InfraWeaveDocs

Agents, models & tools

Agent composition, alias-based model routing, and the governed tool layer.

Agents

An Agent is a versioned composition: a workflow (or node) plus its model alias, prompts, tool permissions, and guardrail bindings. Like workflows, agent versions are immutable — you publish a new version and flip the pointer. That makes "which agent answered this?" a precise, auditable question: (agent_id, version) pins everything the agent could see and do.

Model routing

Agents never hard-code a provider model. They bind a model alias (tier-1-reasoning, fast-cheap, …) that the router resolves per call:

  1. The alias resolves to a concrete (provider, model_id, model_version).
  2. Layered configuration applies: platform defaults → tenant → agent → experiment → request. A tenant can pin models and an experiment can flip a variant, with no redeploy of the agent.
  3. The call is budget-checked, credential-injected (provider keys are fetched just-in-time — never held by agent code), and dispatched.
  4. On provider failure the resolved fallback chain is walked.
  5. Every call mints provenance — (model_id, model_version, output_id) — plus token counts and cost, joined to the run's trace.
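As an added, runnable illustration of the five steps (not InfraWeave's own code), the following Python resolves an alias through the configuration layers, checks the budget before any provider is touched, fetches the provider key per call, walks the fallback chain on provider failure and mints a provenance record. The layer-merge rule, the configuration keys (aliases, fallbacks, prices, max_tokens, budget_usd), the provider and vault callables, and the sample providers, prices and versions are all assumptions made for the example.

```python
"""Alias-based model routing, steps 1-5 above, as an added runnable example.
Not InfraWeave's code: the layer-merge rule, the configuration keys
(aliases, fallbacks, prices, max_tokens, budget_usd), the provider callables
and the vault lookup are assumptions made for this illustration."""
from dataclasses import dataclass
import uuid

class BudgetExceeded(Exception): """Call refused before dispatch: worst-case cost over budget."""
class ProviderError(Exception): """A provider failed; the router walks to the next fallback."""
class AllProvidersFailed(Exception): """Every link of the fallback chain failed."""

@dataclass(frozen=True)
class Provenance:
    provider: str
    model_id: str
    model_version: str
    output_id: str
    tokens: int
    cost_usd: float
    fallbacks_walked: int

def merge_layers(*layers: dict) -> dict:
    """Step 2: platform defaults -> tenant -> agent -> experiment -> request.
    Nested dicts merge key by key, so a tenant can pin one alias without
    clobbering the rest of the alias table; scalars are simply overridden."""
    merged: dict = {}
    for layer in layers:
        for key, value in layer.items():
            if isinstance(value, dict) and isinstance(merged.get(key), dict):
                merged[key] = merge_layers(merged[key], value)
            else:
                merged[key] = value
    return merged

def resolve_chain(alias: str, config: dict) -> list:
    """Step 1 (and the chain for step 4): the alias, then its fallback aliases,
    each mapped to a concrete {provider, model_id, model_version}."""
    names = [alias] + config.get("fallbacks", {}).get(alias, [])
    return [config["aliases"][name] for name in names]

def route_call(alias, prompt, layers, providers, vault):
    """Steps 3-5. providers: name -> callable(api_key, model_id, prompt) returning
    (text, tokens_used); vault: name -> api_key, looked up per call."""
    config = merge_layers(*layers)
    chain = resolve_chain(alias, config)
    # Budget check before any provider is touched: the worst case is the most
    # expensive model in the chain producing max_tokens.
    worst = max(config["max_tokens"] * config["prices"][m["model_id"]] for m in chain)
    if worst > config["budget_usd"]:
        raise BudgetExceeded(f"worst case ${worst:.4f} > budget ${config['budget_usd']:.4f}")
    for walked, model in enumerate(chain):
        api_key = vault(model["provider"])  # just-in-time; the agent never holds it
        try:
            text, tokens = providers[model["provider"]](api_key, model["model_id"], prompt)
        except ProviderError:
            continue  # provider failure: walk to the next link of the chain
        return text, Provenance(model["provider"], model["model_id"], model["model_version"],
                                uuid.uuid4().hex, tokens,
                                tokens * config["prices"][model["model_id"]], walked)
    raise AllProvidersFailed(alias)

# Constructed configuration layers; providers, prices and versions are made up.
PLATFORM = {
    "aliases": {
        "tier-1-reasoning": {"provider": "acme", "model_id": "acme-large", "model_version": "2024-06"},
        "fast-cheap": {"provider": "acme", "model_id": "acme-small", "model_version": "2024-06"},
    },
    "fallbacks": {"tier-1-reasoning": ["fast-cheap"]},
    "prices": {"acme-large": 0.00003, "acme-small": 0.000002, "beta-pro": 0.00002},  # USD per token
    "max_tokens": 1000,
    "budget_usd": 0.05,
}
TENANT_PIN = {"aliases": {"tier-1-reasoning": {"provider": "beta", "model_id": "beta-pro", "model_version": "2024-05"}}}
EXPERIMENT = {"aliases": {"fast-cheap": {"model_version": "2024-07"}}}  # flips only the version

def demo(primary_down: bool) -> Provenance:
    """Resolve tier-1-reasoning under all layers; optionally take the tenant's
    pinned provider down so the fallback chain is walked."""
    def beta(key, model_id, prompt):
        if primary_down:
            raise ProviderError("beta: 503")
        return f"[{model_id}] answer", 120

    def acme(key, model_id, prompt):
        return f"[{model_id}] answer", 80

    vault = {"acme": "sk-acme-constructed", "beta": "sk-beta-constructed"}.__getitem__
    _, prov = route_call("tier-1-reasoning", "hello", [PLATFORM, TENANT_PIN, EXPERIMENT],
                         {"acme": acme, "beta": beta}, vault)
    return prov
```

The tenant layer pins tier-1-reasoning to a different provider and the experiment layer changes only one version field; because the merge is key by key, neither layer disturbs the rest of the alias table. demo(primary_down=True) exercises the fallback walk, and the provenance it returns names the model that actually answered, not the alias the agent asked for, which is what makes the "which model produced this output?" question answerable.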

Tools

Tools are governed in two planes:

  • The registry (definition plane) is the system of record: every agent-callable tool — MCP server, OpenAPI operation, native function — is registered with its schema and owner. Definitions are versioned and immutable; if a tool's live schema drifts from its registered definition, the tool is quarantined automatically.
  • The gateway (invocation plane) is the single enforcement point every call crosses. Agents never speak HTTP/MCP directly. Per invocation, the gateway enforces — at one logical point — the concerns an agent must not be trusted with:
    Check                 What it does
    Agent allowlist       The agent may only call tools its manifest declares.
    Access control        Per-resource permission check (execute) before anything else.
    Policy                Tenant policy + approval gates evaluate the invocation context.
    Schema validation     Arguments validate against the registered JSON Schema.
    Rate limits           Per-tenant × per-tool budgets.
    Credential injection  Secrets are injected just-in-time, invisibly to the agent.
    Output guardrails     Tool responses are classified before the agent sees them.
    Audit                 Every invocation — including denials — is recorded.
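The following Python is an added example (not InfraWeave's code) of an enforcement point that runs the table's checks in order on every call, records every decision including denials, and fails closed when the output classifier is unavailable, which is the behaviour the Guardrails section below describes. The manifest, permission, policy, rate-limit and audit-record shapes, the small JSON Schema subset it validates, and the classifier and ticket-lookup tool are assumptions constructed for the example.

```python
"""Gateway enforcement pipeline in the order of the table above. Added example,
not InfraWeave's code: the manifest, permission, policy, rate-limit and audit
shapes, the JSON Schema subset and the classifier are assumptions."""
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Any, Callable

class GuardrailUnavailable(Exception):
    """The output classifier could not produce a verdict (outage, timeout)."""

Invocation = namedtuple("Invocation", "agent_id agent_version tenant tool args")
Decision = namedtuple("Decision", "allowed stage reason result", defaults=("", None))
_TYPES = {"string": str, "integer": int, "boolean": bool}

def validate_args(schema: dict, args: dict) -> str:
    """JSON Schema subset (required, properties/type, additionalProperties); "" if valid."""
    for name in schema.get("required", []):
        if name not in args:
            return f"missing required argument {name!r}"
    props = schema.get("properties", {})
    for name, value in args.items():
        if name not in props:
            if schema.get("additionalProperties", True) is False:
                return f"unexpected argument {name!r}"
            continue
        want = _TYPES[props[name]["type"]]
        if not isinstance(value, want) or (want is int and isinstance(value, bool)):
            return f"argument {name!r} must be {props[name]['type']}"
    return ""

@dataclass
class Gateway:
    registry: dict                        # tool -> {"schema": ..., "credential": ...}
    manifests: dict                       # (agent_id, version) -> declared tools
    permissions: dict                     # (tenant, tool) -> granted verbs
    policy: Callable[[Invocation], bool]  # tenant policy + approval gates
    rate_limits: dict                     # (tenant, tool) -> max calls (no window, for brevity)
    vault: Callable[[str], str]           # credential name -> secret, fetched per call
    classify: Callable[[Any], str]        # tool output -> "safe" | "unsafe"
    tools: dict                           # tool -> callable(secret, **args)
    audit: list = field(default_factory=list)
    _counts: dict = field(default_factory=dict)

    def invoke(self, inv: Invocation) -> Decision:
        d = self._enforce(inv)
        # Every invocation is audited, denials included; the secret is never in the record.
        self.audit.append({"agent": (inv.agent_id, inv.agent_version), "tenant": inv.tenant,
                           "tool": inv.tool, "args": inv.args, "allowed": d.allowed,
                           "stage": d.stage, "reason": d.reason})
        return d

    def _enforce(self, inv: Invocation) -> Decision:
        if inv.tool not in self.manifests.get((inv.agent_id, inv.agent_version), ()):
            return Decision(False, "allowlist", "tool not declared in agent manifest")
        if "execute" not in self.permissions.get((inv.tenant, inv.tool), ()):
            return Decision(False, "access_control", "no execute permission on tool")
        if not self.policy(inv):
            return Decision(False, "policy", "tenant policy denied the invocation")
        if problem := validate_args(self.registry[inv.tool]["schema"], inv.args):
            return Decision(False, "schema", problem)
        key = (inv.tenant, inv.tool)
        if self._counts.get(key, 0) >= self.rate_limits.get(key, 0):
            return Decision(False, "rate_limit", "per-tenant per-tool budget exhausted")
        self._counts[key] = self._counts.get(key, 0) + 1
        secret = self.vault(self.registry[inv.tool]["credential"])  # just-in-time, unseen by the agent
        raw = self.tools[inv.tool](secret, **inv.args)
        try:
            verdict = self.classify(raw)
        except GuardrailUnavailable:  # fail closed: an outage is a trip, not a pass
            return Decision(False, "output_guardrail", "classifier unavailable")
        if verdict != "safe":
            return Decision(False, "output_guardrail", f"tool response classified {verdict}")
        return Decision(True, "ok", result=raw)

def demo():
    """Constructed scenario: one allowed call, then one denial per failure mode."""
    outage = {"down": False}

    def classify(output):
        if outage["down"]:
            raise GuardrailUnavailable("classifier timeout")
        return "unsafe" if "ignore previous instructions" in str(output).lower() else "safe"

    gw = Gateway(
        registry={"tickets.lookup": {"credential": "ticketing-api", "schema": {
            "type": "object", "required": ["ticket_id"], "additionalProperties": False,
            "properties": {"ticket_id": {"type": "integer"}, "verbose": {"type": "boolean"}}}}},
        manifests={("support-bot", 3): {"tickets.lookup"}},
        permissions={("acme", "tickets.lookup"): {"execute"}},
        policy=lambda inv: inv.tenant == "acme",
        rate_limits={("acme", "tickets.lookup"): 2},
        vault={"ticketing-api": "svc-token-constructed"}.__getitem__,
        classify=classify,
        tools={"tickets.lookup": lambda secret, ticket_id, verbose=False: {"ticket": ticket_id}},
    )
    call = lambda tool, args: gw.invoke(Invocation("support-bot", 3, "acme", tool, args))
    decisions = [call("tickets.lookup", {"ticket_id": 42}),               # allowed
                 call("shell.exec", {"cmd": "id"}),                        # allowlist denial
                 call("tickets.lookup", {"ticket_id": "42 OR 1=1"})]       # schema denial
    outage["down"] = True
    decisions.append(call("tickets.lookup", {"ticket_id": 43}))           # fail closed
    return gw, decisions
```

Two details matter more than the order of the checks: the tool's credential is fetched inside the gateway and handed only to the tool implementation, so it appears in neither the invocation nor the audit record, and a GuardrailUnavailable from the classifier produces a denial rather than passing the raw tool output through. The rate limiter is a plain counter with no time window, enough to show where the check sits but not something to deploy as is.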

Guardrails

Content safety wraps every LLM-mediated boundary in three layers: input classification, instruction/data separation, and output classification (including tool responses). The guardrail engine fails closed — a classifier outage is a trip, not a pass. Rule sets are platform-governed with per-tenant additions.

Secrets

The vault stores credentials once, envelope-encrypted per tenant. Agents reference secrets by name; values are injected at invocation time with scoped policies and never appear in prompts, traces, or logs. API keys are shown once at creation.
