<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Herbert</title>
    <description>The latest articles on DEV Community by Herbert (@herbert26).</description>
    <link>https://dev.to/herbert26</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3903740%2F41eeef1e-d4df-485e-9244-385fd1ade72d.jpg</url>
      <title>DEV Community: Herbert</title>
      <link>https://dev.to/herbert26</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/herbert26"/>
    <language>en</language>
    <item>
      <title>How a Solo Founder Built a Shared Support Inbox</title>
      <dc:creator>Herbert</dc:creator>
      <pubDate>Tue, 07 Jul 2026 13:44:00 +0000</pubDate>
      <link>https://dev.to/herbert26/how-a-solo-founder-built-a-shared-support-inbox-1e79</link>
      <guid>https://dev.to/herbert26/how-a-solo-founder-built-a-shared-support-inbox-1e79</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fg0fhmic4r7hhsvsheyea.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fg0fhmic4r7hhsvsheyea.jpeg" alt=" " width="800" height="800"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Five inboxes, four people, zero support@ that anyone actually reads. The founder hadn’t slept through a weekend in eight months.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The job: answer customer mail across a 4-person founder team&lt;/p&gt;

&lt;p&gt;The fear: the deal that got lost because nobody read hello@&lt;/p&gt;

&lt;p&gt;What worked: sync every inbox into one folder; whoever is on-call reads the folder, not five mail clients&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  The setup founders never admit to in pitch decks
&lt;/h2&gt;

&lt;p&gt;They were a 4-person SaaS startup at about $30k MRR. No support hire yet. No dedicated support@ workflow. Just a handful of addresses that existed because the domain registrar made it easy to create them.&lt;/p&gt;

&lt;p&gt;The reality looked like this:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;founders@ forwarded into three different personal Gmail accounts. Two people had it muted.&lt;/li&gt;
&lt;li&gt;support@ existed. It lasted about two weeks before it became “later.”&lt;/li&gt;
&lt;li&gt;hello@ was the contact form address, plus an auto-forward into the founder’s Gmail.&lt;/li&gt;
&lt;li&gt;billing@ was, in practice, the email tied to Stripe. It was personal.&lt;/li&gt;
&lt;li&gt;And customers had started DM’ing the founder on LinkedIn when email felt slow.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Two pains showed up fast:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Leads were scattered.&lt;/strong&gt; They’d definitely lost some. They just didn’t know which ones.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Nobody owned the company inbox.&lt;/strong&gt; It was everyone’s, which meant it was nobody’s.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;If you’ve lived through founder-led customer support, this should feel uncomfortably familiar.&lt;/p&gt;

&lt;h2&gt;
  
  
  The three things we ruled out, and the exact reason
&lt;/h2&gt;

&lt;p&gt;Each option looked reasonable until it met the founder reality. Nobody was going to live in a new UI.&lt;/p&gt;

&lt;h3&gt;
  
  
  1) Just buy a help desk (Help Scout / Front / Zendesk)
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;The move:&lt;/strong&gt; forward everything into a shared inbox tool and call it “support.”&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How it fails:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Cost wasn’t the real problem. Adoption was. A founder won’t keep a second app open 24/7 just to be “in the queue.”&lt;/li&gt;
&lt;li&gt;The team still replied from Gmail most of the time, so the real conversation stayed in personal inboxes.&lt;/li&gt;
&lt;li&gt;Historical threads didn’t magically reappear inside the new tool. The mess just gained another surface.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Verdict:&lt;/strong&gt; A great product once a team already has a support culture. Founders don’t.&lt;/p&gt;

&lt;h3&gt;
  
  
  2) Set up Gmail filters plus a shared label
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;The move:&lt;/strong&gt; forward everything into one Gmail account and share the password.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How it fails:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;It’s a security and operations trap. Google explicitly recommends avoiding shared accounts, in part because one failed security challenge can lock everyone out (see &lt;a href="https://knowledge.workspace.google.com/admin/users/avoid-sharing-an-account-among-users" rel="noopener noreferrer"&gt;Google Workspace Admin Help: Avoid sharing an account among users&lt;/a&gt;).&lt;/li&gt;
&lt;li&gt;Offboarding becomes panic: who still knows the password?&lt;/li&gt;
&lt;li&gt;Two people reply to the same customer and you only notice after the customer replies with “uh… which answer is correct?”&lt;/li&gt;
&lt;li&gt;There’s no clean audit of who did what.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Verdict:&lt;/strong&gt; Free, until you pay for it with a lockout or a double-reply. It’s a Gmail shared inbox alternative in the worst possible sense.&lt;/p&gt;

&lt;h3&gt;
  
  
  3) Drop a Slack channel that ingests email
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;The move:&lt;/strong&gt; push inbound mail into #support via Zapier or a built-in integration.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How it fails:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Slack is a great notification layer. It’s a poor system of record. On the free plan, history is capped and older data is purged (see &lt;a href="https://slack.com/help/articles/27204752526611-Feature-limitations-on-the-free-version-of-Slack" rel="noopener noreferrer"&gt;Slack Help Center: Feature limitations on the free version of Slack&lt;/a&gt;).&lt;/li&gt;
&lt;li&gt;Threads and long conversations become awkward. Attachments become “where did that PDF go?”&lt;/li&gt;
&lt;li&gt;Replies still happen in email, which means state is still split.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Verdict:&lt;/strong&gt; A faster bell, not a source of truth.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key Takeaway&lt;/strong&gt;: All three options keep the source of truth inside a mail client or a chat app. They rearrange the mess. They don’t normalize it.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  What actually worked: a shared inbox for startup support as a folder
&lt;/h2&gt;

&lt;blockquote&gt;
&lt;p&gt;Your inbox becomes a folder. On-call reads files, not five mail clients.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;The pattern is three layers. Only one layer touches email credentials.&lt;/p&gt;

&lt;h3&gt;
  
  
  Layer 1: at each inbox, a thin export job
&lt;/h3&gt;

&lt;p&gt;Each inbox got a small export job that runs on a schedule:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Pull new messages&lt;/li&gt;
&lt;li&gt;Write each message as a Markdown file (with structured frontmatter)&lt;/li&gt;
&lt;li&gt;Maintain a rolling &lt;code&gt;messages.csv&lt;/code&gt; for sorting and lightweight stats&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The point of this layer is narrow. It’s the only place that ever touches mail credentials.&lt;/p&gt;

&lt;h3&gt;
  
  
  Layer 2: in the workspace, normalize to one tree
&lt;/h3&gt;

&lt;p&gt;Everything lands in one directory shape:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;One path everyone knows&lt;/li&gt;
&lt;li&gt;One format humans and agents can read&lt;/li&gt;
&lt;li&gt;One “table of contents” file for the day&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A sane default is:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;/support/inbox/&amp;lt;YYYY-MM-DD&amp;gt;/&lt;/code&gt; for raw inbound&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;messages.csv&lt;/code&gt; as a sortable index&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;threads/&lt;/code&gt; to keep long conversations readable&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;index.md&lt;/code&gt; as the on-call’s briefing&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Because it’s a folder, you get version history and diffs. Not because you set up a help desk, but because you stopped treating support as a set of private clients.&lt;/p&gt;

&lt;p&gt;The reasoning for “folder, not another SaaS surface” is the same one behind &lt;a href="https://dev.to/en/blog/why-agents-need-a-workspace-not-another-filesystem-trick"&gt;Why agents need a workspace, not another filesystem trick&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  Layer 3: the on-call reads the folder, not the inbox
&lt;/h3&gt;

&lt;p&gt;The operational change was simple: the on-call stops “checking email.” They check the folder.&lt;/p&gt;

&lt;p&gt;Access is scoped:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Read: &lt;code&gt;/support/inbox/&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;Write: &lt;code&gt;/support/replies/&lt;/code&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Rotation is just swapping that access. Offboarding is clean. Nobody shares a mailbox password.&lt;/p&gt;

&lt;p&gt;If you want a name for this, it’s a support inbox handoff process where ownership follows scope, not a person’s inbox.&lt;/p&gt;

&lt;p&gt;(That access model is what an “Access Point” is for: a least-privilege entry point with an explicit scope. See &lt;a href="https://dev.to/en/agent-auth"&gt;Agent auth&lt;/a&gt;.)&lt;/p&gt;

&lt;h2&gt;
  
  
  What it looks like inside the workspace
&lt;/h2&gt;

&lt;h3&gt;
  
  
  1) The folder tree
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;/support/
├── inbox/
│   ├── 2026-06-23/
│   │   ├── 0001-acme-corp-onboarding-question.md
│   │   ├── 0002-billing-pro-plan-upgrade.md
│   │   ├── 0003-lead-from-pricing-page.md
│   │   └── ...
│   ├── 2026-06-22/
│   └── messages.csv
├── threads/
│   └── thread-abc123.md
├── leads.csv
├── replies/
│   └── 0002-reply.md
├── index.md
└── CHANGELOG.md
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h3&gt;
  
  
  2) A single mail file
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;---
from: jane@acme-corp.com
to: support@yourco.com
date: 2026-06-23T08:14:00Z
thread_id: thread-abc123
source_inbox: founders-gmail
status: unread
labels: [onboarding, enterprise-lead]
---
Hi team,
We’re evaluating your product for our 40-person ops team. A couple of
quick questions before we book a demo: ...
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;That frontmatter is the bridge. It keeps the email readable for humans, and structured enough for agents to sort, tag, and draft replies.&lt;/p&gt;

&lt;h3&gt;
  
  
  3) The on-call’s index.md
&lt;/h3&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# Support index, 2026-06-23

- New messages: 17
- Unreplied threads: 6
- SLA breaches (24h): 1

## On-call
- Primary: Alex
- Handoff: 17:00

## Triage list
1) thread-abc123, enterprise lead, asked for demo times
2) thread-def456, billing issue, card declined
3) thread-ghi789, onboarding question, blocked
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;It’s a morning briefing, not a mail client.&lt;/p&gt;

&lt;h3&gt;
  
  
  4) Where audit and handoff live
&lt;/h3&gt;

&lt;p&gt;Once support becomes files, “who changed what” becomes cheap.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Replies are drafts with diffs.&lt;/li&gt;
&lt;li&gt;Handoffs are a file update, not a Slack message.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;That’s the same audit-and-rollback logic described in &lt;a href="https://dev.to/en/blog/from-isolated-team-agents-to-unified-enterprise-agent-harness"&gt;From isolated team agents to unified enterprise agent harness&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why this answers both pains at once
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Original pain&lt;/th&gt;
&lt;th&gt;Layer that resolves it&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;“Leads are scattered”&lt;/td&gt;
&lt;td&gt;Layer 2: everything lands in one tree; leads.csv becomes a single source&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;“Nobody owns the company inbox”&lt;/td&gt;
&lt;td&gt;Layer 3: on-call ownership follows scoped access, not a shared password&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;“We’ve definitely lost some”&lt;/td&gt;
&lt;td&gt;Layer 1 plus folder history: yesterday’s email is still there, searchable&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;“Threading breaks across forwards”&lt;/td&gt;
&lt;td&gt;Layer 2: threads are aggregated by thread_id, not by whoever forwarded what&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  Side-by-side: help desk vs shared inbox vs Slack vs folder
&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;&lt;/th&gt;
&lt;th&gt;Help desk SaaS&lt;/th&gt;
&lt;th&gt;Shared Gmail&lt;/th&gt;
&lt;th&gt;Slack-from-mail&lt;/th&gt;
&lt;th&gt;Folder pattern&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Founder lives in this UI&lt;/td&gt;
&lt;td&gt;no&lt;/td&gt;
&lt;td&gt;partial&lt;/td&gt;
&lt;td&gt;partial&lt;/td&gt;
&lt;td&gt;no, they read files&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Multi-actor handoff&lt;/td&gt;
&lt;td&gt;yes (paid plan)&lt;/td&gt;
&lt;td&gt;hacky&lt;/td&gt;
&lt;td&gt;weak&lt;/td&gt;
&lt;td&gt;clean (scope swap)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Audit trail&lt;/td&gt;
&lt;td&gt;yes&lt;/td&gt;
&lt;td&gt;no&lt;/td&gt;
&lt;td&gt;partial&lt;/td&gt;
&lt;td&gt;yes (history + diffs)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Lead historicals captured&lt;/td&gt;
&lt;td&gt;depends&lt;/td&gt;
&lt;td&gt;depends&lt;/td&gt;
&lt;td&gt;no&lt;/td&gt;
&lt;td&gt;yes (backfill possible)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;AI triage and drafting&lt;/td&gt;
&lt;td&gt;locked-in vendor&lt;/td&gt;
&lt;td&gt;none&lt;/td&gt;
&lt;td&gt;weak&lt;/td&gt;
&lt;td&gt;folder over MCP&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Cost to add a 5th teammate&lt;/td&gt;
&lt;td&gt;+seat&lt;/td&gt;
&lt;td&gt;share password&lt;/td&gt;
&lt;td&gt;+Slack seat&lt;/td&gt;
&lt;td&gt;+access scope&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Cost to rotate someone out&lt;/td&gt;
&lt;td&gt;revoke seat&lt;/td&gt;
&lt;td&gt;change password&lt;/td&gt;
&lt;td&gt;revoke channel&lt;/td&gt;
&lt;td&gt;revoke scope&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Setup time&lt;/td&gt;
&lt;td&gt;days + adoption&lt;/td&gt;
&lt;td&gt;minutes + chaos&lt;/td&gt;
&lt;td&gt;minutes&lt;/td&gt;
&lt;td&gt;a weekend&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  When this pattern does NOT fit
&lt;/h2&gt;

&lt;p&gt;This isn’t a religion. It’s a bridge.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;High-volume support (500+ inbound/day) wants a real help desk.&lt;/li&gt;
&lt;li&gt;If customers expect complex SLAs, assignment logic, multilingual routing, and CSAT workflows, a folder won’t replace those features.&lt;/li&gt;
&lt;li&gt;Strongly regulated industries may need stricter chain-of-custody guarantees than “version history.” You can layer controls on top, but the folder alone isn’t enough.&lt;/li&gt;
&lt;li&gt;If the team already runs happily inside Help Scout or Front, don’t churn your process just to be clever.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The point isn’t “folder beats help desk.” It’s “before you can afford a help desk culture, you still need to not lose leads.”&lt;/p&gt;

&lt;h2&gt;
  
  
  The template: tpl-support-mail
&lt;/h2&gt;

&lt;p&gt;This template is the portable part:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;ingest.sh&lt;/code&gt;: per-inbox export job (Gmail to Markdown and CSV, then write into the workspace)&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;/support/&lt;/code&gt; directory skeleton&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;index.md&lt;/code&gt; template (counts, on-call, top threads)&lt;/li&gt;
&lt;li&gt;Reply pipeline (draft replies as files, keep a clean audit trail)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The full template is shipping as a drop-in Context Base entry. Start there: &lt;a href="https://dev.to/en/context-base"&gt;Context Base&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  The pattern behind both stories
&lt;/h2&gt;

&lt;p&gt;Two posts. Two sources.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;A logistics shipment DB&lt;/li&gt;
&lt;li&gt;Four personal email accounts&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Same three layers:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;A thin extractor that’s the only thing holding the source credential&lt;/li&gt;
&lt;li&gt;A normalized folder in the workspace, with an &lt;code&gt;index.md&lt;/code&gt; as the table of contents&lt;/li&gt;
&lt;li&gt;A scoped Access Point for whoever reads the folder (human, agent, or both)&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;That’s what “Templates” means here: not “a connector,” not “an integration.” A directory shape plus an extractor plus an index.&lt;/p&gt;

&lt;p&gt;If you missed the first entry, it’s here: &lt;a href="https://dev.to/en/blog/how-a-logistics-team-plugged-ai-into-their-warehouse-db"&gt;How a logistics team plugged AI into their warehouse DB&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  FAQ
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Doesn’t this just recreate a help desk, badly?
&lt;/h3&gt;

&lt;p&gt;No. A help desk is an app with a workflow. This is a folder that becomes the source of truth. You can layer a help desk later if you outgrow the bridge.&lt;/p&gt;

&lt;h3&gt;
  
  
  What about replies? Doesn’t the on-call still need a mail client?
&lt;/h3&gt;

&lt;p&gt;Sometimes, yes. The difference is the drafting and the state live in files. The mail client becomes a transport, not the system.&lt;/p&gt;

&lt;h3&gt;
  
  
  Can an AI auto-reply?
&lt;/h3&gt;

&lt;p&gt;It can draft the same way a human does: by reading the folder and writing into &lt;code&gt;/support/replies/&lt;/code&gt;. Mount the folder over MCP and keep the same audit trail. See &lt;a href="https://dev.to/en/mcp"&gt;MCP&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  Threading is hard. Will this break?
&lt;/h3&gt;

&lt;p&gt;It can be imperfect, but it’s recoverable. A carried &lt;code&gt;thread_id&lt;/code&gt; in frontmatter gives you something you can group and grep.&lt;/p&gt;

&lt;h3&gt;
  
  
  What about attachments?
&lt;/h3&gt;

&lt;p&gt;Store them alongside the &lt;code&gt;.md&lt;/code&gt; file and reference them from frontmatter. Version history then applies to the case, not just the message.&lt;/p&gt;

&lt;h3&gt;
  
  
  Is this GDPR-safe if we’re in the EU?
&lt;/h3&gt;

&lt;p&gt;The pattern can be compatible. Deployment and retention are the real levers. If residency matters, self-hosting and policy controls matter more than the folder shape.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>How a Logistics Team Plugged AI Into Their Warehouse DB</title>
      <dc:creator>Herbert</dc:creator>
      <pubDate>Sun, 05 Jul 2026 05:42:28 +0000</pubDate>
      <link>https://dev.to/herbert26/how-a-logistics-team-plugged-ai-into-their-warehouse-db-4d09</link>
      <guid>https://dev.to/herbert26/how-a-logistics-team-plugged-ai-into-their-warehouse-db-4d09</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fu7wncvcpipc4zgjoh55d.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fu7wncvcpipc4zgjoh55d.jpeg" alt=" " width="800" height="800"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h1&gt;
  
  
  How to plug AI into a database safely (without touching the DB)
&lt;/h1&gt;




&lt;p&gt;Their shipment data had lived in Postgres for ten years. The board wanted AI on it by Q3. Their first instinct was also the thing keeping the data lead awake at night: give the model the connection string.&lt;/p&gt;

&lt;h2&gt;
  
  
  The 3 a.m. question every logistics digital lead asks in 2026
&lt;/h2&gt;

&lt;p&gt;We met them as a 50-truck freight forwarder with a very ordinary warehouse stack—an &lt;strong&gt;ai for logistics database&lt;/strong&gt; story if there ever was one.&lt;/p&gt;

&lt;p&gt;One Postgres instance. Ten years of habits. Four tables everyone knew by name: &lt;code&gt;shipments&lt;/code&gt;, &lt;code&gt;customers&lt;/code&gt;, &lt;code&gt;fleet&lt;/code&gt;, &lt;code&gt;billing&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;The business request sounded simple:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Customer service wanted faster “where is my shipment?” answers.&lt;/li&gt;
&lt;li&gt;Dispatch wanted post-mortems that didn’t take a day.&lt;/li&gt;
&lt;li&gt;Ops wanted SLA warnings before a missed ETA became a phone call.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The data lead had two problems, and neither was theoretical.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;“I don’t know how to connect AI to a database.”&lt;/li&gt;
&lt;li&gt;“I’m not handing an LLM a connection string.”&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;So we did what teams do when the stakes are high. We listed the obvious options, then ruled them out one by one.&lt;/p&gt;

&lt;h2&gt;
  
  
  The three things we ruled out — and the exact reason
&lt;/h2&gt;

&lt;h3&gt;
  
  
  1) Just give the agent a DB CLI
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;What it looks like:&lt;/strong&gt; create a read-only database user, point an agent at &lt;code&gt;psql&lt;/code&gt;, and let it write SQL.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How it fails:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;“Read-only” is a role concept. The model doesn’t feel the risk. It will happily generate a query that’s logically wrong even if it can’t write.&lt;/li&gt;
&lt;li&gt;Restricting to &lt;code&gt;SELECT&lt;/code&gt; doesn’t prevent an outage. A Cartesian join or a bad filter can still torch performance.&lt;/li&gt;
&lt;li&gt;Prompt injection is real. Security researchers have documented “prompt-to-SQL injection attacks in LLM-integrated applications” in the wild (&lt;a href="https://dl.acm.org/doi/10.1109/ICSE55347.2025.00007" rel="noopener noreferrer"&gt;ICSE/ACM, 2025&lt;/a&gt;). A malicious instruction that slips into the agent’s context can steer it toward unsafe output.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Verdict:&lt;/strong&gt; reads safely until it doesn’t.&lt;/p&gt;

&lt;h3&gt;
  
  
  2) Build a custom API in front of the DB
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;What it looks like:&lt;/strong&gt; create endpoints per table or query (&lt;code&gt;/shipments/{id}&lt;/code&gt;, &lt;code&gt;/customers/search&lt;/code&gt;), write an OpenAPI spec, and let the model call the API instead of SQL.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How it fails:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The spec becomes a product. Somebody owns it. Somebody maintains it.&lt;/li&gt;
&lt;li&gt;Schema changes now touch three places: tables, endpoints, and the descriptions the agent depends on.&lt;/li&gt;
&lt;li&gt;Every new agent (support agent, dispatch agent, compliance agent) pushes you toward another round of endpoints.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Verdict:&lt;/strong&gt; you don’t have a logistics product anymore. You have an API team.&lt;/p&gt;

&lt;h3&gt;
  
  
  3) Bolt on yet another DB → MCP server
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;What it looks like:&lt;/strong&gt; deploy middleware that exposes the database through an MCP server. The agent talks MCP; the server talks to Postgres.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How it fails:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;It’s another layer to buy or build: SSO, monitoring, audit, patching.&lt;/li&gt;
&lt;li&gt;The MCP server still holds production credentials. If that layer is compromised, the database is still exposed.&lt;/li&gt;
&lt;li&gt;It doesn’t solve schema drift. It just changes where the drift shows up.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Verdict:&lt;/strong&gt; another vendor in the path. The risk is still on the database.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key takeaway&lt;/strong&gt;: All three “obvious” solutions change the middle layer. None of them change the blast radius. They still let the AI touch the database.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  How to plug AI into database safely: a DB sandbox + a CSV folder
&lt;/h2&gt;

&lt;blockquote&gt;
&lt;p&gt;A DB sandbox on your warehouse DB — sync views to CSV in a folder, AI stays in the sandbox.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;“Sandbox” is overloaded, and that matters here.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;One meaning is infrastructure: where code runs (Docker vs Cloudflare and so on). If you want that layer, see &lt;a href="https://www.puppyone.ai/en/blog/puppyone-sandbox-docker-vs-cloudflare" rel="noopener noreferrer"&gt;puppyone sandbox: Docker vs Cloudflare&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;The other meaning is &lt;strong&gt;data blast radius&lt;/strong&gt;. That’s the sandbox this post is about.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The pattern that shipped had three layers. It’s the same idea behind the &lt;strong&gt;warehouse database ai integration&lt;/strong&gt; phrase people keep searching for, just implemented with a smaller blast radius.&lt;/p&gt;

&lt;p&gt;Some teams call this a &lt;strong&gt;db sandbox for ai&lt;/strong&gt;. The label matters less than the boundary.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fj6mrknxgfvof4kwfyk5j.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fj6mrknxgfvof4kwfyk5j.jpeg" alt="Three-layer pattern: views → CSV folder → agent reads files (no DB credentials)" width="800" height="533"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Layer 1 — In the database: read-only views
&lt;/h3&gt;

&lt;p&gt;They didn’t expose tables. They exposed &lt;em&gt;views&lt;/em&gt;—specifically &lt;strong&gt;read-only views for ai agents&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;In Postgres, that meant an &lt;code&gt;analytics&lt;/code&gt; schema with a small set of curated surfaces. One example:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;CREATE VIEW analytics.shipments_recent AS
  SELECT id, status, origin, destination, eta, updated_at
  FROM shipments
  WHERE updated_at &amp;gt;= now() - interval '90 days';
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Two design rules made these views act like a contract:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;If a column was PII, it didn’t enter the view.&lt;/li&gt;
&lt;li&gt;If a column was “prod-only” (useful to humans, dangerous to leak), it didn’t enter the view either.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This isn’t a novel idea; it’s a boring one, and boring is good. Many database security guides recommend least privilege, and views are a common way to restrict surface area and abstract underlying tables. Some systems even support explicit column restrictions at the view/table level (see Teradata’s docs on &lt;a href="https://docs.teradata.com/r/Enterprise_IntelliFlex_VMware/Security-Administration/Creating-Users-and-Granting-Privileges/Other-Options-for-Restricting-Database-Access/Restricting-User-Access-by-Column-in-a-Table-or-View" rel="noopener noreferrer"&gt;restricting access by column in a table or view&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;One more boundary mattered: the customer’s DBA owned this layer. The workspace never touched the DB.&lt;/p&gt;

&lt;h3&gt;
  
  
  Layer 2 — Nightly ingest: views → CSV → workspace folder
&lt;/h3&gt;

&lt;p&gt;A small ingest script was the &lt;em&gt;only&lt;/em&gt; thing allowed to talk to Postgres. That’s the whole point of &lt;strong&gt;ai without database credentials&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;It ran on their side (on-prem cron or CI). It used the read-only user to export each view, then pushed the output into a folder—a &lt;strong&gt;csv folder ai agent&lt;/strong&gt; contract, not an API surface.&lt;/p&gt;

&lt;p&gt;Illustrative skeleton:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;set -euo pipefail

OUT=out
mkdir -p "$OUT"

for view in shipments_recent shipments_late fleet_status customer_billing; do
  psql -U ai_readonly -c "\\copy analytics.$view TO '$OUT/$view.csv' CSV HEADER"
  # write into the workspace folder (illustrative)
  puppyone fs write /warehouse/views/$view.csv --from $OUT/$view.csv
done

puppyone fs write /warehouse/index.md --from $OUT/index.md
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Two guardrails are doing most of the work:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The script is a single, auditable integration point. If they ever want to stop the flow, they stop the cron.&lt;/li&gt;
&lt;li&gt;The write permission is scoped. The ingest can write to &lt;code&gt;/warehouse/views/&lt;/code&gt;. It can’t spray files elsewhere.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you’ve lived through “RAG sprawl,” this will feel familiar. The point is to make the contract &lt;em&gt;boring&lt;/em&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  Layer 3 — The agent: reads a folder, not a database
&lt;/h3&gt;

&lt;p&gt;The agent never sees a host, a port, a password, or even the fact that Postgres exists.&lt;/p&gt;

&lt;p&gt;It only sees:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;a folder of CSV snapshots (your &lt;strong&gt;shipment data ai&lt;/strong&gt; context snapshot)&lt;/li&gt;
&lt;li&gt;an &lt;code&gt;index.md&lt;/code&gt; that explains what’s in the folder&lt;/li&gt;
&lt;li&gt;a scoped Access Point that allows read operations and nothing else&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;When the agent needs to access the workspace, it does so through an explicit interface (MCP is one of them; see &lt;a href="https://www.puppyone.ai/en/mcp" rel="noopener noreferrer"&gt;MCP&lt;/a&gt;).&lt;/p&gt;

&lt;h2&gt;
  
  
  What it looks like inside the workspace
&lt;/h2&gt;

&lt;h3&gt;
  
  
  The folder
&lt;/h3&gt;

&lt;p&gt;Inside their workspace, the contract looked like this:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;/warehouse/
├── views/
│   ├── shipments_recent.csv      # last 90 days, 12 cols, ~40k rows
│   ├── shipments_late.csv        # SLA breach &amp;gt; 0, refreshed nightly
│   ├── fleet_status.csv          # truck_id → last_seen, fuel, status
│   └── customer_billing.csv      # invoice header, NO line items
├── index.md                      # what each CSV is, schema, freshness
└── CHANGELOG.md                  # version history auto-fills
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The reason this is a &lt;em&gt;folder&lt;/em&gt; and not “another database” is that agents need something humans can inspect, diff, and roll back.&lt;/p&gt;

&lt;p&gt;A folder plus Markdown gives you an agent-readable map. That’s the argument in &lt;a href="https://www.puppyone.ai/en/blog/why-agents-need-a-workspace-not-another-filesystem-trick" rel="noopener noreferrer"&gt;Why agents need a workspace (not another filesystem trick)&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  The index.md (the map)
&lt;/h3&gt;

&lt;p&gt;The &lt;code&gt;index.md&lt;/code&gt; did what database introspection never does for an LLM: it explained intent.&lt;/p&gt;

&lt;p&gt;A minimal example:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;# Warehouse views

## shipments_recent.csv
Purpose: Customer-service lookups and weekly SLA review.
Freshness: nightly at 02:00 local time.
Schema:
- id (uuid)
- status (text)
- origin (text)
- destination (text)
- eta (timestamp)
- updated_at (timestamp)
Caveats:
- excludes cancelled shipments
- origin/destination are normalized codes, not raw addresses
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Agents don’t need more tables. They need &lt;strong&gt;a map&lt;/strong&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  The Access Point
&lt;/h3&gt;

&lt;p&gt;The agent got an Access Point scoped to &lt;code&gt;/warehouse/views/&lt;/code&gt; with read-only mode.&lt;/p&gt;

&lt;p&gt;If you want the mechanics of that boundary—what tools can be allowed, what “scope” really means—start at &lt;a href="https://www.puppyone.ai/en/agent-auth" rel="noopener noreferrer"&gt;Agent auth&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The important part is what the agent did &lt;em&gt;not&lt;/em&gt; get:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;no Postgres URI&lt;/li&gt;
&lt;li&gt;no SSH key&lt;/li&gt;
&lt;li&gt;no VPN creds&lt;/li&gt;
&lt;li&gt;no “just this once” admin token&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Why this answers both pains — at once
&lt;/h2&gt;

&lt;p&gt;They didn’t “connect AI to the DB.” They moved the problem.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The integration problem became: “export views to files.”&lt;/li&gt;
&lt;li&gt;The safety problem became: “the agent can’t touch the database.”&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Original pain&lt;/th&gt;
&lt;th&gt;Layer that resolves it&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;“We don’t know how to connect AI to a DB”&lt;/td&gt;
&lt;td&gt;Layer 2 — there’s no connection. The agent reads files.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;“I’m terrified the agent will drop a table”&lt;/td&gt;
&lt;td&gt;Layer 1 + Layer 3 — the agent has no DB credential at all.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;“We don’t want a fragile API team”&lt;/td&gt;
&lt;td&gt;The CSV folder is the contract. Schema change = re-run ingest.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;“We can’t trust audit on this”&lt;/td&gt;
&lt;td&gt;Workspace access can be logged; context changes can be versioned and rolled back.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;That last row is where this starts to feel like a real production pattern.&lt;/p&gt;

&lt;p&gt;If you’re running multiple agents, audit and rollback aren’t “nice-to-haves.” They’re how you sleep.&lt;/p&gt;

&lt;p&gt;The longer read is &lt;a href="https://www.puppyone.ai/en/blog/from-isolated-team-agents-to-unified-enterprise-agent-harness" rel="noopener noreferrer"&gt;From isolated team agents to a unified enterprise agent harness&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Side-by-side: the four options
&lt;/h2&gt;

&lt;p&gt;This is the table the data lead saved. It’s the fastest way to explain the &lt;strong&gt;logistics ai use case&lt;/strong&gt; to security and operations in one page.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;&lt;/th&gt;
&lt;th&gt;Direct DB CLI&lt;/th&gt;
&lt;th&gt;Custom API&lt;/th&gt;
&lt;th&gt;DB → MCP&lt;/th&gt;
&lt;th&gt;DB sandbox + CSV folder&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Agent holds DB credential&lt;/td&gt;
&lt;td&gt;yes&lt;/td&gt;
&lt;td&gt;no&lt;/td&gt;
&lt;td&gt;no (MCP does)&lt;/td&gt;
&lt;td&gt;no&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Risk of destructive SQL&lt;/td&gt;
&lt;td&gt;high&lt;/td&gt;
&lt;td&gt;low&lt;/td&gt;
&lt;td&gt;low&lt;/td&gt;
&lt;td&gt;none&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Effort to add a new agent&lt;/td&gt;
&lt;td&gt;re-grant DB role&lt;/td&gt;
&lt;td&gt;new endpoints&lt;/td&gt;
&lt;td&gt;new MCP scope&lt;/td&gt;
&lt;td&gt;re-use folder, new Access Point&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Schema drift handling&lt;/td&gt;
&lt;td&gt;breaks queries&lt;/td&gt;
&lt;td&gt;breaks contract&lt;/td&gt;
&lt;td&gt;breaks tools&lt;/td&gt;
&lt;td&gt;re-run ingest&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Audit trail&lt;/td&gt;
&lt;td&gt;DB logs only&lt;/td&gt;
&lt;td&gt;API logs&lt;/td&gt;
&lt;td&gt;MCP logs&lt;/td&gt;
&lt;td&gt;workspace version + audit&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Rollback bad context&lt;/td&gt;
&lt;td&gt;DB restore&lt;/td&gt;
&lt;td&gt;n/a&lt;/td&gt;
&lt;td&gt;n/a&lt;/td&gt;
&lt;td&gt;workspace rollback&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Real-time freshness&lt;/td&gt;
&lt;td&gt;yes&lt;/td&gt;
&lt;td&gt;yes&lt;/td&gt;
&lt;td&gt;yes&lt;/td&gt;
&lt;td&gt;nightly / hourly (trade-off)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Setup time&lt;/td&gt;
&lt;td&gt;1 day, scary&lt;/td&gt;
&lt;td&gt;4–8 weeks&lt;/td&gt;
&lt;td&gt;1–2 weeks&lt;/td&gt;
&lt;td&gt;a weekend&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;
  
  
  When this pattern does NOT fit
&lt;/h2&gt;

&lt;p&gt;This isn’t “always do this.” It’s “ship safely when you’re scared.”&lt;/p&gt;

&lt;p&gt;It’s the wrong pattern when:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;You need sub-minute freshness. That’s a streaming / materialized view problem.&lt;/li&gt;
&lt;li&gt;Your data is TB-scale. CSV stops being kind. Move to Parquet or a warehouse-native approach.&lt;/li&gt;
&lt;li&gt;The agent must write back into the database. Write-back should be a different door with explicit approvals.&lt;/li&gt;
&lt;li&gt;You only have one or two stable queries. A dashboard might be the right tool.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The point of this post isn’t that a CSV folder beats a database. It’s that when you’re scared of plugging AI into your DB, you can change the blast radius and ship anyway.&lt;/p&gt;

&lt;h2&gt;
  
  
  The template: tpl-logistics-db template
&lt;/h2&gt;

&lt;p&gt;They packaged the pattern as a small template they could copy between environments:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;views.sql&lt;/code&gt; — a recommended Postgres view skeleton&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;ingest.sh&lt;/code&gt; — a nightly script (views → CSV → folder)&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;/warehouse/&lt;/code&gt; directory skeleton&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;index.md&lt;/code&gt; template with placeholders for freshness, schema, and caveats&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If your team already thinks in terms of governed context, this slots naturally into a Context Base.&lt;/p&gt;

&lt;p&gt;See the Context Base page for how teams organize these snapshots so agents can use them without turning your data stack into a science project.&lt;/p&gt;

&lt;h2&gt;
  
  
  FAQ
&lt;/h2&gt;

&lt;h3&gt;
  
  
  1) Why CSV and not Parquet or JSON?
&lt;/h3&gt;

&lt;p&gt;CSV is the lowest common denominator: humans can open it, and models read it fluently. Parquet is a better choice once size becomes the bottleneck—Dremio’s piece on &lt;a href="https://www.dremio.com/blog/evolving-the-data-lake-from-csv-json-to-parquet-to-apache-iceberg/" rel="noopener noreferrer"&gt;evolving from CSV/JSON to Parquet&lt;/a&gt; explains the trade.&lt;/p&gt;

&lt;p&gt;If you want a practical performance view, DuckDB’s benchmark-y essay on &lt;a href="https://duckdb.org/2024/12/05/csv-files-dethroning-parquet-or-not.html" rel="noopener noreferrer"&gt;CSV vs Parquet (2024)&lt;/a&gt; is a good sanity check.&lt;/p&gt;

&lt;h3&gt;
  
  
  2) Why not just give the agent a vector DB?
&lt;/h3&gt;

&lt;p&gt;That’s a different problem. Vector retrieval is great for fuzzy semantic matching. Shipment lookups and SLA slices are structured questions.&lt;/p&gt;

&lt;p&gt;The longer answer is in &lt;a href="https://www.puppyone.ai/en/blog/vector-database-vs-context-base" rel="noopener noreferrer"&gt;Vector database vs Context Base&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  3) How does the AI know which CSV to read?
&lt;/h3&gt;

&lt;p&gt;&lt;code&gt;index.md&lt;/code&gt;. It’s the table-of-contents the workspace serves. The agent reads it first, then chooses the right snapshot.&lt;/p&gt;

&lt;h3&gt;
  
  
  4) Doesn’t a nightly sync mean stale data?
&lt;/h3&gt;

&lt;p&gt;Yes. That’s the trade-off you’re paying for safety.&lt;/p&gt;

&lt;p&gt;Run it hourly. Run it every 15 minutes. Trigger it on events if you need tighter freshness. Just keep the boundary: the agent still reads files.&lt;/p&gt;

&lt;h3&gt;
  
  
  5) What about multi-agent setups (dispatcher + customer-service + analytics)?
&lt;/h3&gt;

&lt;p&gt;Give each agent its own Access Point, scoped to the smallest folder it needs.&lt;/p&gt;

&lt;p&gt;If you’re evaluating multi-agent setups more broadly, start at &lt;a href="https://www.puppyone.ai/en/blog/hermes-agent-vs-agent-harness-enterprise-needs" rel="noopener noreferrer"&gt;Hermes agent vs agent harness: enterprise needs&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  6) Can the agent write back to the DB?
&lt;/h3&gt;

&lt;p&gt;Not with this pattern. That’s intentional.&lt;/p&gt;

&lt;p&gt;Write-back is a different door: explicit permissions, approvals, and a narrower interface. This post is about getting AI on the data without gambling the database.&lt;/p&gt;

&lt;h2&gt;
  
  
  Next steps
&lt;/h2&gt;

&lt;p&gt;If you’re trying to make this pattern repeatable across teams—same folder contract, different data sources—start by formalizing your context layer.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Explore how a Context Base organizes governed snapshots: &lt;a href="https://www.puppyone.ai/en/context-base" rel="noopener noreferrer"&gt;Context Base&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;If you need self-hosted or VPC deployment, see &lt;a href="https://www.puppyone.ai/en/open-source" rel="noopener noreferrer"&gt;Open source&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;(For readers searching for the “&lt;strong&gt;puppyone db pattern&lt;/strong&gt;”: the important idea isn’t the brand. It’s the boundary—agents get files, never the DB.)&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Context Drive: The Missing Storage Layer for AI Agents</title>
      <dc:creator>Herbert</dc:creator>
      <pubDate>Thu, 02 Jul 2026 14:52:00 +0000</pubDate>
      <link>https://dev.to/herbert26/context-drive-the-missing-storage-layer-for-ai-agents-56ek</link>
      <guid>https://dev.to/herbert26/context-drive-the-missing-storage-layer-for-ai-agents-56ek</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fjykv3gj8f3lrnou8lrq8.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fjykv3gj8f3lrnou8lrq8.jpeg" alt=" " width="800" height="533"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Every compute workload that matures eventually gets its own storage layer. Databases got SQL. Web apps got blob storage. ML pipelines got feature stores. Vector search got vector databases. AI agents are getting one too. We call it a context drive: a file-based, versioned, governed cloud drive for agent context. This post is why it has to exist, and why it has to look the way it does.&lt;/p&gt;

&lt;p&gt;What follows isn’t a product pitch. It’s an infrastructure argument: if you’re building agents that run daily, touch real systems, and are expected to be explainable, you’ll eventually need a canonical place where their “working knowledge” lives—durably, permissionably, and with history.&lt;/p&gt;

&lt;h2&gt;
  
  
  The pattern: workloads grow up by getting a storage layer
&lt;/h2&gt;

&lt;p&gt;Software categories don’t appear because someone coin-flips a name. They appear when a new workload becomes common enough that the same operational problem shows up everywhere.&lt;/p&gt;

&lt;p&gt;In the 1980s, business data stopped fitting in ad‑hoc files and spreadsheets. Relational databases turned “data storage” into a repeatable discipline.&lt;/p&gt;

&lt;p&gt;In the 2000s, the web turned media into a default workload. Images, video, logs, and backups needed storage that scaled without pretending everything was a table. Object storage, popularized by services like &lt;a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html" rel="noopener noreferrer"&gt;Amazon S3 (AWS docs)&lt;/a&gt;, became the place where unstructured blobs could live reliably.&lt;/p&gt;

&lt;p&gt;In the 2015+ era, ML teams learned the hard way that “features” aren’t just data—they’re reusable, governed artifacts that have to stay consistent across training and serving. That pain produced feature stores as a dedicated layer (Databricks’ definition in &lt;a href="https://www.databricks.com/blog/what-is-a-feature-store-complete-guide-ml-feature-engineering" rel="noopener noreferrer"&gt;What is a Feature Store?&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;In the 2020+ era, similarity search became a primitive. Embeddings needed systems that were built around approximate nearest neighbor indexing and metadata filters. Vector databases showed up to operationalize that.&lt;/p&gt;

&lt;p&gt;2025+ is the same story: agent context is now the recurring workload.&lt;/p&gt;

&lt;p&gt;A workload becomes a category when enough teams hit the same operational ceiling at the same time. AI agent context has hit that ceiling.&lt;/p&gt;

&lt;h2&gt;
  
  
  Three signs the ceiling has been hit
&lt;/h2&gt;

&lt;p&gt;You don’t need deep architecture debates to spot a missing layer. You can hear it in the same three complaints, repeated across teams, tooling choices, and model providers.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1) “Every agent rebuilds its own memory from scratch.”&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;When every new agent begins by reinventing how it stores and reuses context, you’re not looking at a prompt problem. You’re looking at a missing storage primitive.&lt;/p&gt;

&lt;p&gt;A reusable layer shows up when teams stop asking “what prompt template do you use?” and start asking “where does your context live?”&lt;/p&gt;

&lt;p&gt;Concretely: the same concepts get reimplemented per agent—naming, chunking, summarization, retention rules, and “what counts as canonical.” Then the team adds a second agent, and the two systems drift. Then a third agent reads the wrong “latest summary” and produces a confidently wrong action. The failure mode isn’t intelligence; it’s entropy.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2) “Nobody can answer what the agent read.”&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The moment an agent matters, the postmortem begins. And the first question is always the same: what did it see?&lt;/p&gt;

&lt;p&gt;If you can’t reproduce an agent’s inputs—what context it read, which version, under which identity—then you don’t have an operational system. You have a demo with good days and bad days.&lt;/p&gt;

&lt;p&gt;Auditability is not a compliance feature. It is the minimum requirement for debugging production agents.&lt;/p&gt;

&lt;p&gt;And it’s not only about failures. Teams that want to improve an agent need a feedback loop: “When it did X, it had read Y, but it should have read Z.” Without a stable, reviewable record of context, improvement becomes guesswork.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;3) “Vector DBs are being asked to be filesystems.”&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;When teams use a vector database as the canonical store for documents, they eventually run into basic questions that vector search was never designed to answer: What is the latest version? Who changed it? Can we diff it? Can we roll it back? Who is allowed to read it?&lt;/p&gt;

&lt;p&gt;If your vector DB breaks the moment you ask it to behave like &lt;code&gt;cat&lt;/code&gt;, &lt;code&gt;diff&lt;/code&gt;, rollback, or permissions, the stack has a layer mismatch.&lt;/p&gt;

&lt;p&gt;Vector databases solve retrieval. They do not solve ownership of the underlying artifacts.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why it has to be file-shaped, not vector-shaped
&lt;/h2&gt;

&lt;p&gt;A context drive is not a prettier database. It is a decision about the canonical form of agent context.&lt;/p&gt;

&lt;p&gt;Files win because they are the one interface humans and agents both understand.&lt;/p&gt;

&lt;p&gt;A file can be read. It can be reviewed. It can be diffed. It can be versioned. It can be permissioned. It can be moved across systems without losing meaning. A file is also the most honest boundary for governance: you can point to it, name it, and explain who touched it.&lt;/p&gt;

&lt;p&gt;That is why the canonical layer has to look like a filesystem, even if the implementation underneath is distributed.&lt;/p&gt;

&lt;p&gt;Vectors don’t have that property.&lt;/p&gt;

&lt;p&gt;Vectors are an index over content, not the content itself. You don’t use a search engine as your database. You don’t store your source of truth in the same structure you use to retrieve it quickly.&lt;/p&gt;

&lt;p&gt;There’s also a quiet technical tax in “vector-shaped storage”: you convert rich documents into chunks and embeddings, then pretend you can reconstruct the original truth later. That is a lossy transform—and every loss turns into downstream entropy: missing clauses, broken provenance, unclear ownership, and hard-to-explain behavior.&lt;/p&gt;

&lt;p&gt;Vectors find the document. The drive stores it. They are not the same layer, and conflating them is the most expensive mistake of the 2024–2025 agent stack.&lt;/p&gt;

&lt;h2&gt;
  
  
  Three principles a context drive must obey
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Context is an artifact, not a side effect.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;If context only exists inside a session buffer or a transient tool call, it can’t be reviewed, shared, rolled back, or improved. Treat context like you treat build outputs: explicit files with names, structure, and ownership.&lt;/p&gt;

&lt;p&gt;A useful mental model: prompts and tool calls are the “runtime.” Context files are the “compiled artifacts.” You can rerun the runtime; you can’t debug it unless the artifacts are stable.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Every read and write is a governed event.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Agent context isn’t “data access.” It is behavior. Every read and write needs a scoped identity, a version boundary, and an audit trail as native attributes—not bolted on after the first incident.&lt;/p&gt;

&lt;p&gt;That means governance isn’t a separate admin panel. It’s embedded in the primitive: “this agent identity read these files at these versions” and “this agent identity wrote a new version of this file, with a diff you can review.”&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The drive doesn’t replace memory or RAG. It gives them somewhere durable to point at.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Memory is an access pattern. RAG is a consumption pattern. A context drive is the storage substrate that makes those patterns reliable, portable, and reproducible across agents and across time.&lt;/p&gt;

&lt;p&gt;This is why “AI agent memory” works in prototypes and breaks in production: memory needs a durable substrate.&lt;/p&gt;

&lt;h2&gt;
  
  
  What it looks like in practice
&lt;/h2&gt;

&lt;p&gt;The simplest way to understand a context drive is to imagine a project repo and a shared drive had a child—then add agent identities and audit logs.&lt;/p&gt;

&lt;p&gt;You might have:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;A human-readable folder like &lt;code&gt;policies/&lt;/code&gt; containing the current compliance rules in Markdown.&lt;/li&gt;
&lt;li&gt;A machine-friendly folder like &lt;code&gt;state/&lt;/code&gt; containing compact JSON snapshots of “known facts” the agent relies on.&lt;/li&gt;
&lt;li&gt;An &lt;code&gt;events/&lt;/code&gt; folder with append-only logs that explain how a state file was derived.&lt;/li&gt;
&lt;li&gt;A &lt;code&gt;summaries/&lt;/code&gt; folder where an agent writes periodic digests that can be reviewed and corrected.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Not every team will choose the same structure, and that’s the point: files allow you to pick boundaries that match your workflow. The key is that the boundaries are explicit, reviewable, and versioned.&lt;/p&gt;

&lt;h2&gt;
  
  
  Minimal architecture for a real context drive
&lt;/h2&gt;

&lt;p&gt;To stay useful beyond the first demo, the storage layer has to support a few boring, production-grade operations. The list below isn’t exhaustive, but it’s the minimum set that tends to show up once agents write anything you care about.&lt;/p&gt;

&lt;h3&gt;
  
  
  Canonical artifacts, derived indexes
&lt;/h3&gt;

&lt;p&gt;Store canonical context as files (Markdown, JSON, raw attachments). Build search indexes—vectors, keywords, metadata—as &lt;em&gt;derived&lt;/em&gt; views.&lt;/p&gt;

&lt;p&gt;If the index is wrong, you rebuild it. If the file is wrong, you fix it and version it. That separation is what keeps debugging sane.&lt;/p&gt;

&lt;h3&gt;
  
  
  Identity and access at the file boundary
&lt;/h3&gt;

&lt;p&gt;Agents don’t just need “API keys.” They need scoped, reviewable access:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;This agent can read &lt;code&gt;customers/public/&lt;/code&gt; but cannot see &lt;code&gt;customers/enterprise/&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;This agent can write only to &lt;code&gt;summaries/weekly/&lt;/code&gt; and &lt;code&gt;drafts/&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;This agent can never read &lt;code&gt;secrets/&lt;/code&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The important part is that access rules map cleanly onto file paths and that reads/writes are logged with an identity you can reason about.&lt;/p&gt;

&lt;h3&gt;
  
  
  Versioning that matches agent behavior
&lt;/h3&gt;

&lt;p&gt;Agent writes are different from human edits. They’re frequent, sometimes noisy, and often incremental. A context drive needs version semantics that make review cheap:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Every write produces a new version (or commit).&lt;/li&gt;
&lt;li&gt;Diffs are first-class so humans can approve or revert.&lt;/li&gt;
&lt;li&gt;Rollback is easy and fast.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;When rollback is painful, teams stop letting agents write. When rollback is trivial, teams start letting agents do real work.&lt;/p&gt;

&lt;h3&gt;
  
  
  Append-only audit logs
&lt;/h3&gt;

&lt;p&gt;If you’re serious about running agents, you will eventually need to answer questions like:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Which files did the agent read before it sent that email?&lt;/li&gt;
&lt;li&gt;What changed between the “good run” and the “bad run”?&lt;/li&gt;
&lt;li&gt;Which identity wrote this line of policy?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;That’s why audit logs must exist as native events—ideally in a form you can query, export, and retain.&lt;/p&gt;

&lt;h2&gt;
  
  
  What this is not
&lt;/h2&gt;

&lt;p&gt;Clear category boundaries are part of making a category real.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;“Isn’t this just RAG?”&lt;/strong&gt; No. RAG is consumption. The drive is storage.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;“Isn’t this just memory?”&lt;/strong&gt; No. Memory is one access pattern over the drive.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;“Isn’t this just S3?”&lt;/strong&gt; No. Object storage does not model agent identity, version semantics for agent-authored changes, or context-shaped governance. It stores blobs; it doesn’t make context operational.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;“Isn’t this just MCP?”&lt;/strong&gt; No. MCP is transport. The drive is what exists on the other side of the protocol.&lt;/p&gt;

&lt;p&gt;For the practical comparison with memory, RAG, and context windows, see &lt;a href="https://www.puppyone.ai/en/blog/ai-agent-context-management-where-context-should-live" rel="noopener noreferrer"&gt;AI Agent Context Management: Where Context Should Live →&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why we’re betting on this
&lt;/h2&gt;

&lt;p&gt;We’ve spent the last two years watching the same pattern repeat: as soon as an agent graduates from “assistant” to “worker,” context stops being a prompt ingredient and starts behaving like a production artifact.&lt;/p&gt;

&lt;p&gt;Once multiple agents collaborate—or one agent runs repeatedly over weeks—the hardest part isn’t model quality. It’s making sure every run has the right context, and that humans can explain and govern what happened.&lt;/p&gt;

&lt;p&gt;We don’t think this is a tooling gap. It’s a missing layer.&lt;/p&gt;

&lt;p&gt;That’s why we’re building puppyone as a context drive: a governed, versioned place where agent-readable context artifacts can live, so retrieval, memory, and orchestration have something durable to reference.&lt;/p&gt;

&lt;p&gt;If you want a concrete example of what that looks like, puppyone is building exactly this: a Context Space that syncs from your existing tools, transforms content into agent-readable files, and exposes it through controlled access points with version history and audit trails. (If you’re curious, start at &lt;a href="https://www.puppyone.ai" rel="noopener noreferrer"&gt;puppyone.ai&lt;/a&gt;.)&lt;/p&gt;

&lt;p&gt;If you want the broader infrastructure argument for multi-agent systems, see &lt;a href="https://www.puppyone.ai/en/blog/puppyone-3-context-infrastructure-multi-agent" rel="noopener noreferrer"&gt;puppyone 3 context infrastructure multi agent&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  A practical adoption checklist
&lt;/h2&gt;

&lt;p&gt;If you’re reading this while building agents, here’s a quick way to tell whether you’re already “past the ceiling.”&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;You have more than one agent&lt;/strong&gt; that needs to share context, or one agent that runs repeatedly over weeks.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;You’ve had at least one incident&lt;/strong&gt; where the agent behaved oddly and nobody could reproduce its inputs.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;You’ve started writing glue code&lt;/strong&gt; to move knowledge between Notion/Slack/docs/repos and whatever your agent framework expects.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;You’re debating where the source of truth lives&lt;/strong&gt; for “facts” the agent should rely on.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If two or more are true, you’re very likely in context-drive territory.&lt;/p&gt;

&lt;h2&gt;
  
  
  Closing: A claim, not a question
&lt;/h2&gt;

&lt;p&gt;The next decade of agent infrastructure won’t be decided by who has the smartest model. It will be decided by who has the cleanest place to put their context. We’re calling that place a context drive. We don’t think the name is the important part—we think the layer is.&lt;/p&gt;

&lt;h2&gt;
  
  
  FAQ
&lt;/h2&gt;

&lt;h3&gt;
  
  
  What is a context drive in one sentence?
&lt;/h3&gt;

&lt;p&gt;A context drive is a file-shaped, versioned, governed storage layer where agent context lives as durable artifacts that can be reviewed, shared, and rolled back.&lt;/p&gt;

&lt;h3&gt;
  
  
  How is a context drive different from RAG?
&lt;/h3&gt;

&lt;p&gt;RAG is a &lt;em&gt;consumption&lt;/em&gt; pattern—how an agent pulls relevant information into a run. A context drive is &lt;em&gt;storage&lt;/em&gt;—the canonical place the underlying artifacts live, with versions and access controls.&lt;/p&gt;

&lt;h3&gt;
  
  
  Why not store everything in a vector database?
&lt;/h3&gt;

&lt;p&gt;Vector databases are great for retrieval, but they aren’t designed to be the source of truth for artifacts. Once you need “latest version,” diffs, rollback, and file-level permissions, you’re asking the index to behave like a filesystem.&lt;/p&gt;

&lt;h3&gt;
  
  
  What kinds of files belong in a context drive?
&lt;/h3&gt;

&lt;p&gt;Typically a mix of human-readable documents (like Markdown policies), machine-friendly state (like compact JSON), append-only event logs for traceability, and periodic summaries that can be reviewed and corrected.&lt;/p&gt;

&lt;h3&gt;
  
  
  What does “governed reads and writes” mean for agents?
&lt;/h3&gt;

&lt;p&gt;It means every access happens under a scoped identity with explicit permissions, and every read/write is recorded so you can answer “what did the agent see?” and “what changed?” later.&lt;/p&gt;

&lt;h3&gt;
  
  
  Does a context drive replace agent memory?
&lt;/h3&gt;

&lt;p&gt;No. Memory is an access pattern over stored artifacts. A context drive provides the durable substrate so memory can be portable, reviewable, and reproducible over time.&lt;/p&gt;

&lt;h3&gt;
  
  
  When do teams usually need this layer?
&lt;/h3&gt;

&lt;p&gt;When you have multiple agents sharing context, or a single agent that runs repeatedly over weeks—and especially once you’ve had an incident where behavior couldn’t be reproduced because the inputs weren’t captured as stable artifacts.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>AI Agent Context Management: Where Context Should Live</title>
      <dc:creator>Herbert</dc:creator>
      <pubDate>Wed, 01 Jul 2026 06:08:02 +0000</pubDate>
      <link>https://dev.to/herbert26/ai-agent-context-management-where-context-should-live-1kil</link>
      <guid>https://dev.to/herbert26/ai-agent-context-management-where-context-should-live-1kil</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fd3rbzozymlxdtlci7tj6.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fd3rbzozymlxdtlci7tj6.jpeg" alt=" " width="800" height="533"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key Takeaways&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Most “agent amnesia” is a storage problem: the context dies with the session.&lt;/li&gt;
&lt;li&gt;Bigger context windows help with single-run reasoning, but they don’t create cross-session continuity.&lt;/li&gt;
&lt;li&gt;RAG is a retrieval method, not a governance layer.&lt;/li&gt;
&lt;li&gt;Embedding-only memory is hard to audit, hard to version, and often hard to make predictable.&lt;/li&gt;
&lt;li&gt;A file-based context drive is emerging as the storage layer for agent context management: durable, versioned, and reusable across agents.&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Why agents keep “forgetting” between runs
&lt;/h2&gt;

&lt;p&gt;AI agents can feel impressively competent inside a single task. They can reason, call tools, write code, and produce coherent output. Then the run ends and the next session starts, and suddenly the agent is back to asking the same questions, repeating the same mistakes, and behaving like it never met you.&lt;/p&gt;

&lt;p&gt;This is not mainly a “model got smarter” problem. It’s an &lt;strong&gt;agent context management&lt;/strong&gt; problem: where does the agent’s context live, how does it persist, and how does the agent reliably get the right slice of it at the right time?&lt;/p&gt;

&lt;p&gt;If your system’s answer is “it lives in the chat history,” you’ve already seen the failure mode. The history either doesn’t exist in the next run, or it’s too long, too noisy, and too expensive to load. If your answer is “we’ll just use RAG,” you’ll quickly discover that retrieval alone can’t guarantee governance, traceability, or repeatability.&lt;/p&gt;

&lt;p&gt;In 2026, the winning architecture is increasingly layered. &lt;strong&gt;Memory, RAG, and context windows are consumption mechanisms.&lt;/strong&gt; You still need a storage layer designed for context itself. That storage layer looks a lot like a cloud drive, but built for agents.&lt;/p&gt;

&lt;h2&gt;
  
  
  What is agent context (and why it keeps disappearing)
&lt;/h2&gt;

&lt;p&gt;At any moment, an agent’s behavior is driven by what the model can currently see.&lt;/p&gt;

&lt;p&gt;Anthropic defines &lt;strong&gt;context&lt;/strong&gt; as “the set of tokens included when sampling from a large-language model (LLM)” in &lt;a href="https://www.anthropic.com/engineering/effective-context-engineering-for-ai-agents" rel="noopener noreferrer"&gt;Anthropic’s Effective context engineering for AI agents (2025)&lt;/a&gt;. In other words: &lt;strong&gt;context is everything you put in the model’s active input for this turn&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;In practice, agent context includes:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;system instructions (policies, persona, constraints)&lt;/li&gt;
&lt;li&gt;conversation history (what the user asked, what the agent answered)&lt;/li&gt;
&lt;li&gt;retrieved knowledge (documents, snippets, summaries)&lt;/li&gt;
&lt;li&gt;tool outputs (API results, database rows, error logs)&lt;/li&gt;
&lt;li&gt;state the agent must maintain (IDs, decisions made, files created, progress)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;It’s useful to separate three “where does it live?” forms:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Context window (temporary)&lt;/strong&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;ul&gt;
&lt;li&gt;The model’s active working space for one run.&lt;/li&gt;
&lt;li&gt;It’s powerful for reasoning, but it evaporates when the session ends.&lt;/li&gt;
&lt;/ul&gt;

&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Memory (durable, but selective)&lt;/strong&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;ul&gt;
&lt;li&gt;Information the agent writes out and persists outside the window.&lt;/li&gt;
&lt;li&gt;In the Claude cookbook, memory is described as structured note-taking: “the agent writes to persistent external storage so it can track progress across tasks and sessions without keeping everything in active context” in &lt;a href="https://platform.claude.com/cookbook/tool-use-context-engineering-context-engineering-tools" rel="noopener noreferrer"&gt;Context engineering: memory, compaction, and tool clearing (Anthropic)&lt;/a&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;External knowledge (RAG)&lt;/strong&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;ul&gt;
&lt;li&gt;Documents stored elsewhere (wikis, tickets, docs, repos) that are retrieved on demand.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The core reason agents “forget” is simple: by default, &lt;strong&gt;most context is only inside the context window&lt;/strong&gt;. When the run ends, that context disappears unless your system explicitly persists it.&lt;/p&gt;

&lt;p&gt;This is why teams started talking about &lt;strong&gt;stateful agents&lt;/strong&gt;. Not because stateless agents are dumb, but because real work requires durable state.&lt;/p&gt;

&lt;h2&gt;
  
  
  AI agent memory and stateful agents: the current approaches
&lt;/h2&gt;

&lt;p&gt;When people say “ai agent memory,” they often mean wildly different things. Two useful buckets:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Short-term memory&lt;/strong&gt;: what’s still in the current context window (recent turns, tool outputs, retrieved snippets).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Long-term memory&lt;/strong&gt;: anything that survives session boundaries: notes, files, databases, event logs, durable identifiers.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Today’s most common approaches to long-term memory look like quick patches. They work until they don’t.&lt;/p&gt;

&lt;h3&gt;
  
  
  1) Stuff more history into a bigger context window
&lt;/h3&gt;

&lt;p&gt;The first instinct is to buy a model with a larger context window and paste more history into it.&lt;/p&gt;

&lt;p&gt;This helps with a narrow problem: truncation. But it introduces other failure modes. As Anthropic emphasizes, context is a finite resource with diminishing returns, and long contexts can degrade performance in practice.&lt;/p&gt;

&lt;p&gt;There’s also a fundamental mismatch: a larger context window still doesn’t guarantee the history will exist in the next session. If your app doesn’t reliably load the right prior context, the model has nothing to “remember.”&lt;/p&gt;

&lt;h3&gt;
  
  
  2) Vectorize memory (memory as embeddings)
&lt;/h3&gt;

&lt;p&gt;A more scalable approach is embedding-based memory: store interactions, facts, and artifacts as vectors; retrieve semantically similar items when needed.&lt;/p&gt;

&lt;p&gt;This can work well for “find related things” problems. But it’s weak at the exact traits decision-stage teams care about:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Predictability&lt;/strong&gt;: similarity search can be surprisingly non-deterministic at the edges.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Auditability&lt;/strong&gt;: it’s hard to explain why a specific chunk came back.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Versioning&lt;/strong&gt;: when content changes, you often need re-embedding, re-indexing, and re-evaluating the retrieval surface.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;At BOFU, these aren’t academic complaints. If an agent makes a wrong choice, someone will ask: what did it read, which version, under what permission, and why?&lt;/p&gt;

&lt;h3&gt;
  
  
  3) Store state in a KV store or database
&lt;/h3&gt;

&lt;p&gt;Teams sometimes treat agent state as application state:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;key-value records&lt;/li&gt;
&lt;li&gt;relational tables&lt;/li&gt;
&lt;li&gt;event logs&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This is necessary, but it’s not sufficient for agent context. Traditional databases are great for facts and transactions. They are not designed to store the messy mix of:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;human-readable notes&lt;/li&gt;
&lt;li&gt;structured JSON&lt;/li&gt;
&lt;li&gt;task artifacts&lt;/li&gt;
&lt;li&gt;prompts&lt;/li&gt;
&lt;li&gt;intermediate outputs&lt;/li&gt;
&lt;li&gt;evidence bundles&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;They also don’t automatically solve multi-agent reuse, where different agents need the same context, but through different access boundaries.&lt;/p&gt;

&lt;h3&gt;
  
  
  The pattern behind the patches
&lt;/h3&gt;

&lt;p&gt;All three approaches are trying to solve one missing piece: &lt;strong&gt;a storage layer designed for context artifacts&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;If you want the practitioner version of this argument, the broader framing is in &lt;a href="https://www.puppyone.ai/en/blog/context-engineering-when-rag-is-not-enough" rel="noopener noreferrer"&gt;context engineering when RAG isn’t enough&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Context drive vs memory vs RAG vs context window
&lt;/h2&gt;

&lt;p&gt;These concepts aren’t mutually exclusive. They’re layered.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The &lt;strong&gt;context window&lt;/strong&gt; is where the model reasons.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Memory&lt;/strong&gt; is what you choose to persist.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;RAG&lt;/strong&gt; is a way to fetch knowledge on demand.&lt;/li&gt;
&lt;li&gt;A &lt;strong&gt;context drive&lt;/strong&gt; is the storage layer where context artifacts live so agents can retrieve, share, and govern them.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Here’s the cleanest boundary table.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;&lt;/th&gt;
&lt;th&gt;Context Window&lt;/th&gt;
&lt;th&gt;Memory&lt;/th&gt;
&lt;th&gt;RAG&lt;/th&gt;
&lt;th&gt;Context Drive (context cloud drive)&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Nature&lt;/td&gt;
&lt;td&gt;Temporary buffer&lt;/td&gt;
&lt;td&gt;State/notes/embeddings&lt;/td&gt;
&lt;td&gt;External knowledge retrieval&lt;/td&gt;
&lt;td&gt;File-based persistent context storage&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Durability&lt;/td&gt;
&lt;td&gt;None&lt;/td&gt;
&lt;td&gt;Limited&lt;/td&gt;
&lt;td&gt;Document-level&lt;/td&gt;
&lt;td&gt;Durable + versioned&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Reuse (multi-agent)&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;Weak&lt;/td&gt;
&lt;td&gt;Partial&lt;/td&gt;
&lt;td&gt;Yes, any agent can read/write on demand&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Auditable/governed&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;td&gt;Hard&lt;/td&gt;
&lt;td&gt;Partial&lt;/td&gt;
&lt;td&gt;Yes (visible files, control, history)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Best for&lt;/td&gt;
&lt;td&gt;Single-run reasoning&lt;/td&gt;
&lt;td&gt;Session continuity&lt;/td&gt;
&lt;td&gt;Knowledge Q&amp;amp;A&lt;/td&gt;
&lt;td&gt;Cross-task + cross-agent context sharing&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;The critical claim: &lt;strong&gt;a context drive is the base layer; memory/RAG/window are consumption modes.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;In other words: if you keep debating “RAG vs memory,” you might be missing the real question. Where does the durable context live, in a form agents can safely consume?&lt;/p&gt;

&lt;h2&gt;
  
  
  Introducing the context drive: a cloud drive for agent context
&lt;/h2&gt;

&lt;p&gt;A context drive is a file-based cloud storage layer where an AI agent’s context is persisted, versioned, and retrieved on demand. The way a cloud drive stores files for people, a context drive stores context for agents.&lt;/p&gt;

&lt;p&gt;This definition matters because it turns a fuzzy problem (“the agent forgets”) into infrastructure primitives you can build and buy:&lt;/p&gt;

&lt;h3&gt;
  
  
  1) Store: context becomes files, not a black box
&lt;/h3&gt;

&lt;p&gt;When context is stored as files (Markdown, JSON, raw artifacts), it becomes:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;readable by humans&lt;/li&gt;
&lt;li&gt;usable by agents&lt;/li&gt;
&lt;li&gt;searchable by both&lt;/li&gt;
&lt;li&gt;portable across toolchains&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;It also makes “memory” explicit. Not whatever your embeddings happen to surface, but concrete artifacts: a plan, a decision record, an evidence bundle, a customer profile.&lt;/p&gt;

&lt;p&gt;This file-centric pattern shows up in research on long-horizon agents as well. FS-Researcher describes the file system as “durable external memory” and “a shared coordination medium across agents and sessions” in &lt;a href="https://arxiv.org/abs/2602.01566" rel="noopener noreferrer"&gt;FS-Researcher (arXiv:2602.01566)&lt;/a&gt;. InfiAgent similarly argues for explicitly separating persistent task state from bounded reasoning context through a file-centric state abstraction in &lt;a href="https://arxiv.org/html/2601.03204" rel="noopener noreferrer"&gt;InfiAgent (arXiv:2601.03204)&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The point isn’t “files are magical.” It’s that files are a practical, widely compatible format for persisted context.&lt;/p&gt;

&lt;h3&gt;
  
  
  2) Versioning and governance: context needs change control
&lt;/h3&gt;

&lt;p&gt;At decision stage, the hardest part isn’t storing context. It’s controlling it:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;What changed?&lt;/li&gt;
&lt;li&gt;Who changed it?&lt;/li&gt;
&lt;li&gt;Which version did the agent use?&lt;/li&gt;
&lt;li&gt;Can we roll it back?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This is where “memory as embeddings” often fails the enterprise test. It can store similarity, but it struggles to store governance.&lt;/p&gt;

&lt;p&gt;Large context windows don’t solve this either. They can hold more tokens, but they don’t add:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;version history&lt;/li&gt;
&lt;li&gt;approval trails&lt;/li&gt;
&lt;li&gt;least-privilege boundaries&lt;/li&gt;
&lt;li&gt;rollback primitives&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  3) Retrieval and reuse: any agent can pull the right slice
&lt;/h3&gt;

&lt;p&gt;A context drive doesn’t replace RAG. It enables better RAG.&lt;/p&gt;

&lt;p&gt;Instead of retrieving from an ungoverned document pile, retrieval can target:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;curated, structured artifacts&lt;/li&gt;
&lt;li&gt;known file paths&lt;/li&gt;
&lt;li&gt;versioned snapshots&lt;/li&gt;
&lt;li&gt;scoped folders tied to an agent identity&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This makes “agent context management” less like improvisation, more like operations.&lt;/p&gt;

&lt;p&gt;For teams evaluating whether to build or buy this layer, the tradeoffs are covered in &lt;a href="https://www.puppyone.ai/en/blog/build-vs-buy-agent-context-platform" rel="noopener noreferrer"&gt;build vs buy an agent context platform&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  What this looks like in practice (enterprise)
&lt;/h2&gt;

&lt;p&gt;Enterprise buyers tend to ask the same questions, phrased a few different ways:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Where should we store an AI agent’s context?&lt;/li&gt;
&lt;li&gt;What’s the best place to store backups of AI agents?&lt;/li&gt;
&lt;li&gt;Who can access it?&lt;/li&gt;
&lt;li&gt;Can we audit it?&lt;/li&gt;
&lt;li&gt;Can we roll back bad writes?&lt;/li&gt;
&lt;li&gt;How do we avoid “one agent poisoned the context for everyone”?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A context drive answers those questions with governance primitives:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;centralized storage&lt;/strong&gt;: one place where “context artifacts” live&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;scoped access&lt;/strong&gt;: each agent sees only what it is allowed to see&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;version control&lt;/strong&gt;: every write is diffable and reversible&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;audit logs&lt;/strong&gt;: read and write traces are inspectable&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;That’s the difference between “we have memory” and “we have a governed context layer.”&lt;/p&gt;

&lt;p&gt;One concrete implementation is &lt;strong&gt;puppyone&lt;/strong&gt;. In its documentation, it positions itself as “A Context File System built for AI agents” and highlights connectors, version control and rollback, per-agent identity views, audit logs, and multiple access channels in &lt;a href="https://www.puppyone.ai/en/docs" rel="noopener noreferrer"&gt;puppyone docs&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;If you want the architectural framing for multi-agent teams, this is the most direct entry point: &lt;a href="https://www.puppyone.ai/en/blog/puppyone-3-context-infrastructure-multi-agent" rel="noopener noreferrer"&gt;puppyone 3 context infrastructure for multi-agent teams&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  FAQ
&lt;/h2&gt;

&lt;h3&gt;
  
  
  What is agent context?
&lt;/h3&gt;

&lt;p&gt;Agent context is the full set of information an agent can “see” at a given moment: instructions, conversation history, retrieved docs, tool results, and state. In practice it’s whatever your system loads into the model’s active input, plus any external artifacts the agent can read during execution.&lt;/p&gt;

&lt;h3&gt;
  
  
  What’s the difference between agent memory and agent context?
&lt;/h3&gt;

&lt;p&gt;Agent context is what the model sees right now. Agent memory is what your system persists outside the context window so it can survive resets and be pulled back later. Memory is selective; context is the current, assembled bundle used for this step.&lt;/p&gt;

&lt;h3&gt;
  
  
  Is a context drive the same as RAG?
&lt;/h3&gt;

&lt;p&gt;No. RAG is a retrieval method: find relevant information and inject it into the context window. A context drive is a storage layer: it holds the context artifacts (files, snapshots, task outputs) that RAG and memory systems can retrieve from in a governed way.&lt;/p&gt;

&lt;h3&gt;
  
  
  Where should I store an AI agent’s context?
&lt;/h3&gt;

&lt;p&gt;Store durable context outside the context window, in a governed system that supports versioning, access control, and audit logs. Use the context window for active reasoning, and use retrieval to pull only the slice needed for the current step.&lt;/p&gt;

&lt;h3&gt;
  
  
  Does a bigger context window solve the memory problem?
&lt;/h3&gt;

&lt;p&gt;It helps with single-session recall, but it doesn’t create cross-session persistence. Long contexts can also degrade performance as they fill up (“lost in the middle”). Durable memory requires explicit storage outside the window, plus a policy for what to persist and how to retrieve it.&lt;/p&gt;

&lt;h2&gt;
  
  
  Next steps
&lt;/h2&gt;

&lt;p&gt;If your agents are failing because the right context isn’t consistently available, treat it as infrastructure, not prompting. Start by writing down which context must be durable (policies, decisions, IDs, artifacts), then choose a storage layer that supports scoping, versioning, and audit.&lt;/p&gt;

&lt;p&gt;If you’re evaluating a file-based context drive in production, &lt;strong&gt;puppyone&lt;/strong&gt; is built for that layer: a governed context file system for agents with scoped access points, versioned writes, and auditability. You can start with one workflow and expand once you can prove the failure path is recoverable.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>SaaS ingestion for AI agents: from raw APIs to governed context snapshots</title>
      <dc:creator>Herbert</dc:creator>
      <pubDate>Mon, 18 May 2026 12:01:48 +0000</pubDate>
      <link>https://dev.to/herbert26/saas-ingestion-for-ai-agents-from-raw-apis-to-governed-context-snapshots-l9j</link>
      <guid>https://dev.to/herbert26/saas-ingestion-for-ai-agents-from-raw-apis-to-governed-context-snapshots-l9j</guid>
      <description>&lt;p&gt;If you’re wiring Notion, Slack, and Gmail into agents, “ingestion” is often treated like a data plumbing problem: pull text, chunk it, embed it, ship it.&lt;/p&gt;

&lt;p&gt;In production, that framing breaks fast.&lt;/p&gt;

&lt;p&gt;A safer definition is this:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Ingestion is the process of producing a context snapshot that agents can safely consume&lt;/strong&gt;—agent-readable, permission-scoped, traceable, reproducible, and rollback-friendly.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;This post is a decision-stage checklist for building that kind of ingestion layer. The goal isn’t novelty. It’s making sure your system can answer hard questions later:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;em&gt;What exactly did the agent see?&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Was it allowed to see it?&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;What changed since last week?&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Can we roll back a bad write or a bad sync?&lt;/em&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Key takeaways
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Treat ingestion as &lt;strong&gt;producing a context snapshot agents can safely consume&lt;/strong&gt;, not “loading docs” into a vector store.&lt;/li&gt;
&lt;li&gt;Version snapshots and log provenance so you can &lt;strong&gt;diff, replay, and investigate&lt;/strong&gt;.&lt;/li&gt;
&lt;li&gt;Least privilege is non-negotiable: scope connectors tightly and &lt;strong&gt;re-check authorization at retrieval time&lt;/strong&gt;.&lt;/li&gt;
&lt;li&gt;If you can’t propagate deletes and permission revocations, your system will eventually leak.&lt;/li&gt;
&lt;li&gt;A governed workspace makes rollbacks and audits possible when SaaS sources keep changing.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  SaaS ingestion for AI agents starts with a snapshot contract
&lt;/h2&gt;

&lt;p&gt;Before you build connectors, decide what your “context snapshot” actually is&lt;/p&gt;

&lt;p&gt;A context snapshot is the unit of context you can hand to an agent &lt;strong&gt;without also handing it the entire SaaS surface area&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;In practice, that means your ingestion pipeline produces artifacts with:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;A stable identity&lt;/strong&gt; (object ID + source system + path)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;A version&lt;/strong&gt; (or content hash) so you can diff and replay&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;An “as-of” timestamp&lt;/strong&gt; (“this snapshot reflects Notion/Slack/Gmail up to T”)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;A permission envelope&lt;/strong&gt; (what identities can read/write which paths)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Provenance metadata&lt;/strong&gt; (where it came from, and how it was transformed)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you can’t label and replay snapshots, you don’t have ingestion—you have an always-moving target.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key Takeaway&lt;/strong&gt;: “Fresh” is negotiable. “Authorized and reproducible” is not.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  The main failure modes of SaaS ingestion (and what to do about them)
&lt;/h2&gt;

&lt;h3&gt;
  
  
  1) Over-privileged connectors
&lt;/h3&gt;

&lt;p&gt;The first breach pattern is mundane: you connect a tool with broader scopes than you intended, because it was the fastest way to get data moving.&lt;/p&gt;

&lt;p&gt;OAuth 2.0 was designed to avoid this exact outcome: access tokens can denote &lt;strong&gt;specific scope and lifetime&lt;/strong&gt;, so third-party apps get limited delegated access rather than reusing user credentials (see &lt;a href="https://datatracker.ietf.org/doc/html/rfc6749" rel="noopener noreferrer"&gt;OAuth 2.0 RFC 6749 (2012)&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What to implement&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Scope connectors to the smallest possible surface area (workspace/channel/mailbox/folder).&lt;/li&gt;
&lt;li&gt;Separate &lt;strong&gt;read-only ingestion identities&lt;/strong&gt; from any identity that can write back.&lt;/li&gt;
&lt;li&gt;Prefer short-lived credentials and make revocation easy.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;What failure looks like&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;“The ingestion service quietly became an org-wide admin.”&lt;/li&gt;
&lt;li&gt;“We can’t confidently say which Slack channels were indexed.”&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  2) Permissions drift after indexing
&lt;/h3&gt;

&lt;p&gt;SaaS permissions are dynamic. People leave. Channels go private. Notion pages get restricted. Gmail delegations change.&lt;/p&gt;

&lt;p&gt;If your pipeline only checked permissions &lt;strong&gt;at ingest time&lt;/strong&gt;, it will eventually serve content a user (or agent) is no longer authorized to see.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What to implement&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Treat permission updates and deletions as first-class sync events.&lt;/li&gt;
&lt;li&gt;At retrieval time, apply &lt;strong&gt;authorization filters using current identity state&lt;/strong&gt; (fail closed when ambiguous).&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;What failure looks like&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;“The agent cited a page that was restricted last month.”&lt;/li&gt;
&lt;li&gt;“A deleted Slack message still shows up in answers.”&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  3) Snapshot inconsistency across tools
&lt;/h3&gt;

&lt;p&gt;If Notion syncs hourly, Slack syncs every 5 minutes, and Gmail syncs daily, your “workspace” is a mixed timeline. Agents will stitch together conclusions from different realities.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What to implement&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Define snapshot boundaries explicitly (per source, per workspace, per sync batch).&lt;/li&gt;
&lt;li&gt;Use snapshot IDs and store “as-of” timestamps.&lt;/li&gt;
&lt;li&gt;For high-stakes workflows, support “read-consistent rebuilds” on a schedule.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;What failure looks like&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;“The agent referenced a Slack thread that assumed a Notion spec revision that didn’t exist yet.”&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  4) You ingested untrusted instructions
&lt;/h3&gt;

&lt;p&gt;Ingestion isn’t just about content. It’s about &lt;strong&gt;threat surface&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;The AWS Security team explicitly calls out the risk of ingesting documents that contain hidden or malicious sequences and recommends adding filtering and review steps in the pipeline—up to using format breakers/OCR extraction and classifiers to detect undesirable content (see &lt;a href="https://aws.amazon.com/blogs/security/securing-the-rag-ingestion-pipeline-filtering-mechanisms/" rel="noopener noreferrer"&gt;AWS Security Blog: Securing the RAG ingestion pipeline (2024)&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What to implement&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Run sensitive-data detection and redaction before indexing.&lt;/li&gt;
&lt;li&gt;Route suspicious documents to human review.&lt;/li&gt;
&lt;li&gt;Preserve source pointers so users can inspect what the model used.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;What failure looks like&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;“A single hostile doc altered agent behavior.”&lt;/li&gt;
&lt;li&gt;“We can’t prove which sources the answer came from.”&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  A minimal, production-ready ingestion spec
&lt;/h2&gt;

&lt;p&gt;If you want “minimal viable governance” without building a bureaucracy, start here.&lt;/p&gt;

&lt;h3&gt;
  
  
  Step 1: Normalize SaaS content into agent-readable files
&lt;/h3&gt;

&lt;p&gt;Your agent can’t reason reliably over raw SaaS JSON blobs.&lt;/p&gt;

&lt;p&gt;Instead, normalize each system into a small set of predictable file types:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Notion pages/databases → Markdown + structured JSON metadata&lt;/li&gt;
&lt;li&gt;Slack channels/threads → thread files with message boundaries + timestamps&lt;/li&gt;
&lt;li&gt;Gmail threads → thread files with quoted-text handling + attachment references&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The output shouldn’t look like a human knowledge base. It should look like something a tool can traverse, diff, and cite.&lt;/p&gt;

&lt;h3&gt;
  
  
  Step 2: Attach an ACL envelope to every snapshot
&lt;/h3&gt;

&lt;p&gt;Treat authorization as part of the artifact.&lt;/p&gt;

&lt;p&gt;A clean pattern is a two-layer model:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Tool permissions&lt;/strong&gt;: what operations are allowed (read/write/delete)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Path permissions&lt;/strong&gt;: what the identity can see in the first place&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;One practical property of this model is that unauthorized paths can be made invisible to the agent rather than “visible but forbidden.”&lt;/p&gt;

&lt;p&gt;If you want a concrete reference implementation of the idea, puppyone documents File Level Security as a two-layer model (tools + paths) in its permissions docs: &lt;a href="https://www.puppyone.ai/en/docs/auth-for-agents/permissions" rel="noopener noreferrer"&gt;File Level Security permissions&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  Step 3: Version everything that can change behavior
&lt;/h3&gt;

&lt;p&gt;Versioning is not just “nice for audits.” It’s how you avoid non-reproducible agent behavior.&lt;/p&gt;

&lt;p&gt;If you already use Git for code, treat this as &lt;strong&gt;version control for context&lt;/strong&gt;: the ability to diff what an agent consumed, tag a snapshot, and roll back when a sync or write goes wrong.&lt;/p&gt;

&lt;p&gt;At minimum version:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;normalized content snapshot&lt;/li&gt;
&lt;li&gt;parsing/normalization code version&lt;/li&gt;
&lt;li&gt;embedding model version (if applicable)&lt;/li&gt;
&lt;li&gt;retrieval configuration changes&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Step 4: Log what matters (and keep it queryable)
&lt;/h3&gt;

&lt;p&gt;Your audit trail should be able to answer:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;which identity ingested what&lt;/li&gt;
&lt;li&gt;which connector scopes were granted&lt;/li&gt;
&lt;li&gt;what content was excluded (and why)&lt;/li&gt;
&lt;li&gt;which snapshot IDs were used in a specific answer&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you only store the final answer, you’ve lost the evidence.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Pro Tip&lt;/strong&gt;: Log ingestion events separately from retrieval events. They answer different questions during an incident.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Reference architecture: “connect once, govern centrally, distribute many times”
&lt;/h2&gt;

&lt;p&gt;A workable decision-stage architecture usually has four components:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Connectors&lt;/strong&gt; (Notion/Slack/Gmail) running with least privilege&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Normalizer&lt;/strong&gt; that produces agent-readable files + metadata&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Governed workspace&lt;/strong&gt; that enforces path/tool permissions and keeps versions + diffs&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Retrieval layer&lt;/strong&gt; that applies query-time authorization and chooses what to show the agent&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;This is where many teams accidentally rebuild a network drive.&lt;/p&gt;

&lt;p&gt;A shared drive is optimized for humans browsing files.&lt;/p&gt;

&lt;p&gt;A governed context workspace is optimized for agents &lt;strong&gt;consuming snapshots safely&lt;/strong&gt;: consistent interfaces, scoped access, and traceability tied to the artifacts.&lt;/p&gt;

&lt;p&gt;If you want a concrete example of what “agent-readable + governed” can look like, puppyone’s developer overview describes exposing the same governed workspace via MCP/REST/CLI/Bash through access points: &lt;a href="https://www.puppyone.ai/en/developers" rel="noopener noreferrer"&gt;developers: access points&lt;/a&gt;. That pattern is useful when you have multiple runtimes and want the same permission model everywhere.&lt;/p&gt;

&lt;p&gt;And if your source of truth includes Notion, the idea of mirroring selected pages/databases into a file-shaped context layer is described on the Notion integration page: &lt;a href="https://www.puppyone.ai/en/integrations/notion" rel="noopener noreferrer"&gt;Notion integration&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;(Notice the subtle but important design choice: you’re not building “one more place for humans to store docs.” You’re producing governed snapshots so agents stop hitting raw SaaS APIs directly.)&lt;/p&gt;

&lt;h2&gt;
  
  
  A decision-stage checklist you can hand to security
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Connectors run with least-privilege scopes (and can be revoked quickly)&lt;/li&gt;
&lt;li&gt;Ingestion outputs are &lt;strong&gt;context snapshots&lt;/strong&gt; with IDs, versions, and “as-of” timestamps&lt;/li&gt;
&lt;li&gt;Each snapshot has a permission envelope (identity → allowed tools + paths)&lt;/li&gt;
&lt;li&gt;Deletes and permission revocations propagate (tombstones are fine; retrievable content is not)&lt;/li&gt;
&lt;li&gt;Retrieval enforces authorization again at query time (fail closed)&lt;/li&gt;
&lt;li&gt;Sensitive-data filtering/redaction is in the pipeline&lt;/li&gt;
&lt;li&gt;Audit logs exist for ingestion events and retrieval events&lt;/li&gt;
&lt;li&gt;You can diff two snapshots and explain changes&lt;/li&gt;
&lt;li&gt;You can roll back bad writes or bad sync batches&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Next steps
&lt;/h2&gt;

&lt;p&gt;If you’re implementing this now, start by writing down your snapshot contract: &lt;strong&gt;what gets mirrored, how it’s normalized, what the “as-of” guarantee is, and how revocation works&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;Once that contract is explicit, the tool choice becomes much easier.&lt;/p&gt;

&lt;p&gt;If you want a concrete implementation example, &lt;a href="https://www.puppyone.ai/en" rel="noopener noreferrer"&gt;puppyone&lt;/a&gt; is one way to build a governed context workspace that keeps permissions and version history attached to the files agents read and write.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>productivity</category>
    </item>
    <item>
      <title>Beyond Claude for Excel: The Real Office AI Agent Stack for 2026</title>
      <dc:creator>Herbert</dc:creator>
      <pubDate>Sun, 10 May 2026 14:53:12 +0000</pubDate>
      <link>https://dev.to/herbert26/beyond-claude-for-excel-the-real-office-ai-agent-stack-for-2026-1lij</link>
      <guid>https://dev.to/herbert26/beyond-claude-for-excel-the-real-office-ai-agent-stack-for-2026-1lij</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;TL;DR:&lt;/strong&gt; For 2026 office productivity, don’t pick “the best Excel assistant.” Pick the stack that matches your workflow: in-app agents for single-tool tasks, MCP + connectors for cross-tool work, and a governed file workspace with scoped access + version history when multiple agents must collaborate safely.&lt;/p&gt;
&lt;/blockquote&gt;




&lt;p&gt;Claude inside Excel is real now. On May 7, Anthropic moved Claude for Excel (plus Word and PowerPoint) into general availability for paid plans—an explicit bet that “AI in Office” will be experienced as a sidebar where work already happens (&lt;a href="https://support.claude.com/en/articles/12650343-use-claude-for-excel" rel="noopener noreferrer"&gt;Anthropic’s “Use Claude for Excel” (2026)&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;If you live in spreadsheets all day, that’s not a small upgrade.&lt;/p&gt;

&lt;p&gt;But here’s the uncomfortable question: do knowledge workers actually live in Excel?&lt;/p&gt;

&lt;p&gt;Most don’t. They live in &lt;em&gt;the gaps between tools&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;Microsoft’s own telemetry-based research describes a day where employees are interrupted every two minutes and nearly half report that work feels “chaotic and fragmented” (see Microsoft’s “Breaking down the infinite workday”, 2025). That’s not an Excel problem. It’s a context problem.&lt;/p&gt;

&lt;p&gt;So the real question for 2026 isn’t “Which assistant should we put in Excel?” It’s:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;How do we let an agent work across email, docs, chat, tickets, and spreadsheets &lt;em&gt;without&lt;/em&gt; turning your security model into a pile of OAuth tokens?&lt;/li&gt;
&lt;li&gt;How do we keep multi-agent automation from becoming a token-heavy, non-auditable mess?&lt;/li&gt;
&lt;li&gt;And how do we make it reversible when an agent writes the wrong thing?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This post is a decision-stage guide to the office × agent stack—how to get to real &lt;strong&gt;AI agent office productivity&lt;/strong&gt; across the messy multi-app reality. Not a tool roundup. A practical model you can use to choose what to adopt next.&lt;/p&gt;




&lt;h2&gt;
  
  
  1) The single-app agent dream meets a multi-app reality
&lt;/h2&gt;

&lt;p&gt;Claude for Excel is the cleanest version of the “agent inside your tool” story: minimal setup, immediate utility, and UX that feels native.&lt;/p&gt;

&lt;p&gt;That story resonates because it’s tangible. You can point at a cell, ask for a formula, generate a chart, rewrite a table, and move on.&lt;/p&gt;

&lt;p&gt;The problem is that the real work rarely starts and ends inside one app.&lt;/p&gt;

&lt;p&gt;Microsoft’s Work Trend Index research says people are interrupted every two minutes by meetings, email, or notifications—work isn’t a single uninterrupted session in a single canvas. It’s a sequence of small moves across systems (see Microsoft’s “Breaking down the infinite workday”, 2025).&lt;/p&gt;

&lt;p&gt;That’s the tension:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Single-app agents&lt;/strong&gt; assume the context is inside the tool.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Knowledge work&lt;/strong&gt; assumes the context is distributed across tools.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;In 2026, the winners won’t be the agents that write the cleanest spreadsheet formulas.&lt;/p&gt;

&lt;p&gt;They’ll be the stacks that make &lt;em&gt;context transportable, scoped, and auditable&lt;/em&gt;.&lt;/p&gt;




&lt;h2&gt;
  
  
  2) The productivity reality check: what “a day of work” actually looks like
&lt;/h2&gt;

&lt;p&gt;Here’s a realistic path for a knowledge worker doing “simple” work—say: turning a customer request into a decision and a deliverable.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;A customer email arrives with requirements and constraints.&lt;/li&gt;
&lt;li&gt;A Notion page is created for the brief.&lt;/li&gt;
&lt;li&gt;A Slack thread aligns stakeholders and surfaces “one more thing.”&lt;/li&gt;
&lt;li&gt;A Google Sheet or Excel model is updated.&lt;/li&gt;
&lt;li&gt;A Google Doc becomes the narrative draft.&lt;/li&gt;
&lt;li&gt;A Linear/Jira ticket turns the decision into execution.&lt;/li&gt;
&lt;li&gt;A follow-up email closes the loop.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Each step forces a context reconstruction:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;What did the customer &lt;em&gt;really&lt;/em&gt; ask for?&lt;/li&gt;
&lt;li&gt;What did internal stakeholders agree to?&lt;/li&gt;
&lt;li&gt;Which numbers are the &lt;em&gt;current&lt;/em&gt; numbers?&lt;/li&gt;
&lt;li&gt;Which doc is the canonical source of truth?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Embedding an agent inside a single tool solves one segment of that flow. It does &lt;strong&gt;not&lt;/strong&gt; solve the flow.&lt;/p&gt;

&lt;p&gt;This is why context engineering exists.&lt;/p&gt;

&lt;p&gt;Anthropic’s engineering team is explicit: context is finite, and “treating context as a precious, finite resource” is central to building reliable agents (&lt;a href="https://www.anthropic.com/engineering/effective-context-engineering-for-ai-agents" rel="noopener noreferrer"&gt;Anthropic’s “Effective context engineering for AI agents” (2025)&lt;/a&gt;). Their cookbook goes further: long-running agent systems need compaction, clearing, and memory to avoid context rot and token bloat (&lt;a href="https://platform.claude.com/cookbook/tool-use-context-engineering-context-engineering-tools" rel="noopener noreferrer"&gt;Claude cookbook on memory, compaction, and tool clearing (2026)&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;If your work is multi-app, your agent system is forced into one of three patterns.&lt;/p&gt;




&lt;h2&gt;
  
  
  3) Three patterns we see in 2026 (and where each breaks)
&lt;/h2&gt;

&lt;p&gt;Most “office × agent” stacks collapse into one of these.&lt;/p&gt;

&lt;h3&gt;
  
  
  Pattern A: Single-app agent
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Examples:&lt;/strong&gt; Claude for Excel, Microsoft 365 Copilot, Gemini in Google Workspace.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Strength:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Deep embed and smooth UX inside the app.&lt;/li&gt;
&lt;li&gt;High reliability for narrow tasks (write a formula, summarize a doc, draft an email).&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Limitation:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;The agent only sees what the host app can see.&lt;/li&gt;
&lt;li&gt;Cross-app workflows become manual copy/paste, or brittle integrations.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If your workflow is mostly inside one tool, Pattern A is enough.&lt;/p&gt;

&lt;p&gt;If your workflow spans five tools per task, Pattern A is a local optimization.&lt;/p&gt;

&lt;h3&gt;
  
  
  Pattern B: Multi-app agent via MCP + connectors (Claude for Excel alternatives when you need cross-app work)
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Examples:&lt;/strong&gt; Claude Code or Cursor wired into 7–10 MCP servers; a custom agent that can call Slack, Gmail, Notion, Sheets, Linear.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Strength:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Real cross-app capability: can pull a thread from Slack, extract an email, update a doc, open a ticket.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Limitation:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;MCP token efficiency becomes the tax.&lt;/strong&gt; Tool calls pull back large payloads (docs, threads, tables). If you don’t aggressively manage tool outputs, you pay for context you don’t need.&lt;/li&gt;
&lt;li&gt;Security becomes “every connector has its own permissions story.”&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Anthropic’s own framing of MCP is essentially an integration-scaling argument: models are “trapped behind information silos,” and every new data source historically needed custom work (see Anthropic’s Model Context Protocol announcement, 2024).&lt;/p&gt;

&lt;p&gt;Pattern B is powerful, but it’s easy to end up with “agent sprawl”: lots of integrations, unclear boundaries, and limited auditability.&lt;/p&gt;

&lt;h3&gt;
  
  
  Pattern C: Shared file workspace + scoped agents
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Example:&lt;/strong&gt; puppyone.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Strength:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Multiple agents can collaborate on the same artifacts &lt;em&gt;without&lt;/em&gt; sharing everything.&lt;/li&gt;
&lt;li&gt;Per-agent access scoping is first-class: you can define what each agent can read, write, or never see.&lt;/li&gt;
&lt;li&gt;Git-versioned agent context makes every write diffable and reversible.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Limitation:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Requires upfront wiring: you have to decide what becomes files, what paths exist, and which agents touch them.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you’re operating at the level of “a single assistant in a single app,” Pattern C may be overkill.&lt;/p&gt;

&lt;p&gt;If you’re operating at the level of “agents that touch customer data, price tables, and internal policy docs,” Pattern C is the difference between a demo and a deployable system.&lt;/p&gt;




&lt;h2&gt;
  
  
  4) What knowledge workers actually need (three real scenarios)
&lt;/h2&gt;

&lt;p&gt;If you want an office AI agent stack that works in production, it has to survive three properties of real work:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Inputs come from multiple SaaS tools.&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Not every agent should see every artifact.&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Outputs must be reviewable and reversible.&lt;/strong&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Let’s make that concrete.&lt;/p&gt;

&lt;h3&gt;
  
  
  Scenario 1: Customer brief automation (Notion agent integration + Slack agent integration + Gmail agent integration)
&lt;/h3&gt;

&lt;p&gt;Flow:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Gmail agent integration pulls the customer request.&lt;/li&gt;
&lt;li&gt;Notion agent integration creates the brief.&lt;/li&gt;
&lt;li&gt;Sheets/Excel is updated with assumptions.&lt;/li&gt;
&lt;li&gt;A Google Doc is drafted.&lt;/li&gt;
&lt;li&gt;Slack agent integration posts a summary for alignment.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Hidden requirement: &lt;strong&gt;per-agent access scoping.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Sales ops might be allowed to write into a “customer brief” folder but must not see internal pricing logic. Legal might be read-only on policy. The drafting agent shouldn’t see the entire Slack workspace.&lt;/p&gt;

&lt;p&gt;If your stack can’t model read/write boundaries as an explicit object, you’re relying on “please don’t” security.&lt;/p&gt;

&lt;h3&gt;
  
  
  Scenario 2: Weekly exec reporting
&lt;/h3&gt;

&lt;p&gt;Inputs:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Linear/Jira tickets&lt;/li&gt;
&lt;li&gt;Slack channel summaries&lt;/li&gt;
&lt;li&gt;GitHub PR activity&lt;/li&gt;
&lt;li&gt;KPI sheets&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Output:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;a deck&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Hidden requirement: &lt;strong&gt;multi-agent collaboration plus artifact traceability.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;In practice you want multiple agents:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;one pulls raw signals&lt;/li&gt;
&lt;li&gt;one summarizes&lt;/li&gt;
&lt;li&gt;one formats&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The system needs a shared workspace for intermediate artifacts, because “final deck only” is not debuggable.&lt;/p&gt;

&lt;p&gt;This is also where token discipline becomes real. If your summarizer agent is reloading the full Slack history and the full KPI sheet every run, you’ll feel it—cost, latency, and degraded recall.&lt;/p&gt;

&lt;h3&gt;
  
  
  Scenario 3: Sales RFP response
&lt;/h3&gt;

&lt;p&gt;Flow:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;An RFP arrives in Gmail.&lt;/li&gt;
&lt;li&gt;Past RFPs live in Notion.&lt;/li&gt;
&lt;li&gt;Pricing tables live in Sheets.&lt;/li&gt;
&lt;li&gt;The deliverable is a Word doc.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Hidden requirement: &lt;strong&gt;scoped write paths.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;You often want:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;read-only access to the past RFP library&lt;/li&gt;
&lt;li&gt;write-only access to a new “current RFP” folder&lt;/li&gt;
&lt;li&gt;and a clean audit trail of who/what generated each paragraph&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you can’t answer “which agent wrote this clause and when,” you don’t have an enterprise-ready workflow.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key Takeaway&lt;/strong&gt;: In 2026, the hardest part of office automation isn’t generating text. It’s governing multi-source context and multi-agent writes.&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h2&gt;
  
  
  5) Why a file workspace beats a vector DB or a plugin
&lt;/h2&gt;

&lt;p&gt;Most “knowledge work output” is still files:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;docs&lt;/li&gt;
&lt;li&gt;sheets&lt;/li&gt;
&lt;li&gt;slides&lt;/li&gt;
&lt;li&gt;markdown&lt;/li&gt;
&lt;li&gt;CSVs&lt;/li&gt;
&lt;li&gt;contracts&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A plugin lives inside a host app. A vector DB lives inside a retrieval system.&lt;/p&gt;

&lt;p&gt;Neither is a shared, reviewable execution surface.&lt;/p&gt;

&lt;p&gt;A file workspace has three advantages that map directly to real adoption blockers:&lt;/p&gt;

&lt;h3&gt;
  
  
  1) Files are native to how teams review work
&lt;/h3&gt;

&lt;p&gt;Teams already have muscle memory for:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;diff&lt;/li&gt;
&lt;li&gt;review&lt;/li&gt;
&lt;li&gt;approve&lt;/li&gt;
&lt;li&gt;revert&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;That’s not a nice-to-have. It’s how you earn trust.&lt;/p&gt;

&lt;h3&gt;
  
  
  2) LLMs are naturally good at “file operations”
&lt;/h3&gt;

&lt;p&gt;Even with new retrieval techniques, a lot of agent work is still:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;list what exists&lt;/li&gt;
&lt;li&gt;read a file&lt;/li&gt;
&lt;li&gt;grep for a clause&lt;/li&gt;
&lt;li&gt;rewrite a section&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This is simpler and more explainable than “why did the vector DB retrieve this chunk?” when the stakes are high.&lt;/p&gt;

&lt;h3&gt;
  
  
  3) Versioning and audit logs turn agent writes into something you can ship
&lt;/h3&gt;

&lt;p&gt;If an agent can write, it can make mistakes.&lt;/p&gt;

&lt;p&gt;The correct response isn’t “don’t let agents write.” It’s “make writes safe.” That requires:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Git-versioned agent context&lt;/li&gt;
&lt;li&gt;audit logs&lt;/li&gt;
&lt;li&gt;rollback&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you want a deeper argument for this, see &lt;a href="https://www.puppyone.ai/en/blog/why-agents-need-a-workspace-not-another-filesystem-trick" rel="noopener noreferrer"&gt;why agents need a workspace, not another filesystem trick&lt;/a&gt;.&lt;/p&gt;




&lt;h2&gt;
  
  
  6) How puppyone fits into the Office × agent stack
&lt;/h2&gt;

&lt;p&gt;puppyone isn’t “another assistant.” It’s the layer that makes Pattern B and Pattern C behave like a system.&lt;/p&gt;

&lt;h3&gt;
  
  
  Connect: turn SaaS context into files
&lt;/h3&gt;

&lt;p&gt;Instead of building one-off pipelines per tool, puppyone’s model is:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;connect sources (Notion, Slack, Gmail, Sheets/Drive, databases, GitHub, Linear/Jira, Airtable, and more)&lt;/li&gt;
&lt;li&gt;sync into a unified file workspace&lt;/li&gt;
&lt;li&gt;expose those files through the interfaces agents already use (Bash, MCP, API, CLI)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This is a direct response to the MCP problem statement: data is scattered, integrations don’t scale, and context transport is the bottleneck.&lt;/p&gt;

&lt;h3&gt;
  
  
  Scope: give each agent an Access Point with explicit boundaries
&lt;/h3&gt;

&lt;p&gt;The core governance primitive is: &lt;strong&gt;each agent gets an Access Point&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;That Access Point defines:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;what the agent can read&lt;/li&gt;
&lt;li&gt;what the agent can write&lt;/li&gt;
&lt;li&gt;what the agent must never see&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A concrete example:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Claude can be read-only on &lt;code&gt;/research/*&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;an automation workflow agent can read/write &lt;code&gt;/sales-ops/*&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;a dev agent can have broader access on &lt;code&gt;/code/*&lt;/code&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The value here isn’t theoretical security. It’s operational clarity.&lt;/p&gt;

&lt;p&gt;When a workflow fails, you can ask: did the agent have the right inputs? Did it write to the right place? What changed?&lt;/p&gt;

&lt;h3&gt;
  
  
  Version: Git-style history for every write
&lt;/h3&gt;

&lt;p&gt;If you’re deploying agents, you’re deploying a write-capable system.&lt;/p&gt;

&lt;p&gt;puppyone’s version model treats every agent write like a commit:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;diffs&lt;/li&gt;
&lt;li&gt;history&lt;/li&gt;
&lt;li&gt;rollback&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;That turns “agent output” into “reviewable change.”&lt;/p&gt;

&lt;p&gt;If you want the full positioning story, see &lt;a href="https://www.puppyone.ai/en/blog/introducing-puppyone-the-github-for-your-agents-context" rel="noopener noreferrer"&gt;introducing puppyone: the GitHub for your agents’ context&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;And if you want the wiring details for engineers, see the &lt;a href="https://www.puppyone.ai/en/blog/puppyone-openclaw-integration-playbook-for-engineers" rel="noopener noreferrer"&gt;puppyone OpenClaw integration playbook&lt;/a&gt;.&lt;/p&gt;




&lt;h2&gt;
  
  
  7) The 2026 Office × agent decision matrix (Microsoft 365 Copilot vs agent workspace, and beyond)
&lt;/h2&gt;

&lt;p&gt;Use this as a quick selection guide. If you’re explicitly looking for a &lt;strong&gt;multi-agent productivity stack 2026&lt;/strong&gt;, this table is the shortest path to a stack that matches your governance requirements.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Your scenario&lt;/th&gt;
&lt;th&gt;Recommended stack&lt;/th&gt;
&lt;th&gt;Why it fits&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Single-tool tasks (write a formula, summarize a doc, rewrite a slide)&lt;/td&gt;
&lt;td&gt;Native plugin / in-app agent (Claude for Excel, Copilot, Gemini; Google Workspace AI agent integration for Docs/Sheets)&lt;/td&gt;
&lt;td&gt;Lowest friction, highest UX depth&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Multi-tool workflows + one agent&lt;/td&gt;
&lt;td&gt;Claude Code / Cursor + MCP servers&lt;/td&gt;
&lt;td&gt;Cross-app reach without building a full context layer&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Multi-tool workflows + multi-agent + governance needs&lt;/td&gt;
&lt;td&gt;puppyone file workspace + scoped agents via Access Points&lt;/td&gt;
&lt;td&gt;Per-agent scoping, auditability, Git-versioned writes&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Higher compliance + data residency constraints&lt;/td&gt;
&lt;td&gt;puppyone self-hosted / VPC + scoped access + audit logs&lt;/td&gt;
&lt;td&gt;Control over storage, permissions, and traceability&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;If you’re still mapping the broader market, the “patterns that won/lost” lens is useful context: &lt;a href="https://www.puppyone.ai/en/blog/state-of-enterprise-ai-agents-patterns-won-lost" rel="noopener noreferrer"&gt;state of enterprise AI agents: patterns won/lost&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;And if you’re building developer-first agent systems, this can help you place Pattern B in the landscape: &lt;a href="https://www.puppyone.ai/en/blog/best-autonomous-ai-agents-for-developers" rel="noopener noreferrer"&gt;best autonomous AI agents for developers&lt;/a&gt;.&lt;/p&gt;




&lt;h2&gt;
  
  
  8) Key takeaways + next steps
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Key takeaways
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;AI in Office isn’t solved by putting one agent in one app.&lt;/strong&gt; The bottleneck is cross-tool context.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Pattern A (single-app agents) is the right answer for narrow tasks.&lt;/strong&gt; Don’t over-engineer.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Pattern B (MCP multi-app agents) unlocks real workflows, but MCP token efficiency and permission sprawl become the tax.&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Pattern C (shared file workspace + scoped agents) is what turns multi-agent automation into something you can govern, diff, and roll back.&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  FAQ
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;How do you connect Claude to Excel, Notion, and Slack at the same time?&lt;/strong&gt; You need a multi-app agent setup: either a tool-calling agent wired to each system (via MCP servers or APIs), or a shared file workspace that syncs those systems into agent-readable files and enforces scoped access. The second approach tends to be easier to govern because the agent reads and writes to explicit paths.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Is Claude for Excel enough for enterprise productivity?&lt;/strong&gt; It’s enough for Excel-centric tasks. It usually isn’t enough for end-to-end workflows that require email, chat, docs, and ticketing context with auditability and rollback. Those workflows fail on context transport and permission boundaries—not spreadsheet UX.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What comes after Microsoft 365 Copilot?&lt;/strong&gt; For teams running multi-system workflows, the next layer is an “agent workspace”: a shared context surface where multiple agents can collaborate with &lt;strong&gt;per-agent access scoping&lt;/strong&gt; and versioned outputs. Copilot remains valuable inside Microsoft 365; the workspace layer is what connects Microsoft 365 to the rest of your stack.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What’s the best AI agent stack for office productivity in 2026?&lt;/strong&gt; There isn’t one universal stack. A practical default is: in-app agents for single-tool tasks, MCP-based agents for cross-tool tasks, and an &lt;strong&gt;AI agent file workspace&lt;/strong&gt; with per-agent access scoping and Git-versioned agent context when you need multi-agent collaboration and governance.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>claude</category>
      <category>productivity</category>
    </item>
    <item>
      <title>The Best Autonomous AI Agents for Developers in 2026: OpenClaw vs Manus, Devin &amp; Hermes Compared</title>
      <dc:creator>Herbert</dc:creator>
      <pubDate>Fri, 08 May 2026 13:30:00 +0000</pubDate>
      <link>https://dev.to/herbert26/the-best-autonomous-ai-agents-for-developers-in-2026-openclaw-vs-manus-devin-hermes-compared-551k</link>
      <guid>https://dev.to/herbert26/the-best-autonomous-ai-agents-for-developers-in-2026-openclaw-vs-manus-devin-hermes-compared-551k</guid>
      <description>&lt;p&gt;If you’re evaluating OpenClaw, Manus, Devin, and Hermes Agent, you’re already in that reality. This guide is a criteria-first comparison to help you shortlist without getting pulled into hype.&lt;/p&gt;

&lt;h2&gt;
  
  
  Industry background: autonomy is easy; operations are hard
&lt;/h2&gt;

&lt;p&gt;If you’ve been watching the space, the pattern is consistent: agents get more capable, and the bottleneck shifts to governance, shared context, and safe collaboration.&lt;/p&gt;

&lt;p&gt;That “ops layer” is why many teams are now investing in controlled context and traceability (not just better prompts). For a broader view of what’s working (and failing) in enterprise agent deployments, see puppyone’s industry roundup on &lt;a href="https://www.puppyone.ai/en/blog/state-of-enterprise-ai-agents-patterns-won-lost" rel="noopener noreferrer"&gt;enterprise AI agent patterns teams are winning and losing with&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  What we mean by “autonomous agent” in this guide
&lt;/h2&gt;

&lt;p&gt;A lot of products in this space blur together. Here’s the boundary this article uses:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Autonomous agent (this guide):&lt;/strong&gt; can take a goal, plan multi-step work, use tools (browser, shell, files), and deliver an artifact (PR, report, dataset) with limited back-and-forth.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Agent framework:&lt;/strong&gt; helps you &lt;em&gt;build&lt;/em&gt; agents (LangGraph, AutoGen, CrewAI, etc.). Frameworks matter, but they’re a separate comparison.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;IDE copilot:&lt;/strong&gt; improves your throughput inside an editor, but usually doesn’t own an end-to-end loop.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This distinction matters because the evaluation criteria are different.&lt;/p&gt;

&lt;h2&gt;
  
  
  Evaluation framework for autonomous AI agents for developers (2026)
&lt;/h2&gt;

&lt;p&gt;Most comparisons focus on “what the agent can do.” That’s table stakes.&lt;/p&gt;

&lt;p&gt;A better filter is: &lt;strong&gt;how you control it when it &lt;em&gt;can&lt;/em&gt; do a lot.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;This is also where teams end up caring about &lt;em&gt;enterprise AI agent governance&lt;/em&gt; even if they start with a developer productivity use case.&lt;/p&gt;

&lt;h3&gt;
  
  
  The criteria
&lt;/h3&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Autonomy model&lt;/strong&gt;: does it run end-to-end, or does it require constant steering?&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Execution surface&lt;/strong&gt;: browser/shell/files? sandboxed VM? local machine?&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Governance primitives&lt;/strong&gt;: can you scope access, review changes, and audit actions?&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Integration footprint&lt;/strong&gt;: can it live where your team already works (chat, GitHub, CLI)?&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Operational overhead&lt;/strong&gt;: setup time, ongoing maintenance, cost controls.&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;
  
  
  Quick picks (high-level)
&lt;/h3&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;If you need…&lt;/th&gt;
&lt;th&gt;Start here&lt;/th&gt;
&lt;th&gt;Why&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Self-hosted, multi-channel agent presence&lt;/td&gt;
&lt;td&gt;OpenClaw&lt;/td&gt;
&lt;td&gt;Gateway model + broad channel support via official docs&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;A cloud “digital worker” that runs in a sandbox&lt;/td&gt;
&lt;td&gt;Manus&lt;/td&gt;
&lt;td&gt;Emphasis on sandboxed VM + skills and tool execution&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;An agent that acts like a software engineer teammate&lt;/td&gt;
&lt;td&gt;Devin&lt;/td&gt;
&lt;td&gt;Framed as end-to-end engineering with dev tools&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;A persistent agent that improves via skills/memory&lt;/td&gt;
&lt;td&gt;Hermes Agent&lt;/td&gt;
&lt;td&gt;Built around a learning loop and skill creation&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Use this table as a &lt;em&gt;starting&lt;/em&gt; point, not a final decision.&lt;/p&gt;

&lt;h2&gt;
  
  
  OpenClaw: strong for self-hosted, multi-channel automation
&lt;/h2&gt;

&lt;p&gt;OpenClaw’s cleanest pitch is also its most operationally relevant: &lt;strong&gt;run one self-hosted AI agent framework gateway and talk to your agent from the tools you already use.&lt;/strong&gt; The official &lt;a href="https://docs.openclaw.ai" rel="noopener noreferrer"&gt;OpenClaw documentation&lt;/a&gt; frames it around a Gateway process, multiple channels, and “skills” that let the agent act instead of just respond.&lt;/p&gt;

&lt;p&gt;If you’re considering OpenClaw for a team, treat it like a system, not an app. You’re not just choosing an agent—you’re choosing an &lt;em&gt;execution perimeter&lt;/em&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  Where OpenClaw tends to fit
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;You want &lt;strong&gt;self-hosting&lt;/strong&gt; because data control matters.&lt;/li&gt;
&lt;li&gt;You value &lt;strong&gt;multi-channel access&lt;/strong&gt; (chat + web UI + possibly mobile nodes) more than a tightly curated enterprise surface.&lt;/li&gt;
&lt;li&gt;You’re comfortable treating configuration and skill selection as part of engineering work.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Governance reality check (and why it’s not optional)
&lt;/h3&gt;

&lt;p&gt;A powerful skill ecosystem is also an attack surface.&lt;/p&gt;

&lt;p&gt;If OpenClaw is on your shortlist, it’s worth reading a deeper governance-oriented walkthrough rather than stopping at setup docs. Start with puppyone’s &lt;a href="https://www.puppyone.ai/en/blog/ultimate-guide-openclaw-enterprise-governance" rel="noopener noreferrer"&gt;ultimate guide to OpenClaw enterprise governance&lt;/a&gt; to frame what “safe enough” looks like in practice.&lt;/p&gt;

&lt;h2&gt;
  
  
  Manus: cloud autonomy with a sandboxed execution model
&lt;/h2&gt;

&lt;p&gt;Manus is positioned as a general-purpose autonomous agent that bridges “thinking” and “doing,” and—importantly—executes workflows in an isolated environment.&lt;/p&gt;

&lt;p&gt;One practical window into how Manus thinks about reliability is its Skills approach. In &lt;a href="https://manus.im/blog/manus-skills" rel="noopener noreferrer"&gt;Manus’s post on the Skills standard&lt;/a&gt;, Manus describes skills as reusable workflow modules with progressive disclosure (metadata → instructions → resources) and describes execution in a sandboxed Ubuntu environment with shell and file access.&lt;/p&gt;

&lt;h3&gt;
  
  
  Where Manus tends to fit
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;You want a &lt;strong&gt;cloud “digital worker”&lt;/strong&gt; that can run longer tasks asynchronously.&lt;/li&gt;
&lt;li&gt;Your use cases are mixed: research, data processing, report generation, light engineering.&lt;/li&gt;
&lt;li&gt;You’re comfortable with a platform model, as long as execution and skill behavior are understandable.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  The trade-off to watch
&lt;/h3&gt;

&lt;p&gt;The more general the agent, the more you need to control:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;what data it can touch,&lt;/li&gt;
&lt;li&gt;what tools it can run,&lt;/li&gt;
&lt;li&gt;and what outputs count as “done.”&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you can’t audit that, you don’t have autonomy—you have risk.&lt;/p&gt;

&lt;h2&gt;
  
  
  Devin: the “AI software engineer” category leader (with real governance questions)
&lt;/h2&gt;

&lt;p&gt;Devin’s positioning is unusually crisp: Cognition calls it an &lt;strong&gt;AI software engineer agent&lt;/strong&gt; that can plan and execute complex tasks, using dev tools like a shell, code editor, and browser in a sandboxed environment. That framing is explicit in &lt;a href="https://cognition.ai/blog/introducing-devin" rel="noopener noreferrer"&gt;Cognition’s introduction of Devin&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  Where Devin tends to fit
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;You want an agent that can &lt;strong&gt;own engineering tasks end-to-end&lt;/strong&gt; (with you reviewing the work).&lt;/li&gt;
&lt;li&gt;You care more about &lt;strong&gt;repo-level outcomes&lt;/strong&gt; (PRs, bug fixes) than about being present across chat channels.&lt;/li&gt;
&lt;li&gt;You’re willing to treat it as a teammate that needs oversight, not a deterministic build step.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Security posture (what Cognition claims)
&lt;/h3&gt;

&lt;p&gt;Cognition provides a more enterprise-oriented security story than most agent products. In &lt;a href="https://docs.devin.ai/admin/security" rel="noopener noreferrer"&gt;Devin’s security documentation&lt;/a&gt;, Cognition describes controls and claims including encryption, integration-scoped permissions (e.g., selecting GitHub repos), SOC 2 Type II, and a “Secrets” feature for sharing credentials.&lt;/p&gt;

&lt;p&gt;That’s useful—but it doesn’t remove your need for governance at the workflow level: you still need to know what changed, why, and how to revert it.&lt;/p&gt;

&lt;h2&gt;
  
  
  Hermes Agent: self-improving, skill-centric persistence
&lt;/h2&gt;

&lt;p&gt;Hermes Agent is easiest to understand as a bet on &lt;strong&gt;long-lived capability&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;In the official &lt;a href="https://github.com/NousResearch/hermes-agent" rel="noopener noreferrer"&gt;Hermes Agent GitHub repository&lt;/a&gt;, Nous Research describes a built-in learning loop that creates skills from experience, improves them during use, and builds persistent memory and user modeling across sessions. It’s also explicitly model-agnostic and designed to run in a wide range of environments.&lt;/p&gt;

&lt;h3&gt;
  
  
  Where Hermes Agent tends to fit
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;You want an agent that &lt;strong&gt;gets better at your recurring workflows&lt;/strong&gt;.&lt;/li&gt;
&lt;li&gt;You want skills as artifacts (something you can review, share, and refine), not just prompt history.&lt;/li&gt;
&lt;li&gt;You’re okay investing in setup so the system compounds over time.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  The core trade-off
&lt;/h3&gt;

&lt;p&gt;Hermes Agent optimizes for persistence and learning.&lt;/p&gt;

&lt;p&gt;That can be a strength—if you can govern what the agent learns, where it stores it, and how that knowledge is shared across projects and users.&lt;/p&gt;

&lt;h2&gt;
  
  
  The governance reality check: CVEs aren’t the main problem
&lt;/h2&gt;

&lt;p&gt;Teams often over-focus on the “headline risk” (a CVE, a prompt injection, an exploit).&lt;/p&gt;

&lt;p&gt;Those matter, but the recurring operational failures are more mundane:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;an agent writes to the wrong system,&lt;/li&gt;
&lt;li&gt;changes a config without leaving a trail,&lt;/li&gt;
&lt;li&gt;or “fixes” a bug by hiding symptoms.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;To reduce that, you need basic governance primitives:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Scoped access&lt;/strong&gt;: least privilege for data sources and tools.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Audit logs&lt;/strong&gt;: who/what changed what, and when.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Version control + rollback&lt;/strong&gt;: the ability to revert an agent’s changes quickly.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you’re building or buying agents for real workflows, puppyone’s security-focused guide is a good starting point: &lt;a href="https://www.puppyone.ai/en/blog/how-to-secure-ai-agents-openclaw-permissions-audit" rel="noopener noreferrer"&gt;how to secure AI agents with permissions and auditability&lt;/a&gt;.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key Takeaway&lt;/strong&gt;: In 2026, “autonomous” is less about capability and more about controllable execution.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Choosing your stack: combine an agent with a governed context layer
&lt;/h2&gt;

&lt;p&gt;A practical way to think about these products is to separate two layers:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;The agent runtime&lt;/strong&gt; (OpenClaw, Manus, Devin, Hermes): planning + tool use + execution.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;The context and governance layer&lt;/strong&gt;: what the agent can read/write, how changes are tracked, and how multiple agents collaborate safely.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;That second layer is where many teams get stuck—especially once multiple agents are running against shared documents, tickets, and code.&lt;/p&gt;

&lt;p&gt;If you’re evaluating OpenClaw in particular and want an engineering-first view of how to connect a governed context layer into agent workflows, use puppyone’s &lt;a href="https://www.puppyone.ai/en/blog/puppyone-openclaw-integration-playbook-for-engineers" rel="noopener noreferrer"&gt;OpenClaw integration playbook for engineers&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Key takeaways
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Pick agents by &lt;strong&gt;execution perimeter and control model&lt;/strong&gt;, not by demos.&lt;/li&gt;
&lt;li&gt;OpenClaw is compelling when self-hosted, multi-channel access is the priority.&lt;/li&gt;
&lt;li&gt;Manus emphasizes sandboxed execution and skill reuse for broad “digital worker” tasks.&lt;/li&gt;
&lt;li&gt;Devin is the clearest “AI software engineer” bet, but still requires workflow-level governance.&lt;/li&gt;
&lt;li&gt;Hermes Agent is built for persistence and learning, which is powerful if you can manage what it learns and where it writes.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Next steps
&lt;/h2&gt;

&lt;p&gt;If you want a &lt;em&gt;framework&lt;/em&gt; comparison (LangGraph vs AutoGen vs CrewAI, etc.) rather than an agent product roundup, see puppyone’s guide to &lt;a href="https://www.puppyone.ai/en/blog/the-best-llm-agent-frameworks-for-developers-in-2026" rel="noopener noreferrer"&gt;the best LLM agent frameworks for developers in 2026&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>agents</category>
    </item>
    <item>
      <title>From Isolated Team Agents to an Enterprise Agent Harness</title>
      <dc:creator>Herbert</dc:creator>
      <pubDate>Mon, 04 May 2026 14:17:00 +0000</pubDate>
      <link>https://dev.to/herbert26/from-isolated-team-agents-to-an-enterprise-agent-harness-48mg</link>
      <guid>https://dev.to/herbert26/from-isolated-team-agents-to-an-enterprise-agent-harness-48mg</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;TL;DR&lt;/strong&gt;: An enterprise agent harness is the governed operating layer for many agents—centralized context, scoped permissions, audit logs, and rollback. You need it once agents can write to real systems and you must answer what they read, changed, and why.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;2026-04-10, 3:07 a.m. — your on-call phone lights up because a "helpful" agent just pushed a change into a shared workspace.&lt;/p&gt;

&lt;p&gt;At first, it's just annoyance: a small edit, a harmless automation (so you tell yourself). Then you open the diff — and realize a runbook got overwritten and the approvals trail is… blank (yes, &lt;em&gt;blank&lt;/em&gt;).&lt;/p&gt;

&lt;p&gt;That's the real failure mode.&lt;/p&gt;

&lt;p&gt;Most teams don't "fail at agents" because the model is weak.&lt;/p&gt;

&lt;p&gt;They fail because they scale from &lt;strong&gt;one helpful agent&lt;/strong&gt; to &lt;strong&gt;ten specialized agents&lt;/strong&gt;, each with slightly different tools, permissions, and context sources (you've seen the permission sprawl), and nobody can answer the only questions that matter when something breaks:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;What did the agent read (and from which scope)?&lt;/li&gt;
&lt;li&gt;What did it change (show me the diff)?&lt;/li&gt;
&lt;li&gt;Who allowed it to do that (which policy, which identity)?&lt;/li&gt;
&lt;li&gt;Can we roll it back (quickly, not "restore from backup")?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you're a Head/Director/VP of Data/AI in a 200–500 person org, this is the inflection point: you don't need "more agents." You need an &lt;strong&gt;enterprise agent harness&lt;/strong&gt; (a &lt;strong&gt;unified agent harness&lt;/strong&gt;) — a unified operating layer that makes multiple agents governable, debuggable, and safe to run in production (the part your prototypes didn't budget for).&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key Takeaway&lt;/strong&gt;: A unified harness is how you turn isolated team agents into an enterprise capability: one context layer, one policy surface, one audit trail, and a repeatable way to ship agent changes without fear.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  What an enterprise agent harness is (and what it isn't)
&lt;/h2&gt;

&lt;p&gt;An agent harness (sometimes called an orchestration layer) is the software layer that wraps agent reasoning with everything production systems require: context injection, tool execution, state persistence, guardrails, and recovery.&lt;/p&gt;

&lt;p&gt;Security frameworks are converging on the same idea: once systems become more autonomous, you need explicit controls over &lt;em&gt;what they can do&lt;/em&gt;, &lt;em&gt;what they can access&lt;/em&gt;, and &lt;em&gt;how you investigate and remediate mistakes&lt;/em&gt;—not just better prompts. The threat surface is real enough that OWASP has published an agent-specific risk framing in the &lt;a href="https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications-for-2026/" rel="noopener noreferrer"&gt;OWASP Top 10 for Agentic Applications (2026)&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;What a harness is &lt;strong&gt;not&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Not "a bigger prompt" or a monolithic agent that does everything.&lt;/li&gt;
&lt;li&gt;Not just a vector DB.&lt;/li&gt;
&lt;li&gt;Not just an agent framework. Frameworks help you &lt;em&gt;build&lt;/em&gt; agents; a harness helps you &lt;em&gt;operate&lt;/em&gt; them.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The simplest mental model:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Agents&lt;/strong&gt; decide &lt;em&gt;what&lt;/em&gt; to do.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;The harness&lt;/strong&gt; decides &lt;em&gt;whether they're allowed&lt;/em&gt; to do it, &lt;em&gt;how it gets executed&lt;/em&gt;, and &lt;em&gt;how it gets recorded and rolled back&lt;/em&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  The moment you need a unified harness (quick needs assessment)
&lt;/h2&gt;

&lt;p&gt;You probably need a unified agent harness if at least &lt;strong&gt;two&lt;/strong&gt; of the following are true:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;You have &lt;strong&gt;multiple agents&lt;/strong&gt; (or multiple workflows) touching overlapping systems.&lt;/li&gt;
&lt;li&gt;Agents can &lt;strong&gt;write&lt;/strong&gt; anywhere (docs, tickets, code, CRM, ERP, data warehouse)—not just answer questions.&lt;/li&gt;
&lt;li&gt;You've added "temporary" permissions that never got revoked.&lt;/li&gt;
&lt;li&gt;You've had an incident where you couldn't confidently explain what an agent did.&lt;/li&gt;
&lt;li&gt;You're trying to support both &lt;strong&gt;engineering&lt;/strong&gt; and &lt;strong&gt;operations&lt;/strong&gt; stakeholders (common in manufacturing/logistics).&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;If none of those apply, keep it simple. A harness has real cost.&lt;/p&gt;

&lt;p&gt;If they do apply, the "DIY glue phase" becomes your bottleneck: each new agent adds operational risk faster than it adds capability.&lt;/p&gt;

&lt;h2&gt;
  
  
  Buyer's guide: the 6 capabilities that make an enterprise agent harness enterprise-ready
&lt;/h2&gt;

&lt;p&gt;Below is a practical evaluation framework. It's written for teams that need &lt;strong&gt;governed autonomy&lt;/strong&gt; (not science projects).&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Capability&lt;/th&gt;
&lt;th&gt;Why it matters at scale&lt;/th&gt;
&lt;th&gt;What "good" looks like&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Context/memory architecture&lt;/td&gt;
&lt;td&gt;Prevents context drift and brittle prompt spaghetti&lt;/td&gt;
&lt;td&gt;One source of truth + explicit scoping + predictable retrieval&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Scoped access (least privilege)&lt;/td&gt;
&lt;td&gt;Limits blast radius&lt;/td&gt;
&lt;td&gt;Policy defines what each agent can read/write, by path/tool/action (scoped access for AI agents)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Audit logs &amp;amp; traceability&lt;/td&gt;
&lt;td&gt;Makes incidents debuggable&lt;/td&gt;
&lt;td&gt;Every read/write/tool call is logged with identity + timestamp + scope (audit logging for AI agents)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Version control &amp;amp; rollback&lt;/td&gt;
&lt;td&gt;Makes changes reversible&lt;/td&gt;
&lt;td&gt;Diffs, history, and rollback are first-class (not "restore from backup")&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Tool/runtime orchestration&lt;/td&gt;
&lt;td&gt;Converts intent into safe action&lt;/td&gt;
&lt;td&gt;Sandboxing, approvals, deterministic execution, retries, and timeouts&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Integrations/connectors&lt;/td&gt;
&lt;td&gt;Eliminates one-off pipelines&lt;/td&gt;
&lt;td&gt;Connectors are governed, monitored, and consistent across agents&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Now let's go one by one.&lt;/p&gt;

&lt;h3&gt;
  
  
  1) Context and memory: you need a context layer, not ten copies of "truth"
&lt;/h3&gt;

&lt;p&gt;In early prototypes, context is whatever you stuffed into the prompt. That works until:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;different teams summarize the same doc differently,&lt;/li&gt;
&lt;li&gt;different agents pull from different sources,&lt;/li&gt;
&lt;li&gt;and your outputs quietly diverge.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A unified harness needs an explicit &lt;strong&gt;context/memory architecture&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;what content is canonical vs derived,&lt;/li&gt;
&lt;li&gt;how context is structured so agents can reliably read it,&lt;/li&gt;
&lt;li&gt;how freshness is managed,&lt;/li&gt;
&lt;li&gt;and how multiple agents avoid stepping on each other.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For many teams, the most practical approach is to treat context as an &lt;strong&gt;agent-readable file system&lt;/strong&gt; (not just embeddings): stable artifacts in Markdown/JSON plus a few derived indexes.&lt;/p&gt;

&lt;p&gt;That's the idea behind a "context file system" approach—centralize messy enterprise context into predictable, agent-friendly primitives (files, paths, diffs), then govern access to those primitives.&lt;/p&gt;

&lt;p&gt;If you want a concrete example of what that layer can look like, &lt;a href="https://www.puppyone.ai/en/blog/introducing-puppyone-the-github-for-your-agents-context" rel="noopener noreferrer"&gt;a GitHub-style workspace for agents' context&lt;/a&gt; describes a file-shaped approach where context is versioned and shared across multiple agents rather than recomputed per workflow.&lt;/p&gt;

&lt;h3&gt;
  
  
  2) Scoped access: least privilege has to become operational, not aspirational
&lt;/h3&gt;

&lt;p&gt;In a multi-agent environment, broad permissions don't just create security risk—they create debugging risk. When an agent can read "everything," you can't be confident what influenced an answer.&lt;/p&gt;

&lt;p&gt;Major cloud guidance for AI security is blunt about least privilege as a baseline control. Microsoft's guidance explicitly frames least privilege as a way to restrict agent actions and reduce unauthorized access risk in its &lt;a href="https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-v2-artificial-intelligence-security" rel="noopener noreferrer"&gt;AI security benchmark guidance on least privilege&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;In practice, "scoped access" means:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;separate identities per agent (or per workflow),&lt;/li&gt;
&lt;li&gt;explicit allow-lists for tools/actions,&lt;/li&gt;
&lt;li&gt;and data access scoped by &lt;em&gt;paths, objects, or domains&lt;/em&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If your scoping system can't answer "Can this agent write to that folder/table?" deterministically, you don't have scoped access—you have a hope-and-pray model.&lt;/p&gt;

&lt;p&gt;One example of this pattern is policy defined at the file/path level (read/write) with tool-level permissions—see the &lt;a href="https://www.puppyone.ai/doc/en/auth-for-agents/permissions" rel="noopener noreferrer"&gt;scoped access permissions documentation&lt;/a&gt; for a concrete model.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;⚠️ Warning&lt;/strong&gt;: "One shared service account" is a reliability bug disguised as a convenience. It's how you end up with permission sprawl you can't unwind.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h3&gt;
  
  
  3) Audit logs and traceability: if you can't investigate, you can't scale
&lt;/h3&gt;

&lt;p&gt;Decision-stage reality: your agents will make mistakes. The question is whether mistakes are &lt;em&gt;diagnosable and containable&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;Audit logs are the backbone for that.&lt;/p&gt;

&lt;p&gt;Treat agents like production systems: you need to know &lt;strong&gt;who did what, when, and under which authorization&lt;/strong&gt;. That's not only about compliance; it's about shipping safely.&lt;/p&gt;

&lt;p&gt;The enterprise world already solved this problem in adjacent domains:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;In DevOps, traceability links work items to commits/builds/releases to reconstruct "how the work was done." Microsoft describes this explicitly in &lt;a href="https://learn.microsoft.com/en-us/azure/devops/cross-service/end-to-end-traceability?view=azure-devops" rel="noopener noreferrer"&gt;Azure DevOps guidance on end-to-end traceability&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;In auditing, long retention exists for investigations and regulatory obligations; Microsoft notes audit log retention can be extended significantly in &lt;a href="https://learn.microsoft.com/en-us/purview/audit-log-retention-policies" rel="noopener noreferrer"&gt;Microsoft Purview audit log retention policies (up to 10 years)&lt;/a&gt;.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For agents, the analogous minimum audit trail should include:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;the agent identity,&lt;/li&gt;
&lt;li&gt;the inputs retrieved (with scopes),&lt;/li&gt;
&lt;li&gt;tool calls (arguments + results),&lt;/li&gt;
&lt;li&gt;writes (diffs),&lt;/li&gt;
&lt;li&gt;approvals (who approved what),&lt;/li&gt;
&lt;li&gt;and any policy denials.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  4) Version control and rollback: autonomy without reversibility is a trap
&lt;/h3&gt;

&lt;p&gt;The move from "agent answers" to "agent actions" changes everything.&lt;/p&gt;

&lt;p&gt;When agents write:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;SOPs,&lt;/li&gt;
&lt;li&gt;product docs,&lt;/li&gt;
&lt;li&gt;customer-facing knowledge,&lt;/li&gt;
&lt;li&gt;runbooks,&lt;/li&gt;
&lt;li&gt;tickets,&lt;/li&gt;
&lt;li&gt;code,&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;…you need &lt;strong&gt;version history&lt;/strong&gt; and &lt;strong&gt;rollback&lt;/strong&gt; like you need seatbelts.&lt;/p&gt;

&lt;p&gt;Two concrete questions to ask vendors (or your own team) when evaluating this capability:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;em&gt;Is rollback a first-class operation, or a manual restore process?&lt;/em&gt;&lt;/li&gt;
&lt;li&gt;&lt;em&gt;Can you see diffs and attribution (which agent, which workflow, which time window)?&lt;/em&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;This is one area where a context-layer approach that treats writes as versioned artifacts is materially safer. For an example of how versioning/rollback can be designed specifically for multi-agent context (including scoped access and audit trails), see &lt;a href="https://www.puppyone.ai/en/blog/version-control-for-ai-agent-context" rel="noopener noreferrer"&gt;this guide on version control for AI agent context&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  5) Tooling and runtime orchestration: safe action requires a governor
&lt;/h3&gt;

&lt;p&gt;A harness isn't just "tool calling." It's how you turn a model's intent into a controlled execution.&lt;/p&gt;

&lt;p&gt;At minimum, orchestration should cover:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Isolation&lt;/strong&gt;: agents run in sandboxes/containers where they can't silently escape.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Policy enforcement&lt;/strong&gt;: tool calls are validated against scope and intent.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Approvals&lt;/strong&gt;: high-risk actions require explicit approval (human or automated gate).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Time bounds&lt;/strong&gt;: timeouts, retries, and cancellation are not optional.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;AWS's guidance on agentic security emphasizes hardening the execution envelope—session management, isolation patterns, and monitoring—in &lt;a href="https://docs.aws.amazon.com/pdfs/prescriptive-guidance/latest/agentic-ai-security/agentic-ai-security.pdf" rel="noopener noreferrer"&gt;AWS Prescriptive Guidance: Security for agentic AI (2026)&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;If you're comparing options, the decisive question is:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Does the harness make &lt;em&gt;unsafe actions hard&lt;/em&gt; by default?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Or does it assume correctness and ask you to bolt on guardrails later?&lt;/p&gt;

&lt;h3&gt;
  
  
  6) Integrations and connectors: connectors are part of your threat model
&lt;/h3&gt;

&lt;p&gt;Most teams underestimate connectors.&lt;/p&gt;

&lt;p&gt;Connectors aren't "plumbing." They define:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;what data is accessible to agents,&lt;/li&gt;
&lt;li&gt;how fresh it is,&lt;/li&gt;
&lt;li&gt;what transforms are applied,&lt;/li&gt;
&lt;li&gt;and what permissions are implied.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;When every team builds its own connector, you get:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;inconsistent data semantics,&lt;/li&gt;
&lt;li&gt;duplicated pipelines,&lt;/li&gt;
&lt;li&gt;and unreviewed access paths.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A unified harness approach treats connectors as governed assets:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;registered,&lt;/li&gt;
&lt;li&gt;permissioned,&lt;/li&gt;
&lt;li&gt;monitored,&lt;/li&gt;
&lt;li&gt;and consistent across agents.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  The uncomfortable truth: multi-agent scale is mostly a governance problem
&lt;/h2&gt;

&lt;p&gt;It's tempting to treat scaling as an "agent framework choice."&lt;/p&gt;

&lt;p&gt;But enterprise outcomes are usually limited by:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;permission sprawl,&lt;/li&gt;
&lt;li&gt;context drift,&lt;/li&gt;
&lt;li&gt;missing auditability,&lt;/li&gt;
&lt;li&gt;and lack of reversibility.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Microsoft's guidance on the tradeoffs between single- and multi-agent architectures is explicit about additional failure points and complexity in multi-agent systems; see &lt;a href="https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ai-agents/single-agent-multiple-agents" rel="noopener noreferrer"&gt;Microsoft guidance on single-agent vs multi-agent tradeoffs&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;And in security framing, a consistent pattern is scoping by blast radius and capability, not just "more prompts." AWS frames this explicitly as a scoping exercise in &lt;a href="https://aws.amazon.com/blogs/security/the-agentic-ai-security-scoping-matrix-a-framework-for-securing-autonomous-ai-systems/" rel="noopener noreferrer"&gt;AWS's Agentic AI Security Scoping Matrix (2025)&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;If your harness doesn't make governance natural, it will eventually become the thing you have to replace. (This is the heart of &lt;strong&gt;AI agent governance&lt;/strong&gt;: make safe behavior the default, not an afterthought.)&lt;/p&gt;

&lt;h2&gt;
  
  
  Build vs buy: what you'll underestimate if you build
&lt;/h2&gt;

&lt;p&gt;Building a basic agent loop is easy.&lt;/p&gt;

&lt;p&gt;Building a unified enterprise harness is a sustained commitment. The hidden surface area is:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;a permissions system you can audit,&lt;/li&gt;
&lt;li&gt;a context/memory architecture that doesn't drift,&lt;/li&gt;
&lt;li&gt;versioning and rollback for agent writes,&lt;/li&gt;
&lt;li&gt;connector governance,&lt;/li&gt;
&lt;li&gt;runtime isolation,&lt;/li&gt;
&lt;li&gt;and incident response tooling.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you do build, be honest about the roadmap:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;you're building a platform, not a feature.&lt;/li&gt;
&lt;li&gt;your first usable harness is likely v2 or v3.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you buy, be equally honest:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;you're buying a policy surface and operational model.&lt;/li&gt;
&lt;li&gt;if it doesn't fit your org's governance posture, you'll fight it forever.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For teams that want a self-host posture without rebuilding everything, a useful litmus test is whether the system supports a credible self-managed deployment path; for example, this &lt;a href="https://www.puppyone.ai/en/open-source" rel="noopener noreferrer"&gt;Docker self-host option&lt;/a&gt; is the kind of capability some teams prefer for data residency.&lt;/p&gt;

&lt;h2&gt;
  
  
  A 90-day adoption path for SMB teams (practical and low-regret)
&lt;/h2&gt;

&lt;p&gt;You don't have to "unify everything" on day one. Here's a sequence that minimizes regret.&lt;/p&gt;

&lt;h3&gt;
  
  
  Days 0–30: unify the context layer first
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Define canonical context categories (e.g., /policies, /product, /ops, /customers).&lt;/li&gt;
&lt;li&gt;Create scoped read paths per agent role.&lt;/li&gt;
&lt;li&gt;Start logging tool calls and writes.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Done when:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;you can answer "what did the agent read?" and "what did it change?" for any run.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Days 31–60: enforce scoped access + approvals
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Remove shared credentials.&lt;/li&gt;
&lt;li&gt;Introduce least-privilege by default.&lt;/li&gt;
&lt;li&gt;Add approval gates for high-risk writes (customer-facing docs, production actions).&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Done when:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;your harness can deny unsafe actions deterministically.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Days 61–90: add rollback discipline + connector governance
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Make versioning/rollback a standard operating procedure.&lt;/li&gt;
&lt;li&gt;Register connectors and review them like you review services.&lt;/li&gt;
&lt;li&gt;Add basic dashboards: error rates, denied actions, write volume by agent.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Done when:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;incidents can be investigated and remediated without heroics.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  FAQ
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Is a unified harness only for "enterprise" companies?
&lt;/h3&gt;

&lt;p&gt;No. The reason SMBs need a harness is different: you have fewer people to manage chaos. A unified policy surface and rollback discipline is how you scale agent adoption without building a large platform team.&lt;/p&gt;

&lt;h3&gt;
  
  
  Can't we just use an agent framework and call it a day?
&lt;/h3&gt;

&lt;p&gt;Frameworks help you assemble agents. A harness is about operation: permissions, auditing, rollback, connectors, and repeatability. If your agents can act, you need an operating layer.&lt;/p&gt;

&lt;h3&gt;
  
  
  What's the minimum harness that's still worth doing?
&lt;/h3&gt;

&lt;p&gt;For most teams: scoped access + audit logs + rollback. If you have those three, everything else (orchestration patterns, connector sprawl) becomes manageable.&lt;/p&gt;

&lt;h3&gt;
  
  
  Where does "context/memory" belong: in vectors or files?
&lt;/h3&gt;

&lt;p&gt;Vectors are useful for retrieval. But governance and traceability often map more naturally to versioned artifacts (files) with explicit scopes. Many production stacks use both.&lt;/p&gt;

&lt;h2&gt;
  
  
  Next steps
&lt;/h2&gt;

&lt;p&gt;If you're evaluating what "good" looks like in practice, start by mapping your current agents to the six harness capabilities above—and identify which two gaps create the biggest operational risk today.&lt;/p&gt;

&lt;p&gt;If your biggest risks are &lt;strong&gt;scoped access&lt;/strong&gt; and &lt;strong&gt;rollback for agent writes&lt;/strong&gt;, it can be useful to look at a context-layer approach like &lt;a href="https://www.puppyone.ai/en" rel="noopener noreferrer"&gt;puppyone&lt;/a&gt;, where context is structured into agent-readable files with scoped access, auditability, and version history.&lt;/p&gt;

</description>
      <category>agents</category>
      <category>ai</category>
      <category>architecture</category>
      <category>security</category>
    </item>
    <item>
      <title>Hermes Agent vs Agent Harness: What Enterprises Really Need</title>
      <dc:creator>Herbert</dc:creator>
      <pubDate>Sun, 03 May 2026 16:26:00 +0000</pubDate>
      <link>https://dev.to/herbert26/hermes-agent-vs-agent-harness-what-enterprises-really-need-2kbn</link>
      <guid>https://dev.to/herbert26/hermes-agent-vs-agent-harness-what-enterprises-really-need-2kbn</guid>
      <description>&lt;p&gt;If you're making an enterprise agent decision right now, it's tempting to start with the agent.&lt;/p&gt;

&lt;p&gt;Pick the best "Hermes," the best model, the best framework — and assume the rest will follow.&lt;/p&gt;

&lt;p&gt;That ordering is backwards.&lt;/p&gt;

&lt;p&gt;The agent is &lt;em&gt;replaceable&lt;/em&gt;. The harness is what makes any agent deployable.&lt;/p&gt;

&lt;h2&gt;
  
  
  The thesis: Hermes is optional; the harness is foundational
&lt;/h2&gt;

&lt;p&gt;Hermes Agent (from Nous Research) is a real project with real momentum — an open-source, self-improving agent built around a learning loop and persistent operation. According to &lt;a href="https://hermes-agent.nousresearch.com/docs/" rel="noopener noreferrer"&gt;the Hermes Agent documentation from Nous Research&lt;/a&gt;, the goal is an autonomous agent that gets more capable over time.&lt;/p&gt;

&lt;p&gt;But for enterprises (and governance-heavy SMBs), the system you need to choose first isn't the agent.&lt;/p&gt;

&lt;p&gt;It's the operating layer around &lt;em&gt;every&lt;/em&gt; agent:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;what the agent is allowed to see&lt;/li&gt;
&lt;li&gt;what it's allowed to do&lt;/li&gt;
&lt;li&gt;how it proves what it did&lt;/li&gt;
&lt;li&gt;how you roll back when it's wrong&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;That operating layer is what engineering teams increasingly call an &lt;strong&gt;agent harness&lt;/strong&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  What an "agent harness" means (in plain terms)
&lt;/h2&gt;

&lt;p&gt;An agent harness is everything you build around a model to turn it into a working, governed agent: the state, the tools, the policies, the execution environment, and the control points.&lt;/p&gt;

&lt;p&gt;You can think of this work as &lt;strong&gt;agent harness engineering&lt;/strong&gt;: designing the constraints, interfaces, and feedback loops that make agents behave like software you can own — not demos you have to babysit.&lt;/p&gt;

&lt;p&gt;Builder.io puts it bluntly in &lt;a href="https://www.builder.io/blog/agent-harness" rel="noopener noreferrer"&gt;its definition of an agent harness&lt;/a&gt;: it's "every piece of code, configuration, and execution logic that wraps an AI model to turn it into a working agent."&lt;/p&gt;

&lt;p&gt;LangChain uses the same mental model — "Agent = Model + Harness" — and describes harness primitives like durable storage, sandboxes, memory/context injection, and verification loops in &lt;a href="https://www.langchain.com/blog/the-anatomy-of-an-agent-harness" rel="noopener noreferrer"&gt;"The Anatomy of an Agent Harness"&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;If you're a Head/Director/VP of Data/AI in a 200–500 person org, this is the part that matters:&lt;/p&gt;

&lt;p&gt;A better agent can improve &lt;em&gt;capability&lt;/em&gt;. A better harness improves &lt;em&gt;risk, repeatability, and ownership&lt;/em&gt;.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key Takeaway&lt;/strong&gt;: If your stack can't answer "who had access, what changed, and how do we roll it back?", you don't have an enterprise agent system yet — you have a prototype.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  What Hermes Agent gives you (and why it's not the enterprise answer by itself)
&lt;/h2&gt;

&lt;p&gt;Hermes Agent is positioned as a long-lived agent runtime that can operate across environments and channels.&lt;/p&gt;

&lt;p&gt;From the project's own materials (docs + repo), Hermes emphasizes:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;a built-in learning loop&lt;/strong&gt; and skill creation over time (Nous docs)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;run-anywhere deployment&lt;/strong&gt; options (local, Docker, SSH, serverless-like backends)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;tool use + orchestration&lt;/strong&gt; patterns&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;You can validate these claims directly in &lt;a href="https://github.com/nousresearch/hermes-agent" rel="noopener noreferrer"&gt;NousResearch/hermes-agent on GitHub (MIT license)&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;That's valuable.&lt;/p&gt;

&lt;p&gt;But those are primarily &lt;em&gt;agent capabilities&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;What they don't automatically solve — especially in regulated, integration-heavy environments — is the set of constraints that keep your org safe when the agent inevitably:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;reads the wrong context&lt;/li&gt;
&lt;li&gt;uses the right tool in the wrong sequence&lt;/li&gt;
&lt;li&gt;writes to the wrong place&lt;/li&gt;
&lt;li&gt;"helpfully" overwrites a shared artifact&lt;/li&gt;
&lt;li&gt;acts with more privilege than the business intended&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This isn't a critique of Hermes. It's a category error.&lt;/p&gt;

&lt;p&gt;You can swap Hermes for a different agent tomorrow. You can't casually swap the harness once your workflows, permissions, audit posture, and incident response are built around it.&lt;/p&gt;

&lt;h2&gt;
  
  
  The enterprise failure modes that agents don't fix
&lt;/h2&gt;

&lt;p&gt;When leaders say "we want enterprise-ready agents," they usually mean one of these five things.&lt;/p&gt;

&lt;p&gt;In other words: this is &lt;strong&gt;enterprise AI agent governance&lt;/strong&gt;. Not because you want bureaucracy, but because production agents touch real systems, real data, and real accountability.&lt;/p&gt;

&lt;h3&gt;
  
  
  1) "We need least-privilege access — for agents, not just humans"
&lt;/h3&gt;

&lt;p&gt;In practice, the hardest problem isn't tool calling.&lt;/p&gt;

&lt;p&gt;It's authorization.&lt;/p&gt;

&lt;p&gt;An agent shouldn't get access to "the knowledge base." It should get access to &lt;em&gt;a scoped slice&lt;/em&gt; of context and tools, tied to:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;a specific identity&lt;/li&gt;
&lt;li&gt;a time window&lt;/li&gt;
&lt;li&gt;a task&lt;/li&gt;
&lt;li&gt;an approval trail&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The Cloud Security Alliance frames this as an IAM problem that needs agent-native identity and delegation patterns in &lt;a href="https://cloudsecurityalliance.org/artifacts/agentic-ai-identity-and-access-management-a-new-approach" rel="noopener noreferrer"&gt;"Agentic AI Identity and Access Management: A New Approach"&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;If you don't build this, you end up with the default: shared API keys, ambiguous responsibility, and no credible answer to "who did what?"&lt;/p&gt;

&lt;h3&gt;
  
  
  2) "We need auditability that survives incidents"
&lt;/h3&gt;

&lt;p&gt;Enterprises don't just want logs.&lt;/p&gt;

&lt;p&gt;They want &lt;em&gt;forensics&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;When an agent produces a bad outcome, the questions are immediate:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;What inputs did it see?&lt;/li&gt;
&lt;li&gt;What tool calls did it make?&lt;/li&gt;
&lt;li&gt;What did it write?&lt;/li&gt;
&lt;li&gt;What changed, exactly?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A harness isn't only about preventing mistakes. It's about making mistakes containable.&lt;/p&gt;

&lt;p&gt;That's why mature teams treat &lt;strong&gt;AI agent permissions and audit logs&lt;/strong&gt; as baseline infrastructure — not an optional add-on once the prototype "works."&lt;/p&gt;

&lt;h3&gt;
  
  
  3) "We need rollback for agent writes, not apology messages"
&lt;/h3&gt;

&lt;p&gt;Most agent failures aren't catastrophic. They're subtle: a config tweak, a document rewrite, a silent regression.&lt;/p&gt;

&lt;p&gt;The fix isn't "try again."&lt;/p&gt;

&lt;p&gt;The fix is &lt;strong&gt;versioning + diff + rollback&lt;/strong&gt; across every agent write.&lt;/p&gt;

&lt;p&gt;Without that, your team's real workflow becomes: argue in Slack about which run broke things.&lt;/p&gt;

&lt;h3&gt;
  
  
  4) "We need deterministic context, not context roulette"
&lt;/h3&gt;

&lt;p&gt;A model can only reason over what you provide.&lt;/p&gt;

&lt;p&gt;So in production, "agent reliability" often collapses into &lt;strong&gt;context engineering&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;what context is retrieved&lt;/li&gt;
&lt;li&gt;how it's structured&lt;/li&gt;
&lt;li&gt;what gets excluded&lt;/li&gt;
&lt;li&gt;what gets carried forward between runs&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A harness owns these decisions.&lt;/p&gt;

&lt;p&gt;A single agent framework rarely solves them end-to-end for an organization.&lt;/p&gt;

&lt;h3&gt;
  
  
  5) "We need safe tool execution and verification loops"
&lt;/h3&gt;

&lt;p&gt;In enterprise environments, the question isn't "can the agent call tools?"&lt;/p&gt;

&lt;p&gt;It's:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Can it call them safely?&lt;/li&gt;
&lt;li&gt;Does it have a sandbox?&lt;/li&gt;
&lt;li&gt;Does it verify outputs?&lt;/li&gt;
&lt;li&gt;Does it stop before high-impact actions?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Those are harness-level constraints.&lt;/p&gt;

&lt;h2&gt;
  
  
  Minimum viable agent harness (MVH): what to build or buy first
&lt;/h2&gt;

&lt;p&gt;If you accept the thesis, the practical question is what to implement &lt;em&gt;now&lt;/em&gt; — especially when your team doesn't have 20 platform engineers to spare.&lt;/p&gt;

&lt;p&gt;Here's a minimum viable harness checklist you can implement in weeks, not quarters.&lt;/p&gt;

&lt;h3&gt;
  
  
  A. Agent identity + scoped access
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Give each agent its &lt;strong&gt;own identity&lt;/strong&gt; (not "shared service account").&lt;/li&gt;
&lt;li&gt;Define "access points" to context and tools by role and task.&lt;/li&gt;
&lt;li&gt;Default to &lt;strong&gt;deny&lt;/strong&gt;; grant narrowly.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  B. Governed context storage
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Store context as &lt;strong&gt;addressable, reviewable artifacts&lt;/strong&gt; (not just embeddings).&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Separate:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;long-lived org context&lt;/li&gt;
&lt;li&gt;task artifacts&lt;/li&gt;
&lt;li&gt;agent memory&lt;/li&gt;
&lt;/ul&gt;


&lt;/li&gt;

&lt;/ul&gt;

&lt;h3&gt;
  
  
  C. Version control + rollback for every write
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;Every agent write should produce:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;a new version&lt;/li&gt;
&lt;li&gt;a diff&lt;/li&gt;
&lt;li&gt;a rollback path&lt;/li&gt;
&lt;/ul&gt;


&lt;/li&gt;

&lt;/ul&gt;

&lt;h3&gt;
  
  
  D. Audit logs that connect actions to identity
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;You need an immutable trail of:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;agent identity&lt;/li&gt;
&lt;li&gt;time&lt;/li&gt;
&lt;li&gt;inputs&lt;/li&gt;
&lt;li&gt;tool calls&lt;/li&gt;
&lt;li&gt;writes&lt;/li&gt;
&lt;/ul&gt;


&lt;/li&gt;

&lt;/ul&gt;

&lt;h3&gt;
  
  
  E. Verification loops and human gates
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;Add "stop points" where a human must approve before:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;sending external messages&lt;/li&gt;
&lt;li&gt;changing production configs&lt;/li&gt;
&lt;li&gt;writing to canonical knowledge&lt;/li&gt;
&lt;/ul&gt;


&lt;/li&gt;

&lt;/ul&gt;

&lt;p&gt;This checklist is not vendor-specific. It's the harness.&lt;/p&gt;

&lt;h2&gt;
  
  
  Where puppyone fits: the governed context layer inside the harness
&lt;/h2&gt;

&lt;p&gt;A harness needs a durable, governed place for &lt;strong&gt;agent context management&lt;/strong&gt; and agent-written artifacts to live.&lt;/p&gt;

&lt;p&gt;That's the gap &lt;strong&gt;puppyone&lt;/strong&gt; is designed to fill.&lt;/p&gt;

&lt;p&gt;At a systems level, puppyone is a context workspace that emphasizes:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;scoped access points&lt;/strong&gt; (what each agent can read/write/never see)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;version control for agent context&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;diff + rollback&lt;/strong&gt; when agent writes go wrong&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;auditability&lt;/strong&gt;: tracking what changed, by which agent, and when&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you want a concrete reference point, puppyone documents the mechanics in &lt;a href="https://www.puppyone.ai/doc/en/version-control/versions" rel="noopener noreferrer"&gt;puppyone version history and rollback documentation&lt;/a&gt; and gives the reasoning in &lt;a href="https://www.puppyone.ai/en/blog/version-control-for-ai-agent-context" rel="noopener noreferrer"&gt;puppyone on version control for AI agent context&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Put differently: Hermes (or any agent) can be a worker. The harness is the operating layer. puppyone can be the governed file system where the work and memory live.&lt;/p&gt;

&lt;h2&gt;
  
  
  The strongest counterargument: "If Hermes gets good enough, we won't need a harness"
&lt;/h2&gt;

&lt;p&gt;This sounds plausible if you treat "agent reliability" as a model quality problem.&lt;/p&gt;

&lt;p&gt;But enterprise reliability is a systems property.&lt;/p&gt;

&lt;p&gt;Even a very capable agent still needs:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;explicit permission boundaries&lt;/li&gt;
&lt;li&gt;durable state that outlives a context window&lt;/li&gt;
&lt;li&gt;rollback when it's wrong&lt;/li&gt;
&lt;li&gt;audit trails for internal and external scrutiny&lt;/li&gt;
&lt;li&gt;predictable interfaces to tools and data&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you remove the harness, you're betting your governance posture on prompt discipline.&lt;/p&gt;

&lt;p&gt;That's not an enterprise strategy.&lt;/p&gt;

&lt;h2&gt;
  
  
  A decision rubric: what to decide this quarter
&lt;/h2&gt;

&lt;p&gt;If you're choosing what to fund right now, start here.&lt;/p&gt;

&lt;h3&gt;
  
  
  Choose a harness-first architecture if…
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;multiple teams will run agents against shared data&lt;/li&gt;
&lt;li&gt;you operate under GDPR, sector rules, or customer audits&lt;/li&gt;
&lt;li&gt;you expect agents to write artifacts that humans will rely on&lt;/li&gt;
&lt;li&gt;you can't afford "mystery regressions" in knowledge and workflows&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Choose an agent-first prototype if…
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;the work is personal productivity or a single-team sandbox&lt;/li&gt;
&lt;li&gt;data access is low-risk and non-sensitive&lt;/li&gt;
&lt;li&gt;you're explicitly exploring capability, not shipping outcomes&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;In most enterprise-adjacent SMBs, you will end up needing the harness either way.&lt;/p&gt;

&lt;p&gt;The only real question is whether you build it intentionally — or accumulate it accidentally.&lt;/p&gt;

&lt;h2&gt;
  
  
  Next steps
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;Write down your "minimum viable harness" requirements (identity, permissions, rollback, audit, verification).&lt;/li&gt;
&lt;li&gt;Pick one agent (Hermes or otherwise) as a &lt;em&gt;replaceable worker&lt;/em&gt;.&lt;/li&gt;
&lt;li&gt;Stand up the governed context layer early so your team can ship with confidence.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;If you want a concrete starting point, &lt;a href="https://www.puppyone.ai/en" rel="noopener noreferrer"&gt;puppyone&lt;/a&gt; is designed to be that governed context workspace inside an agent harness.&lt;/p&gt;

&lt;h2&gt;
  
  
  Key takeaways
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Hermes Agent is a credible open-source agent project, but it's not a complete enterprise operating layer by itself.&lt;/li&gt;
&lt;li&gt;An agent harness is the system around the model: permissions, tools, state, constraints, verification, and team controls.&lt;/li&gt;
&lt;li&gt;Enterprises and governance-heavy SMBs should fund the harness first because that's where risk is contained.&lt;/li&gt;
&lt;li&gt;puppyone fits as the governed context layer: scoped access points, versioning, auditability, and rollback for agent-written artifacts.&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>ai</category>
      <category>agents</category>
      <category>llm</category>
    </item>
    <item>
      <title>Build vs Buy Agent Context Platform: The 9–14 Month Reality Check</title>
      <dc:creator>Herbert</dc:creator>
      <pubDate>Wed, 29 Apr 2026 08:04:08 +0000</pubDate>
      <link>https://dev.to/herbert26/build-vs-buy-agent-context-platform-the-9-14-month-reality-check-35pn</link>
      <guid>https://dev.to/herbert26/build-vs-buy-agent-context-platform-the-9-14-month-reality-check-35pn</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpin18wj53lg05ajjot7v.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpin18wj53lg05ajjot7v.jpeg" alt=" " width="800" height="533"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Build vs Buy Agent Context Platform: The 9–14 Month Reality Check
&lt;/h2&gt;

&lt;p&gt;If you’re building agentic workflows in a real business (not a demo), you eventually hit a non-glamorous question. This is the same decision pattern you see in &lt;strong&gt;build vs buy RAG infrastructure&lt;/strong&gt; projects: are you investing in a long-lived platform, or getting to a governed baseline fast?&lt;/p&gt;

&lt;p&gt;Do you keep stitching context together with bespoke connectors, prompts, and ad-hoc stores—or do you treat “context” as infrastructure and either build or buy a governed system for it?&lt;/p&gt;

&lt;p&gt;Put another way: every production agent is really a &lt;strong&gt;harness agent&lt;/strong&gt;—an LLM wrapped in a harness that supplies its tools, permissions, memory, and audit trail. The decision in front of you isn’t “do we need agents.” It’s whether you build the harness yourself or adopt one. That harness is what this post is about.&lt;/p&gt;

&lt;p&gt;This post is a consideration-stage framework for that decision. It assumes you’re a 200–500 person SMB in tech or manufacturing/logistics, you care about security and compliance, and you don’t have infinite platform engineering bandwidth.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Key Takeaway&lt;/strong&gt;: “Build vs buy” is rarely about whether you &lt;em&gt;can&lt;/em&gt; build. It’s about whether you can &lt;em&gt;own&lt;/em&gt; the maintenance surface area: connectors, scoped access, auditability, versioning/rollback, and evaluation.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  What an “agent context filesystem” actually means
&lt;/h2&gt;

&lt;p&gt;In practice, an agent context filesystem (or context file system) is a layer that makes organizational knowledge &lt;strong&gt;agent-readable&lt;/strong&gt; and &lt;strong&gt;operationally governable&lt;/strong&gt;. You can think of it as an &lt;strong&gt;agent context management platform&lt;/strong&gt; that behaves like a file system (paths, files, diffs) rather than a purely query-first knowledge product.&lt;/p&gt;

&lt;p&gt;This layer is the core of the &lt;strong&gt;harness agent&lt;/strong&gt; pattern: the harness is what turns a bare LLM loop into something your security team will sign off on, and the context filesystem is where most of that harness lives. A harness agent without a real context layer is just a prompt with ambition.&lt;/p&gt;

&lt;p&gt;It usually includes:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Ingestion/connectors&lt;/strong&gt;: Notion/Slack/Gmail/GitHub/DBs/internal apps, plus sync and change tracking.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Normalization&lt;/strong&gt;: turning content into stable formats (Markdown/JSON/raw files) with consistent structure.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Scoped access&lt;/strong&gt;: per-agent read/write boundaries (and explicit “never access” zones).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Audit logs&lt;/strong&gt;: who/what changed context, when, and why.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Version control + rollback&lt;/strong&gt;: because agents write, and sometimes they write the wrong thing.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Evaluation/observability&lt;/strong&gt;: detecting retrieval drift, broken connectors, and “context pollution.”&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If that sounds like “an internal platform,” that’s the point.&lt;/p&gt;

&lt;h2&gt;
  
  
  Build vs buy vs hybrid: a quick comparison matrix
&lt;/h2&gt;

&lt;p&gt;Most teams don’t need a philosophical debate—they need a fast shortlist of tradeoffs.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Dimension&lt;/th&gt;
&lt;th&gt;Build in-house&lt;/th&gt;
&lt;th&gt;Buy a platform&lt;/th&gt;
&lt;th&gt;Hybrid (buy core, build on top)&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Time-to-value&lt;/td&gt;
&lt;td&gt;Slow (months)&lt;/td&gt;
&lt;td&gt;Fast (weeks)&lt;/td&gt;
&lt;td&gt;Medium-fast (core fast, extensions later)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Custom fit&lt;/td&gt;
&lt;td&gt;Highest&lt;/td&gt;
&lt;td&gt;Medium (within product constraints)&lt;/td&gt;
&lt;td&gt;High (extensions via APIs/workflows)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Ongoing maintenance&lt;/td&gt;
&lt;td&gt;Highest (you own it)&lt;/td&gt;
&lt;td&gt;Lower (vendor owns core)&lt;/td&gt;
&lt;td&gt;Medium&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Security/compliance effort&lt;/td&gt;
&lt;td&gt;You build controls + prove them&lt;/td&gt;
&lt;td&gt;You inherit vendor posture + still govern usage&lt;/td&gt;
&lt;td&gt;Shared&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Lock-in risk&lt;/td&gt;
&lt;td&gt;Low (but you can lock into your own design)&lt;/td&gt;
&lt;td&gt;Medium–high (depends on portability)&lt;/td&gt;
&lt;td&gt;Medium&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Failure recovery&lt;/td&gt;
&lt;td&gt;You must build rollback/audit pathways&lt;/td&gt;
&lt;td&gt;Often built-in (verify)&lt;/td&gt;
&lt;td&gt;Mixed&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Frameworks used for internal platforms (like IDPs) tend to converge on these same choices. The Spacelift team lays out that trade space in their &lt;a href="https://spacelift.io/blog/internal-developer-platform-idp-build-or-buy" rel="noopener noreferrer"&gt;IDP build vs buy guide&lt;/a&gt; (2026).&lt;/p&gt;

&lt;h2&gt;
  
  
  Build vs buy agent context platform: use these criteria to decide
&lt;/h2&gt;

&lt;p&gt;A good comparison doesn’t start with vendor names. It starts with criteria.&lt;/p&gt;

&lt;h3&gt;
  
  
  1) Scope: are you building a feature—or a platform?
&lt;/h3&gt;

&lt;p&gt;If context infrastructure is part of what you sell (or your key differentiation), building can make sense.&lt;/p&gt;

&lt;p&gt;If it’s not core to your product, internal tools guidance is blunt: building often turns into a long-term tax on the same engineers you want shipping customer value. Retool’s &lt;a href="https://retool.com/blog/build-vs-buy-guide-for-internal-tools" rel="noopener noreferrer"&gt;build vs buy guide for internal tools&lt;/a&gt; (2025) is a useful reminder that opportunity cost is a real line item.&lt;/p&gt;

&lt;p&gt;A practical test:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Build&lt;/strong&gt; if you need a specialized capability that materially differentiates you and you can staff a platform team.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Buy&lt;/strong&gt; if you need reliable baseline capabilities (governance, connectors, versioning) more than bespoke innovation.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Hybrid&lt;/strong&gt; if you need standard foundations &lt;em&gt;plus&lt;/em&gt; a few non-negotiable custom workflows.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  2) The 9–14 month build plan: what you’re really committing to
&lt;/h3&gt;

&lt;p&gt;Teams underestimate build timelines because they count the MVP, not the operational system.&lt;/p&gt;

&lt;p&gt;A realistic 9–14 month path often looks like this:&lt;/p&gt;

&lt;h4&gt;
  
  
  Months 1–2: Define the contract
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;Define “context objects” (files, metadata, ownership).&lt;/li&gt;
&lt;li&gt;Define your access model (scopes, roles, approvals).&lt;/li&gt;
&lt;li&gt;Define write paths (how agents propose changes; what gets committed).&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Deliverable: a spec your security + engineering leadership can sign.&lt;/p&gt;

&lt;h4&gt;
  
  
  Months 3–5: Ingestion + normalization MVP
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;Build 3–5 connectors that you actually need.&lt;/li&gt;
&lt;li&gt;Build a sync story (polling vs webhooks vs CDC), plus failure handling.&lt;/li&gt;
&lt;li&gt;Normalize into durable formats and stable paths.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Deliverable: a context store that stays fresh without manual babysitting.&lt;/p&gt;

&lt;h4&gt;
  
  
  Months 6–8: Governance layer (permissions + audit logs)
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;Per-agent scoped access.&lt;/li&gt;
&lt;li&gt;Audit log model and retention.&lt;/li&gt;
&lt;li&gt;Admin workflows for exceptions.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Deliverable: “we can pass an internal security review.”&lt;/p&gt;

&lt;h4&gt;
  
  
  Months 9–11: Versioning + rollback for agent writes
&lt;/h4&gt;

&lt;p&gt;Agent writes are where systems get messy. You need:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;diffs (what changed)&lt;/li&gt;
&lt;li&gt;rollbacks (undo)&lt;/li&gt;
&lt;li&gt;“safe merge” semantics&lt;/li&gt;
&lt;li&gt;traceability (which agent/tool caused it)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you want a concrete example of why context versioning differs from code versioning, puppyone’s article on &lt;a href="https://www.puppyone.ai/en/blog/version-control-for-ai-agent-context" rel="noopener noreferrer"&gt;version control for AI agent context&lt;/a&gt; is a useful reference.&lt;/p&gt;

&lt;h4&gt;
  
  
  Months 12–14: Evaluation + observability + hardening
&lt;/h4&gt;

&lt;p&gt;Context systems fail quietly. A connector doesn’t always throw an exception—it can just stop updating. Retrieval quality drifts. Tool usage sprawls. Prompts become brittle.&lt;/p&gt;

&lt;p&gt;Anthropic’s &lt;a href="https://www.anthropic.com/engineering/effective-context-engineering-for-ai-agents" rel="noopener noreferrer"&gt;Effective context engineering for AI agents&lt;/a&gt; (2025) is useful here: minimizing tool sprawl and managing context pollution isn’t a one-time setup; it’s ongoing tuning. That ongoing tuning work is part of the real &lt;strong&gt;context engineering infrastructure&lt;/strong&gt; cost of ownership.&lt;/p&gt;

&lt;p&gt;Deliverable: dashboards, quality gates, and incident playbooks.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;⚠️ Warning&lt;/strong&gt;: The “done” state is not “agents can read files.” It’s “agents can read and write safely, and you can recover from mistakes.”&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h3&gt;
  
  
  3) Staffing: who owns the surface area?
&lt;/h3&gt;

&lt;p&gt;A build plan implies ownership. For a 9–14 month build, assume the work spans:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Platform/infra lead&lt;/strong&gt; (architecture + delivery)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;2–4 backend/platform engineers&lt;/strong&gt; (connectors, storage, APIs)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;1 security/identity engineer&lt;/strong&gt; (scoped access, policy, approvals)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;1 SRE/DevOps&lt;/strong&gt; (reliability, monitoring, incident response)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;0.5–1 product/PM&lt;/strong&gt; (requirements, internal adoption, prioritization)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;You can compress roles in smaller orgs, but the work doesn’t disappear.&lt;/p&gt;

&lt;p&gt;This is also why many teams choose a hybrid. In the IDP world, “buy core + build on top” shows up repeatedly because it reduces foundational engineering while preserving flexibility.&lt;/p&gt;

&lt;h3&gt;
  
  
  4) CapEx vs OpEx: what you pay, and when
&lt;/h3&gt;

&lt;p&gt;Instead of pretending there’s a universal number, model your own inputs.&lt;/p&gt;

&lt;h4&gt;
  
  
  Build cost categories (mostly CapEx up front, OpEx forever)
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;Engineering time (build)&lt;/li&gt;
&lt;li&gt;Infra (storage, compute, networking)&lt;/li&gt;
&lt;li&gt;Security/compliance work (design + audits)&lt;/li&gt;
&lt;li&gt;Tooling (observability stack, CI/CD, secret management)&lt;/li&gt;
&lt;li&gt;Ongoing maintenance (connector churn, governance, on-call)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A pattern you’ll see across infrastructure categories is that “free core tech” still demands expensive human capital to run it reliably. Confluent’s analysis of the &lt;a href="https://www.confluent.io/blog/cost-build-data-streaming-platform/" rel="noopener noreferrer"&gt;cost of building a data streaming platform&lt;/a&gt; (2025) makes this point sharply.&lt;/p&gt;

&lt;h4&gt;
  
  
  Buy cost categories (mostly OpEx, plus integration)
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;Subscription/license&lt;/li&gt;
&lt;li&gt;Implementation + integration&lt;/li&gt;
&lt;li&gt;Add-ons (storage, seats, audit retention, etc.)&lt;/li&gt;
&lt;li&gt;Vendor management (security review, renewals)&lt;/li&gt;
&lt;li&gt;Internal ownership of “your side” (policies, workflows, adoption)&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  5) Maintenance risk: what breaks in month 15
&lt;/h3&gt;

&lt;p&gt;A context layer doesn’t fail like a feature. It fails like plumbing. And when it fails, every harness agent downstream fails with it—silently, and usually in the exact ways that are hardest to detect.&lt;/p&gt;

&lt;p&gt;Typical long-term failure modes:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Connector brittleness&lt;/strong&gt;: APIs change; auth models rotate; webhooks are unreliable.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Access drift&lt;/strong&gt;: who should see what changes over time; exceptions accumulate.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Context rot&lt;/strong&gt;: outdated documents keep getting retrieved because freshness and deprecation aren’t encoded.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;No safe rollback&lt;/strong&gt;: an agent writes the wrong summary or policy, and now everything downstream is wrong.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Observability gaps&lt;/strong&gt;: you notice failures only when a user complains.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you build, you’re signing up to maintain these as first-class product problems.&lt;/p&gt;

&lt;p&gt;If you buy, your job is due diligence: verify the platform actually solves the boring parts (auditability, rollback, scoped access) rather than simply providing a vector store with a UI.&lt;/p&gt;

&lt;p&gt;For a concrete governance example, puppyone’s write-up on &lt;a href="https://www.puppyone.ai/en/blog/how-to-secure-ai-agents-openclaw-permissions-audit" rel="noopener noreferrer"&gt;securing AI agents with permissions and audit&lt;/a&gt; is a useful internal reference point for what teams usually end up building themselves.&lt;/p&gt;

&lt;h3&gt;
  
  
  6) Time-to-value: what you can achieve in 30/60/90 days
&lt;/h3&gt;

&lt;p&gt;A neutral way to compare options is to map outcomes to a calendar.&lt;/p&gt;

&lt;h4&gt;
  
  
  If you buy (typical)
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;30 days&lt;/strong&gt;: connect key sources, define scoped access boundaries, establish audit logging.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;60 days&lt;/strong&gt;: add versioning/rollback for agent writes, harden governance workflows.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;90 days&lt;/strong&gt;: expand connectors, add evaluation signals, formalize incident response.&lt;/li&gt;
&lt;/ul&gt;

&lt;h4&gt;
  
  
  If you build (typical)
&lt;/h4&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;30 days&lt;/strong&gt;: spec + a prototype.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;60 days&lt;/strong&gt;: first connector(s) + normalization.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;90 days&lt;/strong&gt;: early MVP, usually without mature governance and rollback.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This doesn’t mean buy is always better. It means buy tends to front-load value, while build front-loads learning.&lt;/p&gt;

&lt;h2&gt;
  
  
  ROI calculator
&lt;/h2&gt;

&lt;p&gt;This is intentionally lightweight. The goal is to make your assumptions explicit.&lt;/p&gt;

&lt;h3&gt;
  
  
  Step 1: estimate annualized costs
&lt;/h3&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Input&lt;/th&gt;
&lt;th&gt;Symbol&lt;/th&gt;
&lt;th&gt;Example range&lt;/th&gt;
&lt;th&gt;Notes&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Fully loaded annual cost per engineer&lt;/td&gt;
&lt;td&gt;C_eng&lt;/td&gt;
&lt;td&gt;$180k–$350k&lt;/td&gt;
&lt;td&gt;Use your internal fully loaded cost&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Build team size (FTE)&lt;/td&gt;
&lt;td&gt;N_build&lt;/td&gt;
&lt;td&gt;4–8&lt;/td&gt;
&lt;td&gt;Platform + security + SRE blended&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Build duration (months)&lt;/td&gt;
&lt;td&gt;M_build&lt;/td&gt;
&lt;td&gt;9–14&lt;/td&gt;
&lt;td&gt;Your assumption&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Annual vendor subscription (if buy)&lt;/td&gt;
&lt;td&gt;C_vendor&lt;/td&gt;
&lt;td&gt;$0–$X&lt;/td&gt;
&lt;td&gt;Use quotes/tiers&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Annual infra/tooling for build&lt;/td&gt;
&lt;td&gt;C_infra&lt;/td&gt;
&lt;td&gt;$20k–$300k&lt;/td&gt;
&lt;td&gt;Storage, compute, observability, etc.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Ongoing maintenance (FTE) after launch&lt;/td&gt;
&lt;td&gt;N_maint&lt;/td&gt;
&lt;td&gt;1–3&lt;/td&gt;
&lt;td&gt;Connector churn + governance + on-call&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Formulas:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Build labor cost (one-time)&lt;/strong&gt;: &lt;code&gt;Cost_build_labor = C_eng * N_build * (M_build/12)&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Build ongoing annual maintenance&lt;/strong&gt;: &lt;code&gt;Cost_build_maint_annual = C_eng * N_maint + C_infra&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Buy annual cost&lt;/strong&gt;: &lt;code&gt;Cost_buy_annual = C_vendor + (C_eng * N_maint_buy)&lt;/code&gt; where &lt;code&gt;N_maint_buy&lt;/code&gt; is your internal admin/integration burden.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Step 2: estimate benefits (choose measurable levers)
&lt;/h3&gt;

&lt;p&gt;Pick 1–2 benefits you can actually measure:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Engineer hours saved per week from fewer context hunts: &lt;code&gt;H_saved&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;Fully loaded hourly cost: &lt;code&gt;C_hour&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;Avoided incidents or compliance rework (use conservative internal estimates)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Simple benefit formula:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Annual productivity value&lt;/strong&gt;: &lt;code&gt;Benefit_prod_annual = H_saved * C_hour * 52&lt;/code&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Then compute:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Payback period (months)&lt;/strong&gt;: &lt;code&gt;Payback_months = (Upfront_cost / (Annual_benefit/12))&lt;/code&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Pro Tip&lt;/strong&gt;: Keep three scenarios (conservative / base / aggressive). You’ll learn more from the spread than from the midpoint.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;h2&gt;
  
  
  Exit strategies: avoid “forever decisions”
&lt;/h2&gt;

&lt;p&gt;Lock-in risk is real—but the fix isn’t “never buy.” It’s planning portability.&lt;/p&gt;

&lt;h3&gt;
  
  
  If you buy
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Ensure &lt;strong&gt;data export&lt;/strong&gt; is practical (not just “available”): can you export files + metadata + history?&lt;/li&gt;
&lt;li&gt;Prefer systems where context artifacts are in durable formats (Markdown/JSON) and stable paths.&lt;/li&gt;
&lt;li&gt;Make “connector ownership” explicit: what happens when a vendor connector breaks or is removed?&lt;/li&gt;
&lt;li&gt;Document the minimum viable replacement you could run if you had to migrate.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  If you build
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Avoid inventing proprietary formats that only your team understands.&lt;/li&gt;
&lt;li&gt;Separate the context data model from the retrieval stack.&lt;/li&gt;
&lt;li&gt;Treat connectors as replaceable modules; keep contracts stable.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A useful heuristic: the best exit strategy is one where your “context artifacts” can survive a tool change.&lt;/p&gt;

&lt;h2&gt;
  
  
  So… which should you choose?
&lt;/h2&gt;

&lt;p&gt;Here’s a practical mapping for SMB teams.&lt;/p&gt;

&lt;h3&gt;
  
  
  Choose &lt;strong&gt;build&lt;/strong&gt; if:
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Context infrastructure is your core product differentiation.&lt;/li&gt;
&lt;li&gt;You can staff (and retain) a platform team for maintenance and on-call.&lt;/li&gt;
&lt;li&gt;You have unusual constraints a vendor can’t meet (deployment, residency, policy).&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Choose &lt;strong&gt;buy&lt;/strong&gt; if:
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;You need governed context quickly and your bottleneck is engineering bandwidth.&lt;/li&gt;
&lt;li&gt;Your highest risks are governance failures (scoped access, audit logs, rollback) and you want mature defaults.&lt;/li&gt;
&lt;li&gt;You’d rather spend engineers on agent workflows than reinventing infrastructure.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Choose &lt;strong&gt;hybrid&lt;/strong&gt; if:
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;You want a reliable core (connectors, access control, versioning) but need custom workflows.&lt;/li&gt;
&lt;li&gt;You want to de-risk the first 90 days, then iterate toward differentiation.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Next steps
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;Copy the calculator table into a spreadsheet and fill in your real staffing and timeline assumptions.&lt;/li&gt;
&lt;li&gt;Use the criteria sections above as an evaluation checklist for any vendor or internal build—score each option on how complete a harness agent stack it actually delivers (connectors, scoped access, versioning, audit, evaluation), not just how fast it demos.&lt;/li&gt;
&lt;li&gt;If you’re evaluating a platform, start with governance basics (scoped access, audit logs, rollback), then look at connectors and observability.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;If it’s helpful, a fast way to pressure-test requirements is a technical walkthrough where you map data sources, access boundaries, and rollback needs against a real harness agent platform like &lt;a href="https://www.puppyone.ai/en" rel="noopener noreferrer"&gt;puppyone&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>agents</category>
    </item>
  </channel>
</rss>
