Four Write Tools, Zero Confirmation, What Could Go Wrong

Agent Internals -- Part 2 So, in the first part we split one big agent into multiple specialist agents and set up model routing. It works but it's very far from anything that you would use in a prodcution system. This post covers the confirmation gate I (read me and llm) built to fix that: a pending action system that intercepts writes, asks the user, and only executes on explicit approval. The Problem The agentic loop from Part 1 calls tools automatically. Claude decides to call create_contact, the loop executes it, the contact exists in your CRM. There's no undo. This is fine for reads. It's not fine for writes, for two reasons: Claude hallucinates parameters. "Create a contact for Maria" might become create_contact({ name: "Maria", email: "[email protected]" }) -- where did that email come from? Claude inferred it. Confidently. Intent is ambiguous. "I should probably log a call with John" -- is that a request or thinking out loud? The specialist doesn't know. It has log_activity in