
Enterprise Agent

A production-grade agent with full governance: approval gates, budget limits, MCP server integration, data classification, and organizational policies.

```yaml
schema_version: "1.0.0"

metadata:
  id: "customer-service-agent"
  name: "Customer Service Agent"
  version: "2.1.0"
  description: "Enterprise agent with full governance"
  labels:
    team: "customer-support"
    environment: "production"
    cost-center: "cs-001"
  annotations:
    owner: "cs-team@example.com"
    oncall: "cs-oncall"
  data_classification: "confidential"
  namespace: "org.example"

interface:
  input:
    type: object
    properties:
      request:
        type: string
    required: [request]
  output:
    type: object
    properties:
      response:
        type: string
    required: [response]

memory:
  required: true

execution_policy:
  id: agf.react
  config:
    instructions: |
      You are a customer service agent for Example Corp.
      Follow company policies when handling customer requests.
      Escalate to a human when unsure.
    model: "gemini-2.0-flash"
    provider: "google"
    max_steps: 15
    tool_choice: auto

action_space:
  local_tools:
    - alias: database_query
      description: "Query the customer database"
      approval:
        message_template: "Agent wants to run a database query: {{tool_args.query}}"
        condition:
          args_match:
            operation:
              in: ["DELETE", "UPDATE", "DROP"]

  mcp_servers:
    - alias: internal_api
      server_ref: org.example.internal-api
      description: "Internal API server"
      allowed_tools:
        - name: "get_user"
        - name: "update_user"
          approval: true

constraints:
  tighten_only_invariant: true
  budget:
    max_token_usage: 500000
    max_duration_seconds: 600
  limits:
    max_llm_calls: 100
    max_tool_calls: 200
    max_delegation_depth: 3
  governance_policies:
    - policy_ref: "org.example.data-access-policy"
      required: true
      description: "Corporate data access governance"
    - policy_ref: "org.example.pii-handling"
      required: true
```

Enterprise Features

Data Classification

```yaml
data_classification: "confidential"
```

Declares the sensitivity level of data the agent handles. Runtimes and governance systems use this for audit logging, access control, and compliance.

Namespace

```yaml
namespace: "org.example"
```

Scopes the agent within an organizational hierarchy. Useful for large deployments with multiple teams and policy domains.

Memory

```yaml
memory:
  required: true
```

Declares that this agent requires persistent memory across invocations. The runtime must provide a memory implementation.

Approval Gates

Approval gates require human confirmation before executing sensitive operations:

```yaml
local_tools:
  - alias: database_query
    description: "Query the customer database"
    approval:
      message_template: "Agent wants to run a database query: {{tool_args.query}}"
      condition:
        args_match:
          operation:
            in: ["DELETE", "UPDATE", "DROP"]
```

| Field | Description |
| --- | --- |
| message_template | Message shown to the approver (supports {{tool_args.*}} interpolation) |
| condition.args_match | Only require approval when arguments match the pattern |

In this example, SELECT queries run automatically, but DELETE, UPDATE, and DROP require human approval.

MCP Server Integration

```yaml
mcp_servers:
  - alias: internal_api
    server_ref: org.example.internal-api
    description: "Internal API server"
    allowed_tools:
      - name: "get_user"
      - name: "update_user"
        approval: true
```

MCP (Model Context Protocol) servers provide tools over a standardized protocol. The allowed_tools list acts as a whitelist — the agent can only use the tools you explicitly allow. Individual tools can require approval.

Budget and Limits

```yaml
constraints:
  budget:
    max_token_usage: 500000
    max_duration_seconds: 600
  limits:
    max_llm_calls: 100
    max_tool_calls: 200
    max_delegation_depth: 3
```

| Constraint | Description |
| --- | --- |
| max_token_usage | Total token budget across all LLM calls |
| max_duration_seconds | Wall-clock timeout |
| max_llm_calls | Maximum number of LLM API calls |
| max_tool_calls | Maximum number of tool invocations |
| max_delegation_depth | How many levels deep sub-agents can delegate |

Tighten-Only Invariant

```yaml
tighten_only_invariant: true
```

When enabled, child agents can only tighten constraints — never loosen them. A child cannot set max_token_usage: 1000000 if the parent allows only 500000. This ensures governance policies are enforced through the entire agent hierarchy.
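As an added example (not code from the AGF project or its runtime), the sketch below checks a child's constraints against a parent's before a delegation is accepted. The function name `tighten_violations`, the inheritance rule for omitted keys, and the rule that required policies cannot be dropped are assumptions made for illustration.

```python
# Added example, not AGF runtime code. Assumption: "tighter" means a numerically
# smaller-or-equal value for each budget/limit key shown on this page.
NUMERIC_KEYS = {
    "budget": ("max_token_usage", "max_duration_seconds"),
    "limits": ("max_llm_calls", "max_tool_calls", "max_delegation_depth"),
}

def tighten_violations(parent, child):
    """Return violations of the tighten-only invariant; an empty list means compliant."""
    if not parent.get("tighten_only_invariant"):
        return []  # invariant not enabled on the parent, nothing to enforce
    problems = []
    if child.get("tighten_only_invariant") is False:
        problems.append("tighten_only_invariant: child disables the invariant")
    for section, keys in NUMERIC_KEYS.items():
        for key in keys:
            p = parent.get(section, {}).get(key)
            c = child.get(section, {}).get(key)
            # Assumption: an omitted child value inherits the parent's value,
            # and a value the parent never set is unbounded.
            if p is not None and c is not None and c > p:
                problems.append(f"{section}.{key}: child {c} exceeds parent {p}")
    # Assumption: a child that lists policies must keep every required parent policy.
    if "governance_policies" in child:
        kept = {g["policy_ref"] for g in child["governance_policies"]}
        for g in parent.get("governance_policies", []):
            if g.get("required") and g["policy_ref"] not in kept:
                problems.append(f"governance_policies: required {g['policy_ref']} dropped")
    return problems

# Parent constraints copied from the page; both children are constructed samples.
PARENT = {
    "tighten_only_invariant": True,
    "budget": {"max_token_usage": 500000, "max_duration_seconds": 600},
    "limits": {"max_llm_calls": 100, "max_tool_calls": 200, "max_delegation_depth": 3},
    "governance_policies": [
        {"policy_ref": "org.example.data-access-policy", "required": True},
        {"policy_ref": "org.example.pii-handling", "required": True},
    ],
}
CHILD_OK = {"budget": {"max_token_usage": 100000}, "limits": {"max_delegation_depth": 1}}
CHILD_BAD = {
    "budget": {"max_token_usage": 1000000},  # the loosening the page says must be rejected
    "governance_policies": [{"policy_ref": "org.example.data-access-policy", "required": True}],
}

if __name__ == "__main__":
    for name, child in (("CHILD_OK", CHILD_OK), ("CHILD_BAD", CHILD_BAD)):
        print(name, tighten_violations(PARENT, child) or "compliant")
```

Running such a check at load time, and failing closed on any violation, keeps a loosened child definition from ever reaching execution.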

Governance Policies

```yaml
governance_policies:
  - policy_ref: "org.example.data-access-policy"
    required: true
    description: "Corporate data access governance"
```

References to external policy documents that the runtime must enforce. The required: true flag means the agent cannot run if the policy is not loaded.

Inspect the Definition

The agf CLI will be publicly available soon. See the CLI Reference for the command reference. You can validate this example now using the Playground.

```bash
agf inspect customer-service-agent.agf.yaml
# customer-service-agent v2.1.0
# ├── policy: agf.react (gemini-2.0-flash, max_steps=15)
# ├── tools: database_query (approval: conditional)
# ├── mcp: internal_api (get_user, update_user)
# ├── budget: 500k tokens, 600s
# └── governance: 2 policies
```