiscence

Clustering Unstructured Textual content with LLM Embeddings and HDBSCAN

Subjects we are going to cowl embrace:

Instrument design practices that enhance agent reliability, together with single-responsibility instruments, tight schemas, and structured error returns.
Widespread failure modes comparable to unfiltered API publicity, silent partial success, and overlapping device names that break real-world workloads.
Schema and error dealing with patterns that cut back hallucination and unreliable habits on the device boundary.

Let’s get into it.

AI Agent Instrument Design: What Works and What Doesn’t

Introduction

Instrument design practices that enhance reliability
Failure modes that look wonderful in demos however break below actual workloads
Schema and error design that reduces hallucination on the device boundary

Every sample is paired with its failure counterpart, as a result of understanding why a design fails is as essential as understanding what to exchange it with.

What Works in AI Agent Instrument Design

1. One Instrument, One Duty

The distinction turns into clearer when evaluating a multi-action device towards devoted single-purpose instruments:

# Keep away from: action-based multi-behavior device

@device

def manage_customer(

motion: str,

customer_id: str | None = None,

information: dict | None = None

“”“

motion: create | get | replace | delete | droop

““”

...

# Choose: single-responsibility instruments

@device

def create_customer(information: CustomerInput) -> Buyer:

“”“Create a brand new buyer file.”“”

...

@device

def get_customer(customer_id: str) -> Buyer:

“”“Retrieve a buyer by ID.”“”

...

@device

def suspend_customer(customer_id: str, purpose: str) -> SuspensionResult:

“”“Droop a buyer account.”“”

...

One Instrument, One Duty

Single-responsibility instruments give the mannequin an unambiguous operate and provide you with cleaner error dealing with and simpler observability.

2. Schemas That Make Invalid States Inconceivable

In tool-calling brokers, the mannequin constructs device name arguments by reasoning out of your schema.

A free schema means the mannequin guesses at constraints.
A decent schema encodes these constraints so no guessing is required.

Right here’s an instance:

from pydantic import BaseModel, Discipline

from enum import Enum

class Precedence(str, Enum):

LOW = “low”

MEDIUM = “medium”

HIGH = “excessive”

class CreateTaskInput(BaseModel):

title: str = Discipline(

description=“Brief, actionable activity title. Use crucial kind: ‘Evaluation PR’, not ‘PR Evaluation’.”,

min_length=5,

max_length=100

)

precedence: Precedence = Discipline(

description=“Job precedence. Use HIGH just for blockers affecting different work.”,

default=Precedence.MEDIUM

)

due_date: str = Discipline(

description=“Due date in ISO 8601 format: YYYY-MM-DD. Have to be a future date.”,

sample=r“^d{4}-d{2}-d{2}$”

)

3. Descriptions That Outline Scope, Not Simply Function

Instrument descriptions are model-facing documentation. They should do two issues: clarify when to make use of the device, and clarify when to not. Most descriptions solely do the primary.

# Weak: explains what it does, not when to not use it

“”“Seek for paperwork within the information base.”“”

# Sturdy: defines function, scope, and limits

“”“

Search the interior information base for paperwork, insurance policies, and reference materials.

Use this when the consumer asks about firm procedures, product specs, or documented workflows.

Do NOT use this for real-time information (costs, availability, present standing) — use get_live_data() as an alternative.

Returns as much as 5 outcomes ranked by relevance. If no outcomes are returned, the data is just not within the information base.

““”

4. Structured, Actionable Error Returns

class ToolError(BaseModel):

error_code: str # machine-readable, for the mannequin to department on

message: str # human-readable description

recoverable: bool # can the agent retry?

suggested_action: str # what the agent ought to do subsequent

# Document not discovered: retryable

return ToolError(

error_code=“RECORD_NOT_FOUND”,

message=“No consumer file discovered with ID ‘usr_123’.”,

recoverable=True,

suggested_action=“Use list_users() to get legitimate consumer IDs earlier than calling get_user().”

)

# Quota exceeded: not retryable

return ToolError(

error_code=“QUOTA_EXCEEDED”,

message=“API quota for this device has been reached for as we speak.”,

recoverable=False,

suggested_action=“Notify the consumer and cease. Don’t retry this device as we speak.”

)

The recoverable flag and suggested_action subject are what change agent habits. With out them, fashions retry non-retryable errors or abandon recoverable ones.

5. Idempotent State-Altering Operations

A easy option to stop duplicate unintended effects is to require an idempotency key for each write operation:

@device

def send_email(

to: str,

topic: str,

physique: str,

idempotency_key: str = Discipline(

description=“Distinctive key for this ship operation. Use a hash of recipient + topic + timestamp. “

“Similar key on retry returns the unique end result with out re-sending.”

)

) -> dict:

“”“Ship an e-mail. Idempotent: the identical idempotency_key is not going to set off a second ship.”“”

current = idempotency_store.get(idempotency_key)

if current:

return current

end result = email_service.ship(to=to, topic=topic, physique=physique)

idempotency_store.set(idempotency_key, end result, ttl=86400)

return end result

With out idempotency ensures, transient failures can simply flip into duplicate actions.

What Doesn’t Work in AI Agent Instrument Design

1. Skinny Wrappers Round Unfiltered APIs

2. Loading All Instruments Into Each Context

Dynamic device loading addresses each issues. Decide which instruments are related to the present step and embrace solely these:

STEP_TOOL_MAP = {

“analysis”: [“search_documents”, “search_web”, “get_url_content”],

“write”: [“create_document”, “update_document”, “format_text”],

“ship”: [“send_email”, “post_to_slack”, “create_calendar_event”],

}

def get_tools_for_step(step_type: str, available_tools: record) -> record:

relevant_names = STEP_TOOL_MAP.get(step_type, [])

return [t for t in available_tools if t.name in relevant_names]

Dynamic Instrument Loading

Exposing solely a small, related subset of instruments at every step — somewhat than the total toolset — usually improves choice accuracy and reduces per-call token price.

3. Silent Partial Success

This normally occurs when instruments suppress inside failures and return solely the profitable portion of the end result:

# This model silently misleads the agent

@device

def bulk_create_tasks(duties: record) -> dict:

created = []

for activity in duties:

strive:

end result = task_api.create(activity)

created.append(end result.id)

besides Exception:

cross # silent failure: that is the bug

return {“created”: created}

# This model makes partial success specific

@device

def bulk_create_tasks(duties: record) -> BulkCreateResult:

created, failed = [], []

for activity in duties:

strive:

created.append(task_api.create(activity).id)

besides TaskCreationError as e:

failed.append({“enter”: activity.title, “purpose”: str(e)})

return BulkCreateResult(

created_ids=created,

failed_items=failed,

success=len(failed) == 0,

partial_success=len(created) > 0 and len(failed) > 0

)

The partial_success flag offers the mannequin one thing to department on: retry the failed gadgets, floor the partial end result to the consumer, or halt the workflow.

4. Overlapping Instrument Names and Descriptions

When two instruments do related issues, the mannequin causes about which to make use of on each name. That reasoning prices tokens and introduces errors. Some widespread examples embrace:

search_documents and find_documents with equivalent function
get_user and fetch_user_profile with unclear variations
create_task, add_task, and new_task as three instruments for one operation

5. Harmful Actions With no Affirmation Gate

The most secure sample is to separate staging from execution and require a short-lived affirmation token between the 2 steps:

@device

def stage_deletion(record_ids: record[str], purpose: str) -> StagedDeletion:

“”“Stage data for deletion. Does NOT delete something.

Returns a affirmation token that expires in 60 seconds.

Name confirm_deletion() with this token to proceed.”“”

token = generate_deletion_token(record_ids)

staged_deletions[token] = {“ids”: record_ids, “expires”: now() + 60}

return StagedDeletion(token=token, records_to_delete=len(record_ids), expires_in_seconds=60)

@device

def confirm_deletion(token: str) -> DeletionResult:

“”“Execute a staged deletion. IRREVERSIBLE. Verify solely after specific consumer approval.”“”

staged = staged_deletions.get(token)

if not staged or staged[“expires”] < now():

elevate ValueError(“Token invalid or expired. Stage the deletion once more.”)

# proceed

Harmful Actions With no Affirmation Gate

Two distinct device calls imply the mannequin can not full a harmful operation in a single reasoning step, which is the purpose.

AI Agent Instrument Design Selections at a Look

Each row represents a key determination in AI agent device design:

Design Space	Works	Doesn’t Work
Instrument Scope	Single accountability per device	Motion-parameter instruments like `manage_database(motion="create")`
Schema	Tight: enums, validators, typed fields	Unfastened: free strings, untyped dicts
Descriptions	Embody scope boundaries and when to not use	Joyful path solely
Write Operations	Idempotent with idempotency keys	Hearth-and-forget, no retry security
Error Returns	Structured: `error_code`, `recoverable`, `suggested_action`	Unhandled exceptions or untyped strings
Instrument Depend	Dynamic loading per step	All instruments in each context
API Wrapping	Function-built wrapper with agent-facing schema	Unfiltered API publicity
Partial Success	Specific `partial_success` subject in return	Silent exception swallowing
Harmful Actions	Two-step staging + affirmation	Single-call delete/ship/execute
Instrument Overlap	Semantically distinct, audited earlier than deploy	Comparable names and descriptions competing