[Design Proposal] Agents Are Not Just Applications — A Model for Managing Digital Workers #686
nadheesh
started this conversation in
Design Proposals
Replies: 1 comment
-
|
The “digital worker” framing is useful because it pushes agent management beyond deployment metadata. I would turn that into a lifecycle object with explicit state transitions. A practical lifecycle could be:
The key difference from managing applications is that the agent should carry both operational state and accountability state. A service can be healthy while an agent is still unacceptable because its tool use, memory, cost, or decision rationale drifted outside its approved purpose. |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Problem
AI agents are different from applications — but the platforms we use to run them treat them as if they aren't.
AI agents decide, act, and adapt. They use tools on behalf of people. They spend money — LLM tokens, compute, API calls. They can make mistakes with real consequences. They work alongside humans, sometimes replacing them, sometimes augmenting them. This is fundamentally different from a web service that waits for a request and returns a response.
The industry is in the middle of a shift:
Agent identity is not "an application with some tokens." An application has an endpoint. An agent has a history — what it's done, what it's learned, who it's accountable to, how much it's spent. Its identity grows over time. You don't ask "who owns this API?" or "what did this API learn last month?" — but you absolutely ask those questions about an agent.
Agents can't be shared like APIs. With APIs, you share the deployment — everyone calls the same endpoint, same code, same state. With agents, you can't. Team A needs their GitHub connected with strict merge approval. Team B needs their GitHub with relaxed rules and different context. Everyone wants the same capability, but loaded with their own tools, their own context, their own governance. You share the blueprint, not the running agent.
Organizations adopting agents are asking questions that no app platform was ever designed to answer:
Today, our platform cannot answer any of these questions — because it models agents as containers, not as workers. There is no concept of an agent's identity, no owner accountable for its behavior, no budget that spans its work, no way to define what it's allowed to do. Developers build agents as one-off scripts. Teams cannot reuse them. Nobody governs them.
The missing abstraction is the managed digital worker: a capability that sits between a dumb application and a fully autonomous employee — with identity, boundaries, accountability, and a lifecycle managed by the platform.
This proposal defines what it means to build a platform for managed digital workers — not just a container runtime with an AI label.
User Stories
As an agent developer, I want to publish an agent as a reusable blueprint — defining its capabilities and what owners can configure — so that any team can deploy it for their own purposes without touching my code.
As an agent owner, I want to onboard an agent into my organization — giving it context about my world, connecting it to my tools, and setting the boundaries of what it's allowed to do — so that it works for my team like a new hire, not a piece of infrastructure.
As a platform admin, I want to register tools and models, set org-wide policies and budget ceilings — so that every agent deployed in my organization operates within governed boundaries.
Existing Solutions
None of the existing platforms fully address the managed digital worker problem. We evaluate them against two questions: (1) Can a developer publish a reusable agent blueprint? (2) Can an owner onboard it — with their own tools, context, and governance — without touching the code?
Agent platforms — how they run agents:
OpenAI Agents SDK / Assistants API: Treats agents as chat assistants backed by a thread store. No developer/owner separation — the same person who builds it deploys it. No governance model. No way to publish an agent as a reusable capability for other teams to onboard.
AWS Bedrock AgentCore: Infrastructure-level agent deployment with an Agent Registry (preview 2026) for discovery. The registry catalogs live agents, MCP servers, and tools — but it's a discovery layer for already-running services, not a blueprint catalog. Owner "configuration" is infrastructure configuration (IAM, Lambda), not organizational context. Tools are first-class registry citizens alongside agents.
Google Cloud Agent Marketplace / Agent Finder: Partners publish Agent Cards (JSON metadata conforming to the A2A protocol) to Google Cloud Marketplace. Customers can add agents to their Gemini Enterprise environment. Closest to a public agent marketplace, but agents run on the partner's infrastructure — the customer connects to a running service, not deploying their own instance.
Microsoft Agent Store + Copilot Studio: Partners build agents and publish to the Agent Store within Microsoft 365 Copilot. Employees discover and install agents with one click. But the consumer is an end-user, not an owner configuring for a team — there's no blueprint/profile split or governance layer.
LangGraph Platform (LangChain): Closest technically — framework-agnostic containers, supports webhooks and cron, stateful checkpointing. Has an internal Agent Registry for org-wide discovery. Supports multiple Assistants (configured variants of a deployed graph with different prompts/models/tools). But still developer-centric: no owner configuration layer, no governance model, no identity or accountability built into the platform.
Paperclip: Introduces the right intuition — agents as persistent, proactive workers that accumulate knowledge over time. Combines heartbeat (cron) and interactive (chat) on the same agent with shared state. But it's a single-tenant product, not a platform where developers publish blueprints for other teams to onboard.
Agent marketplaces — how they publish and share:
Salesforce AgentExchange: Closest to our model. Partners publish four artifact types: Actions (atomic capabilities), Topics (bundles of actions + instructions), Prompt Templates, and Agent Templates (full agents). A customer installs a template and it becomes their agent — running in their org, with their data, permissions, and identity. Mandatory security review. Native MCP and A2A support. The key difference: locked to the Salesforce platform.
CrewAI Marketplace: Builders publish crew templates, agent definitions, and tools (separately). Consumer installs, configures env vars and connections. Revenue sharing for enterprise-adopted templates. Tools are independently publishable via a Tool Repository. Close to our model but tied to the CrewAI framework and lacks governance.
Relevance AI Marketplace: 1,000+ free agents from verified builders. Consumer clones a listing into their project — full modification access after cloning. No-code. But no governance, no identity, no blueprint/profile separation.
Tool registries — how they handle tools:
Smithery: "Docker Hub for MCP" — 7,000+ MCP servers. Publish tool providers, not agents. Agents consume tools from here. Open community publishing. Under 1 minute to install via CLI.
Composio: 850+ toolkits, 11,000+ tools. Managed auth (OAuth handled by Composio). Exposed via MCP or direct APIs. Tools are the only artifact — no agent publishing. Handles credential management and API versioning automatically.
Analogous patterns from infrastructure:
Helm / Artifact Hub: The strongest analogy. A chart (parameterized package) is published to Artifact Hub. An operator installs it with their own
values.yaml. The chart is immutable; all customization happens through the values file. Our blueprint/profile split follows the same pattern.Terraform Registry: Modules published with input variables. Consumer provides variable values. Module author defines the shape; consumer fills in the parameters. Versioning via semver.
What no platform solves: The full publish → catalog → onboard-as-your-own-worker lifecycle with governance. Salesforce comes closest but is platform-locked. AWS and Google have registries but for discovery of running services, not blueprint deployment. Helm has the right artifact model but for infrastructure, not agents. Our proposal combines Helm's blueprint model with Salesforce's install-as-yours pattern and adds the governance layer that no current agent platform provides.
Proposed Solution
Overview
The solution has two parts that map directly to the two user stories.
For developers — the blueprint model. An agent is published as a reusable blueprint: code, a spec (
agent.yaml), and a declaration of what owners can configure. The spec declares the agent's requirements — which tools it needs (registered in the Tool Gateway), what state it uses, what parameters owners can set. Developers build the capability once and publish it to the Agent Catalog — the platform's internal registry of available blueprints.For owners — the onboarding model. An owner browses the Agent Catalog, picks a blueprint, and creates a deployment — the platform's equivalent of hiring and onboarding. Through the console, the owner configures the agent profile: connects tools from the Tool Gateway, picks a model from the LLM Gateway, sets triggers, provides context, and sets budget limits. The result is a governed, accountable digital worker operating within that team's world — without the owner writing a line of code.
For platform admins — org-wide policies. Platform administrators register tools (API endpoints, MCP servers) in the Tool Gateway, configure model providers in the LLM Gateway, and set org-wide policies: default budget ceilings, governance baselines, and compliance rules. These are configured through the platform console and apply across the organization.
The Agent Catalog connects the two stories:
The Agent Catalog is an internal blueprint registry — not a public marketplace. Unlike AWS's Agent Registry (which catalogs already-running services) or Google's Agent Finder (which connects to partner-hosted agents), our catalog stores blueprints that aren't running yet — like Helm's Artifact Hub stores charts or Docker Hub stores images. Teams within the organization discover blueprints and deploy them as their own agents with their own identity, tools, and governance.
Key Definitions
The agent profile is what makes this work technically. Instead of forcing agents into types (API agent, Job agent, Chat agent), the platform defines each agent as blueprint + agent profile. The blueprint is the code — what the agent can do. The agent profile is how it operates, remembers, and learns — when it wakes up, what it remembers, how it improves from its own history, what guardrails apply.
This is necessary because real agents — Devin, Claude Code, Paperclip — don't fit one type. They compose multiple behaviors within the same agent. The agent profile lets an owner activate a cron heartbeat AND a chat interface on the same deployment, with shared state, without any code changes.
Three configuration levels — each narrows the scope of what the next level can do:
agent.yamlPlatform sets the guardrails. Owner operates within them. Developer builds the capability that both configure.
Key insight: All triggers within a deployment share the same state, identity, and credentials. A trigger is a door into the same room, not a different room. This enables the Paperclip heartbeat+chat pattern natively: one agent, one deployment, two entry points, shared memory.
Design
Agent Profile Properties
Triggers — how invocations arrive
A deployment can have multiple active triggers simultaneously. The agent code receives identical input regardless of which trigger fired. Each trigger carries its own execution and concurrency settings — because the same agent may be short-lived for a chat message but long-lived for a manual deep-analysis run.
chatwebhookcronmanualapiExecution — per-trigger, not global. A binary choice that determines the execution contract:
Concurrency — per-trigger, not global. Controls the request queuing strategy when multiple invocations arrive:
exclusiveper-userconcurrentExample — same agent, different execution and concurrency per trigger:
State — what survives between runs
State is defined by scope — who can see it — not by duration (short-term vs long-term). Two independent scopes, either or both can be enabled:
An agent with neither scope is stateless — each run is independent. An agent with both scopes gets shared knowledge (deployment) AND per-user conversations (user). The Paperclip heartbeat+chat pattern needs exactly this:
State is what creates behavioral "autonomy." A cron-triggered agent with no state is a scheduled script. The same agent with deployment-scoped state is a heartbeat agent — it remembers what it found last time, tracks trends, builds knowledge.
Learning — how the agent improves over time
Learning is how the agent's knowledge grows beyond what the developer coded and the owner configured. Two mechanisms, either or both can be enabled:
Hot-path learning is agent-driven — the code decides what to remember. Offline learning is platform-driven — the platform mines patterns from execution history that no single run could see.
Context graph: Offline trace analysis produces structured knowledge, not flat key-value memories:
The context graph is scoped the same way as state — deployment-scoped (shared patterns) and user-scoped (per-user preferences). It feeds into the agent's knowledge alongside hot-path memories, but the agent code doesn't need to do anything — the platform populates it automatically.
Interface — does the platform provide a user-facing surface?
Every agent is an HTTP service with
POST /invoke— that's the transport, not the interface. This property is about what user-facing surface the platform provides on top:headlesschat-uiMultiple interfaces are additive, not exclusive. A Devin-style agent might expose
chat-ui(for the human to monitor and give feedback) andheadless(for automated webhook triggers).Tools — what the agent connects to (via Tool Gateway)
The platform's Tool Gateway is where admins register external services — API endpoints, MCP servers, OAuth apps — as named tools. Each registered tool exposes actions that the platform knows about and can govern. A connection is a Tool Gateway concept: a registered instance of a tool with its credentials and endpoint configuration (e.g.,
team-backend-githubis a connection to thegithubtool with Team Backend's credentials).The developer declares which tools the agent needs in
agent.yaml(requires.tools). The owner connects tool instances (connections) from the Tool Gateway and sets per-action governance (auto-approve, requires-approval, or disabled). The platform validates, injects credentials as env vars, and enforces action governance at runtime.Actions are not magic strings — they come from the Tool Gateway registration. The platform can validate and enforce because it knows what each action means. The owner never sees vault paths or API keys; they pick tools from a dropdown in the console.
Note: tools that are internal to the agent code (e.g.,
parse_diff(), custom utility functions) are part of the blueprint — they don't need to be declared inagent.yamlbecause the platform has nothing to provide or govern for them.Model — which LLM the agent uses (via LLM Gateway)
The platform's LLM Gateway is where admins register model providers. The owner picks a model from the gateway for each deployment. The platform routes all LLM traffic through the gateway, which handles:
The agent code doesn't need to know the provider — it reads
AMP_LLM_BASE_URLandMODEL_NAMEfrom env vars, and the gateway handles routing.Governance — budget and org policies
Governance is what the platform actively enforces at runtime — not just configuration passed through to the agent.
Entity Model
agent.yaml+ image. Declares requirements and parameter shapes. Published to the Agent Catalog.Agent Blueprint (
agent.yaml)The blueprint spec is what the developer ships alongside agent code. It declares what the agent can do and what owners need to configure — but it does not configure the agent profile itself. That's the owner's job.
The developer declares what the agent needs (
requires.tools,requires.state), what owners can configure (parameters), and suggested governance defaults for tool actions. They do not decide triggers, execution mode, concurrency, interface, learning, model, or budget — those are the owner's decisions within platform policies.Owner Deployment Config
The owner takes a blueprint and creates a deployment through the console — configuring the agent profile for their team's needs. This is the onboarding step: connecting tools, picking a model, providing context, setting boundaries.
The developer builds the what and suggests governance defaults. The owner decides the how, when, and within what limits — overriding defaults where their team needs different rules, all within guardrails set by the platform admin.
Console experience — the owner never writes YAML. The console renders the blueprint's requirements as a guided onboarding flow:
File-sourced parameters: Any parameter can have
source: file, loading the content of a file shipped with the agent. This is how behavioral instructions, prompt templates, or configuration documents reach the agent — as env vars that the developer's code explicitly reads and places in LLM context. The platform never injects file content into LLM calls directly.Why not proxy injection for instructions?
Platform-Injected Environment
The platform injects everything the agent needs as env vars — tool credentials, LLM gateway endpoint, identity, and platform APIs. The agent code never manages credentials or knows about vault paths.
LLM Gateway routes all LLM traffic, enforces the deployment's budget, and tracks token usage per run.
Agent compliance levels — how well the agent code cooperates with the gateway (this is about developer discipline, not platform configuration):
AMP_LLM_BASE_URL,AMP_LLM_API_KEY,MODEL_NAMEfrom envTool Gateway manages tool connections — credentials, access validation, and action-level governance. When an agent calls a tool action, the platform can intercept and enforce approval gates before the call proceeds.
State in Practice — Code Example
The heartbeat+chat pattern combines both state scopes in one deployment:
Same deployment. Same code. Cron writes to shared memory. Chat reads shared + writes per-user. When offline learning is enabled, the platform also builds a context graph from completed run traces — the agent queries this alongside hot-path memories without extracting patterns itself.
System Architecture
Agent Lifecycle
Data Model Changes
agentstableagent.yamlspec)speccolumn (JSONB) — requirements, parameter shapes, schemasdeploymentstabletriggers(JSONB),learning(JSONB),interface(JSONB),parameters(JSONB),budget(JSONB)agent_configurationsdeployment_toolstabletrigger_configtableagent_runstabledeployment_budgetstableagent_memorytableOut of Scope
Alternatives Considered
agent.mdconceptOpen Questions
statelessagent withlong-livedtrigger, orchattrigger withexclusiveconcurrency)? Or treat all combinations as valid?agent.yaml? CLI tool, API, or console?Milestones
agent.yamlparser + validator. Agent Catalog (publish, version, browse blueprints). Parameter injection via env vars. File-sourced parameters. Manual trigger. Run tracking. Tool Gateway integration (connect tools, inject credentials). LLM Gateway integration (model routing, basic cost tracking).Dependencies:
agent.yamlspec parsing added)Appendix A: Externally Hosted Agents
The blueprint + profile model assumes the platform can enforce the profile — inject credentials, intercept tool calls, route LLM traffic, enforce budget. For platform-hosted agents this is straightforward: the platform controls the runtime.
But what about externally hosted agents — agents running on someone else's infrastructure?
The Challenge
An externally hosted agent is someone else's container, running somewhere else. The platform controls nothing about its runtime. So how do you enforce a profile on something you don't run?
The Answer: Gateway-Centric Enforcement
The platform doesn't need to control the runtime — it needs to control the doors. The profile is enforced at the gateways, not at the agent.
The key mechanism: credentials never leave the gateways. An externally hosted agent receives a gateway-scoped token, not raw API keys. Every tool call and every LLM call must go through the platform's gateways — because that's the only place the credentials work.
An externally hosted agent and a platform-hosted agent go through the exact same gateways — same governance, same budget enforcement, same audit trail. The profile works identically in both cases.
What You Lose
Agents that bypass the gateways entirely — hardcoding their own API keys and calling tools directly (the minimal compliance level). But that's a deliberate trade-off: if you want platform governance, you go through the gateway. If you don't, the platform has no visibility, and the owner is told exactly that.
This is the same trade-off Kubernetes makes with sidecar proxies — a pod can bypass the service mesh, but then it loses observability, mTLS, and traffic policies. The platform makes the governed path easy and the ungoverned path visible.
Beta Was this translation helpful? Give feedback.
All reactions