~/guide/chapters/10-ai-agentic $ cat README.md

Automationchapter 10 of 11
A workshop bench diagram. On the left, a stack of typed tool cards lists the name, input, preview mode, and risk class of the operations an agent may propose. In the middle, a rectangular pipeline runs from observe to reconcile, preview, constrain, verify, and record. A policy gate diamond sits in the middle of the pipeline, stamped human or policy. On the right, a ruled ledger page shows the invariant columns of an audit record: timestamp, operation class, target class, preview delta, decision, and verification. The ledger is marked example record synthetic. A first-person field note runs above.
Plate 05: The loop, field note. Open the interactive drawing.

Add local AI and an agentic operations harness

Local AI can keep sensitive work close to home, reduce latency, and make idle hardware useful when the model, retrieval, telemetry, and tools are configured without external egress. A bounded operations agent can also save real time on routine investigation and change work. Neither is a reason to hand an unbounded model a shell and hope.

Local inference defaults

  • Ollama: easiest default for one operator, broad hardware support, and local experimentation.
  • llama.cpp: lower-level portability, tuning, and a minimal OpenAI-compatible server across varied hardware.
  • vLLM: advanced multi-user throughput, batching, accelerator support, and API serving.
  • Open WebUI: optional interface, not the inference layer. Treat imported functions as executable code with access to the host and data.

Start with a direct runtime API. Add a provider-neutral gateway only when there are multiple backends, users, quotas, or cost controls to manage.

From scripts to an agentic harness

I did not start by giving an AI shell access. I first made the lab legible: source-of-truth inventory, structured commands, dry runs, health gates, and recovery paths. The agent came last.

The progression looked like this:

  1. Put operational standards and runbooks in version control.
  2. Keep credentials external and inject narrowly scoped identities at runtime.
  3. Wrap service APIs in one JSON-first CLI with stable success and error shapes.
  4. Resolve targets from authoritative inventory instead of remembered addresses.
  5. Cross-check inventory against live systems before declaring truth.
  6. Separate read-only discovery from mutating tools.
  7. Preview consequential work, require approval, then verify the live result.
  8. Bracket upgrades with smoke tests, recovery points, rollback gates, and convergence checks.
  9. Expose the same guarded operations through agent tools.
  10. Bound autonomous loops with an objective, iteration limit, durable state, and a human stop condition.
Plate 05, a workshop bench drawing. On the left, typed tool cards list the name, input, preview mode, and risk class of each operation. In the middle, a rectangular pipeline runs from observe to reconcile, preview, constrain, verify, and record, with a policy gate diamond in the center stamped human or policy. On the right, a ruled ledger page shows the invariant columns of an audit record.

Risk classes

Tool class Default behavior
Bounded, low-sensitivity health read Available without approval; least privilege and output limits
Sensitive or bulk read Redaction, row/time/cost limits, and approval when exposure warrants it
Reversible configuration change Exact preview, narrow target, explicit confirmation
Destructive or physical action Recovery path, exact confirmation, post-action proof
Broad autonomous loop Bounded objective, maximum iterations, durable audit state, human stop

Classify tools by data sensitivity and operational cost as well as mutability. Validate inputs and outputs. Apply least-privilege access, redaction, timeouts, row limits, and rate limits. Keep an audit trail. Assume retrieved content can contain hostile instructions. The model proposes; policy and typed tools constrain what can actually happen.

Measure value, not activity

Useful outcomes include faster fault isolation, fewer missed backups, consistent patching, current inventory, safer repetitive changes, and recovery evidence. Token usage, tool-call counts, and an agent that is “always running” are not value by themselves.

The aim is not autonomous infrastructure theater. It is a lab that exposes constrained, inspectable operations so an agent can help and prove the result.

Primary references

Next: Grow and share responsibly.

Leave with

A tool risk policy and one safe agent workflow.

Done when: The model proposes. Policy and typed tools constrain.

edit this chapter on GitHub →