AI-ENG-AI — Contract Thinking - Deterministic Edges Around Probabilistic Cores

Doctrinal Introduction & The Contract Thinking Doctrine

In high-dimensional artificial intelligence engineering, the primary challenge is not the elimination of model non-determinism, but rather the containment of that non-determinism within safe, verifiable boundaries. This paradigm, formulated as probabilistic containment architecture, recognizes that the cognitive flexibility of large language models is highly valuable during internal inference, but presents severe risks when allowed to interface directly with stateful, authoritative, or public-facing systems. Good systems design does not attempt to force the entire model into absolute predictability; instead, it establishes a rigid, deterministic envelope around the model’s probabilistic core. The model may execute complex synthesis, logical deduction, and creative planning within this bounded space, but every boundary crossing—or seam—must conform to a strict, typed, and enforceable contract.
This methodology generalizes Bertrand Meyer’s Design by Contract (DbC) framework, originally formulated in 1986 to improve traditional software reliability.1 Meyer identified correctness—the ability of software to perform its exact tasks as defined by its specification—as the supreme quality of software, supplemented by robustness, efficiency, extendibility, reusability, and compatibility.3 While defensive programming suggests adding redundant checks everywhere, it leads to code complexity—the primary obstacle to software quality.2 DbC advocates an “offensive programming” posture: establish clear preconditions, postconditions, and invariants, and “fail hard” immediately when assertions are violated, simplifying debugging and ensuring correctness.1
Applying the Liskov Substitution Principle to AI contract boundaries establishes clear constraints on function execution 4:

• Preconditions cannot be strengthened: An implementation must not accept a narrower range of input than the interface specification dictates.4
• Postconditions cannot be weakened: An implementation must not return a wider, more ambiguous range of output than the specification guarantees.4
• Invariants cannot be weakened: An implementation must maintain core system state within specified tolerances throughout execution.4

In AI engineering, the model is inherently probabilistic. We cannot make the model itself fully deterministic. The useful question is: Can we make every boundary around the model explicit, enforceable, observable, testable, and safe to breach-handle? Inside the box, the model operates with probabilistic freedom; at the edges, it must sign deterministic paperwork.
To establish this discipline, systems architects must maintain clean distinctions across multiple operational dimensions:

• Flexibility versus Authority: The generative core is permitted to reason, draft, and propose, but it holds zero administrative authority. Any execution of state changes, data mutation, or outbound communication must be mediated by a deterministic runtime that validates permissions and rules before execution.5
• Schema Validity versus Truth: A model output conforming perfectly to a JSON schema is structurally valid, but syntactic correctness does not imply factual accuracy. Structuring constraints ensure format compliance; separate semantic and factual verifications are required to confirm truth.7
• Prompt Instruction versus Enforceable Boundary: Instructions embedded within prompts (e.g., “never reveal system keys”) are instructions, not security controls.6 Actual boundaries must be enforced by isolated software filters, input-scrubbing routines, and policy-as-code sidecars that are completely outside the model’s context window.
• Model Capability versus System Permission: A model’s computational ability to generate a tool invocation, generate SQL, or draft a financial transaction must never be confused with systemic authorization to perform that action.5
• Generated Action versus Authorized Action: Actions drafted by the model are treated as unauthenticated proposals. They are only translated into physical side effects after passing through a deterministic authorization engine (such as Open Policy Agent or Cedar).6
• Grounding versus Citation-Shaped Decoration: The presence of inline footnotes and citation links in a generated output often serves as a persuasive UX element rather than factual proof.8 Rigid grounding contracts must programmatically verify that claims are supported by retrieved sources, with proper temporal and logical qualifiers.7
• Memory versus Surveillance: Persistent agentic memory must not become an unconstrained data sink. It requires strict tenant isolation, local pseudonymization, automatic retention rules, and user-controlled deletion paths to prevent liability and privacy leakage.9
• Eval Score versus Release Contract: An eval is a formal release gate, not a subjective vibe check.14
• Logs versus Compliance Evidence: Raw diagnostic logs track errors; immutable, cryptographically signed events serve as compliance evidence.11
• User Trust versus User Expectation Contract: UX must cultivate calibrated trust, ensuring users rely on the system when correct and override it when it fails.17
• Vendor Route versus Model-Route Contract: Gateway abstraction maintains system stability across changing provider deployments.20
• Fallback versus Contract Downgrade: Fault tolerance must preserve safety properties even when dropping back to less capable local models.20

Conceptual Glossary

The following standardized terms form the core vocabulary of the contract thinking doctrine and are defined for uniform engineering application:

The Contract Stack Model & Drift Diagnostic

AI systems fail when contract layers silently diverge. A product promise may imply current policy compliance, while retrieval pulls stale documents. A schema may require citations, while the citation verifier only checks that a field exists. A UI may show an action as complete, while the downstream transaction failed. Contract thinking prevents these failures by aligning every layer from user expectation to deployment evidence.

CONTRACT STACK

[ User Expectation Contract ]
        |
[ Product / Workflow Contract ]
        |
[ Policy / Permission Contract ]
        |
[ Prompt / Context Contract ]
        |
[ Retrieval / Memory Contract ]
        |
[ Model Route Contract ]
        |
[ Schema / Output Contract ]
        |
[ Tool / Action Contract ]
        |
[ Eval / Verification Contract ]
        |
[ Deployment / Observability Contract ]

Each layer must be supported by the layers beneath it. The user interface must not promise a capability the product workflow cannot verify. The prompt must not request evidence the retrieval system cannot supply. The model route must not be assigned to a task class it has not passed. The tool contract must not execute an action the permission contract has not authorized.

Contract Drift Diagnostic

Drift Response Rule

When drift is detected, the system should prefer:

block unsafe action
downgrade authority
disclose uncertainty
reroute only to approved routes
preserve scoped evidence
open review when drift repeats

It should not silently “repair” contract drift in ways that hide misalignment. A patched-looking response can be worse than a clean refusal.

Contract Surface Inventory

A contract surface is any seam where probabilistic behavior touches structured systems, users, tools, memory, retrieval, policy, deployment, or evidence. Every surface needs an owner, enforcer, validation method, breach behavior, and evidence boundary.

The inventory should be maintained as a registry, not as prose buried in a design doc. If a surface has no owner, it has no contract.

Prompt Contract Specification

A prompt is not decorative prose or a venue for model coaxing; it is production code and must be engineered as versioned, testable, and deterministic configuration. Treating the model as the reliability layer is an architectural mistake.5 Instead, prompts must be written inside structured files (such as YAML, JSON, or TOML) that clearly outline the precise runtime conditions under which the model will execute.
The system context must also conform to a context contract. This contract specifies exactly what state enters the model, from where, and under what systemic authority.6 To prevent context bleed—which degrades model reasoning capacity by up to 90.2% when irrelevant data is carried across distinct tasks—sub-agents must be isolated by job function.5 Context isolation must be structurally enforced, ensuring that user data does not leak across session boundaries and system instructions remain shielded from malicious user manipulation.
The following Prompt Contract Template defines the schema and execution rules for a production-grade prompt configuration:

meta:  
  name: "InvoiceExtractionContract"  
  owner: "FinanceEngineeringGroup"  
  version: "2.4.1"  
  last_modified: "2026-03-15T09:30:00Z"  
  linked_eval_suite: "eval_invoice_extraction_v2"  
  rollback_target: "2.4.0"  
  change_log: "Added tax identifier extraction field and updated failure escalation rules."

task_boundary:  
  description: "Extract line-item billing information from raw unstructured text files."  
  allowed_languages: ["en", "de", "fr"]  
  max_input_length_characters: 50000  
  instruction_hierarchy:  
    system_directives: 1 # Highest priority, protected from user override  
    formatting_rules: 2  
    context_data: 3  
    user_inputs: 4 # Evaluated as untrusted payload only

input_assumptions:  
  expected_variables:  
    - name: "raw_invoice_text"  
      type: "string"  
      required: true  
    - name: "client_id"  
      type: "uuid"  
      required: true  
  context_sources:  
    - name: "organization_billing_rules"  
      origin: "postgres_db"  
      freshness_tolerance_seconds: 86400

behavioral_constraints:  
  allowed_behavior:  
    - "Extract merchant name, total, subtotal, tax amounts, line-items, and invoice date."  
    - "Perform currency code standardization using ISO-4217."  
  forbidden_behavior:  
    - "Do not calculate or infer missing values; report them as null."  
    - "Do not append conversational text, explanations, or markdown commentary outside the structured schema."  
  uncertainty_behavior:  
    low_confidence_threshold: 0.85  
    action: "Set extraction_confidence metric and populate low_confidence_fields array; do not omit the field."  
  refusal_and_escalation:  
    condition: "Text does not resemble an invoice or is written in an unsupported language."  
    response_mode: "explicit_refusal"  
    refusal_payload:  
      error_code: "UNSUPPORTED_DOCUMENT_TYPE"  
      message: "The provided document could not be identified as a valid invoice."  
      escalate_to: "manual_review_queue"

output_requirements:  
  format: "json_schema"  
  schema_reference: "invoice_extraction_schema_v3.json"  
  evidence_and_citation:  
    require_grounding: true  
    citation_scope: "line_level"  
    minimum_grounding_score: 0.90

Schema Contract Model & Multi-Layer Validation

Schemas turn model output into typed artifacts that software can inspect. A schema contract proves structure, not truth. A perfectly valid JSON object can still contain false claims, unsupported citations, unsafe recommendations, or unauthorized actions.

Structured-output mechanisms and constrained decoding can improve schema adherence, but production systems must still validate outputs at multiple layers.

SCHEMA VALIDATION STACK

[ Probabilistic Core ]
        |
        v
[ Structured Output / Constrained Decoding Where Supported ]
        |
        v
[ Serialization Validation ]
  valid JSON / XML / CSV / function call envelope
        |
        v
[ Schema Validation ]
  required fields | types | enums | object shape
        |
        v
[ Semantic Validation ]
  domain rules | ranges | invariants | cross-field logic
        |
        v
[ Factual Validation ]
  evidence | math | source-of-record | citations
        |
        v
[ Policy Validation ]
  safety | privacy | tenant | compliance | risk tier
        |
        v
[ Action Validation ]
  preconditions | authorization | idempotency | postconditions
        |
        v
[ Accepted Artifact or Breach Behavior ]

Validation Layers

Schema Contract Requirements

Important Rule

Do not treat schema adherence as success.

valid JSON ≠ correct answer
valid schema ≠ grounded answer
grounded answer ≠ authorized action
authorized action ≠ completed action
completed action ≠ user understood the result

Each equality must be earned by a separate contract.

Retrieval Contract Model & RAG Grounding Verification

Retrieval determines what reality enters the model. The retrieval contract defines which sources may be used, who may access them, how fresh they must be, how conflicts are handled, and what level of evidence is required before the model may make a claim.

The core doctrine is:

No evidence, no grounded claim.
Weak evidence, weak claim.
Conflicting evidence, disclosed conflict.
Stale evidence, time-bounded claim.
Unauthorized evidence, no context injection.

Retrieval Contract Specification

Grounding Verification Checks

Retrieval Breach Behaviors

A retrieval pipeline that cannot refuse unsupported claims is not grounded. It is just hallucination with footnotes.

Tool and Action Contract Model

Language becomes operationally dangerous at the tool seam. A model may propose an action, but only deterministic code may authorize, execute, verify, and record that action.

A tool contract defines the complete boundary between a model proposal and a real side effect.

Tool Contract Structure

Idempotency Key Doctrine

An idempotency key must identify the same logical operation across retries. It should not depend on attempt-specific IDs that change when the framework retries, unless those IDs are guaranteed stable for the logical operation.

idempotency_key =
  hash(
    actor_id
  + operation_id
  + tool_id
  + target_resource_id
  + normalized_arguments
  + authorization_context_hash
  )

Action State Machine

ACTION CONTRACT STATE MACHINE

[ Proposed ]
    |
    v
[ Parsed and Schema-Valid ]
    |
    v
[ Permission Checked ]
    |
    +-- deny --> [ Denied ]
    |
    v
[ Preconditions Verified ]
    |
    +-- fail --> [ Blocked / Needs Clarification ]
    |
    v
[ Idempotency Key Reserved ]
    |
    +-- duplicate --> [ Return Prior Result ]
    |
    v
[ Submitted ]
    |
    v
[ Confirmed by Source of Record ]
    |
    +-- fail --> [ Compensate / Escalate ]
    |
    v
[ Completed ]

Postcondition Verification

A tool call is not complete when the API returns. It is complete when the source of record confirms the expected state.

Tool Breach Behavior

The model proposes. The tool contract disposes.

Permission and Security Contract Model

A model’s ability to generate an action is not permission to execute it. Permission must be evaluated by deterministic policy outside the model, using the authenticated subject, tenant, resource, action, arguments, environment, risk tier, and approval state.

The default decision is deny.

Permission Decision Inputs

Permission Contract Outcomes

Policy Contract Pattern

{
  "decision_request": {
    "subject": {
      "id": "user_123",
      "role": "finance_reviewer",
      "tenant": "tenant_a",
      "scopes": ["invoice:read", "invoice:review"]
    },
    "resource": {
      "type": "invoice",
      "id": "inv_789",
      "tenant": "tenant_a",
      "classification": "confidential"
    },
    "tool": {
      "id": "invoice_approval_api",
      "action": "approve_payment"
    },
    "arguments": {
      "amount": "1250.00",
      "currency": "USD",
      "payee_id": "vendor_456"
    },
    "context": {
      "risk_tier": "high",
      "environment": "production",
      "approval_state": "maker_submitted_checker_pending",
      "route_id": "finance_review_governed"
    }
  }
}

Security Contract Controls

Anti-Patterns

Security contracts must be enforced before side effects, not explained after them.

Resource, Memory, and Model Route Contracts

Resource, memory, and model-route contracts define the runtime envelope around model behavior. They prevent runaway loops, privacy leakage, stale personalization, unsafe fallback, and provider-specific dependency drift.

Resource Contract Model

A resource contract constrains the amount of time, money, context, concurrency, and retry effort a model workflow may consume.

Resource Contract Template

resource_contract:
  contract_id: "<resource_contract_id>"
  owner: "<platform_or_finops_owner>"
  applies_to_routes:
    - "<route_id>"
  limits:
    max_input_tokens: 0
    max_output_tokens: 0
    max_total_tokens: 0
    max_loop_iterations: 0
    max_tool_calls: 0
    max_retries: 0
    latency_ceiling_ms: 0
    cost_budget_usd: 0
    concurrency_limit: 0
  breach_behavior:
    token_limit: "compress_or_refuse"
    loop_limit: "return_partial_and_escalate"
    cost_limit: "require_approval"
    latency_timeout: "fallback_or_queue"

Memory Contract Model

Memory is writable state. It must be scoped, permissioned, reviewable, and deletable. Memory should not become a surveillance landfill or a prompt-injection persistence layer.

Memory Contract Template

memory_contract:
  contract_id: "<memory_contract_id>"
  owner: "<memory_owner>"
  allowed_memory_types:
    - preference
    - workflow_context
    - user_confirmed_fact
  prohibited_memory_types:
    - secrets
    - unsupported_inferences
    - sensitive_data_without_policy_basis
  write_policy:
    require_user_confirmation: true
    require_provenance: true
    injection_scan_required: true
  read_policy:
    scope: "user | tenant | workflow | role"
    require_active_task_relevance: true
    require_permission_check: true
  retention:
    default_ttl_days: 0
    review_required: true
  user_controls:
    inspect: true
    edit: true
    delete: true
    disable: true
  breach_behavior:
    suspected_poisoning: "quarantine_memory_and_open_review"
    unauthorized_read: "deny_and_log"
    conflict: "ask_user_or_disclose_conflict"

Model Route Contract Model

A model route contract maps task classes and risk tiers to approved execution routes. Routes should be expressed as capability profiles, not as brittle vendor catalogs.

Model Route Contract Template

model_route_contract:
  route_id: "<route_id>"
  owner: "<platform_owner>"
  approved_task_classes:
    - "<task_class>"
  maximum_risk_tier: "low | medium | high | regulated"
  allowed_data_classes:
    - "public"
    - "internal"
  capability_profile:
    context_window: "small | medium | large"
    modalities: ["text"]
    tool_use: "none | read_only | write_with_approval"
    latency_class: "interactive | batch | async"
  execution_profile:
    primary_route: "<provider_or_runtime_alias>"
    fallback_routes:
      - route: "<fallback_route_id>"
        authority_downgrade: "disable_tool_execution"
        reason: "primary_unavailable"
  eval_gate:
    required_suite: "<eval_suite_id>"
    required_status: "pass"
  observability:
    emit_trace: true
    emit_cost: true
    emit_quality_sample: true
  breach_behavior:
    eval_expired: "block_route"
    provider_unavailable: "use_approved_fallback"
    fallback_not_safe: "fail_closed"

A fallback route must preserve the safety contract. If the fallback cannot meet the same permission, privacy, grounding, or action-verification requirements, it is not a fallback. It is a contract downgrade and must reduce authority.

Evaluation, Deployment, and Observability Contracts

Evaluation, deployment, and observability contracts turn AI behavior from a demo into an operated system. The eval contract decides whether a configuration may ship. The deployment contract defines exactly what shipped. The observability contract proves what happened at runtime.

Evaluation Contract Model

An evaluation contract defines the test suite, dataset, metrics, thresholds, owners, and release decision for a model route, prompt, schema, retrieval pipeline, tool, or full workflow.

Risk-Tiered Evaluation Gates

Avoid universal thresholds like “1,000 cases” or “100% refusal” unless the workflow justifies them. Thresholds must match task consequence, data quality, and measurement confidence.

Deployment Contract Model

A deployment contract is the signed manifest of the active AI system configuration.

deployment_manifest:
  manifest_id: "<manifest_id>"
  release_version: "<version>"
  owner: "<release_owner>"
  created_at: "<iso_datetime>"
  applies_to:
    workflow: "<workflow_id>"
    environment: "staging | production"
  components:
    prompt_contract: "<prompt_contract_id>@<version>"
    schema_contract: "<schema_contract_id>@<version>"
    retrieval_contract: "<retrieval_contract_id>@<version>"
    memory_contract: "<memory_contract_id>@<version>"
    tool_contracts:
      - "<tool_contract_id>@<version>"
    permission_policy_bundle: "<policy_bundle_hash>"
    model_route_contract: "<route_contract_id>@<version>"
    resource_contract: "<resource_contract_id>@<version>"
  eval_gate:
    eval_suite: "<eval_suite_id>"
    status: "pass | conditional | fail"
    report_hash: "<hash>"
  approvals:
    product_owner: "<approval_ref>"
    security_owner: "<approval_ref>"
    eval_owner: "<approval_ref>"
  rollback:
    previous_manifest_id: "<manifest_id>"
    rollback_conditions:
      - "schema_error_spike"
      - "policy_denial_spike"
      - "eval_regression"

Any change to prompt, schema, route, retrieval, memory, tool, policy, eval threshold, or resource envelope is a deployment event.

Observability Contract Model

The observability contract defines runtime telemetry. It should record enough to debug, evaluate, and govern the system without overcollecting sensitive data.

Telemetry vs. Audit Evidence

Audit evidence should not be raw logs with a fancy hat. It should be scoped, structured, minimized, and defensible.

User Expectation & Trust Calibration Contract

The user interface is a contract boundary. It tells the user what the system can do, what it cannot do, what evidence it used, what was excluded, what authority it has, and when the user must verify or decide.

Trust calibration means user reliance matches system competence. Overtrust creates rubber-stamping. Undertrust creates abandonment. The contract must make the system’s role legible.

Expectation Contract Elements

Trust Calibration Controls

Confidence Display Rule

Raw model confidence can mislead users. Prefer concrete status labels tied to verification:

Expectation Breach Examples

The UI should not ask users to trust the model. It should give users enough context to trust, verify, correct, or refuse the system appropriately.

Contract Breach Playbook

A contract breach occurs when any deterministic edge rejects, cannot verify, or cannot safely process model behavior, context, retrieval, memory, tool execution, policy, route, deployment, or user expectation.

Breach handling must be deterministic. The system should not improvise safety.

CONTRACT BREACH FLOW

[ Breach Detected ]
        |
        v
[ Classify Breach ]
  schema | semantic | factual | policy | permission | tool | resource
  memory | retrieval | route | deployment | observability | user expectation
        |
        v
[ Determine Severity ]
  low | medium | high | security/compliance incident
        |
        v
[ Contain ]
  block action | stop loop | freeze state | remove source | restrict memory | fail closed
        |
        v
[ Resolve or Escalate ]
  repair | retry | clarify | reroute | degrade | human review | incident
        |
        v
[ Preserve Scoped Evidence ]
        |
        v
[ Notify / Recover / Review ]

Breach Response Matrix

Evidence Preservation Rule

Preserve enough evidence to investigate, prove, and repair the breach without creating an uncontrolled sensitive-data archive.

Raw payload capture should be reserved for incident classes and environments where policy, legal basis, access control, and retention are explicitly defined.

Incident Escalation Triggers

A breach is not just an error. It is a signal that a contract boundary either worked, failed, or was missing.

Contract Review and Lifecycle Model

Contracts are living system artifacts. They must be created, approved, tested, released, monitored, reviewed, migrated, deprecated, and retired. A contract that exists only in prose is not a contract; it is a wish with headers.

Contract Lifecycle

Review Triggers

Contract Registry Fields

Contract lifecycle management is the maintenance discipline that keeps probabilistic systems from becoming folklore.

Cross-Canon Handoff Map

AI-ENG-AI defines the seam discipline that unifies the AI Engineering Systems Canon. Contract thinking turns prompts, schemas, retrieval, memory, tools, permissions, resources, model routes, evaluations, deployments, observability, vendor dependencies, and user expectations into enforceable boundaries around probabilistic cores.

Core Canon Rule

Every probabilistic capability must cross deterministic boundaries before it can affect users, systems, memory, tools, money, permissions, evidence, or production state.

The model may be probabilistic. The system must not be.

Works cited

1. Design by contract - Wikipedia, accessed June 15, 2026, https://en.wikipedia.org/wiki/Design_by_contract
2. Applying ‘design by contract’ - Michigan Technological University, accessed June 15, 2026, https://pages.mtu.edu/~aebnenas/teaching/spring2010/cs3141/readings/meyerPDF.pdf
3. Design By Contract: A Missing Link In The Quest For Quality Software, accessed June 15, 2026, https://wstomv.win.tue.nl/edu/2ip30/references/design-by-contract/index.html

4. API Security through Contract-Driven Programming

   CMU Software Engineering Institute, accessed June 15, 2026, https://www.sei.cmu.edu/blog/api-security-through-contract-driven-programming/

5. AI Agent Tool Use Best Practices for Practitioners - MLflow, accessed June 15, 2026, https://mlflow.org/articles/ai-agent-tool-use-best-practices-for-practitioners/
6. Why Open Policy Agent is the Missing Guardrail for Your AI Agents, accessed June 15, 2026, https://codilime.com/blog/why-use-open-policy-agent-for-your-ai-agents/
7. Groundedness detection in Azure AI Content Safety - Microsoft Learn, accessed June 15, 2026, https://learn.microsoft.com/en-us/azure/ai-services/content-safety/concepts/groundedness

8. RAG Grounding: 11 Tests That Expose Fake Citations

   by Nexumo …, accessed June 15, 2026, https://medium.com/@Nexumo_/rag-grounding-11-tests-that-expose-fake-citations-30d84140831a

9. LLMs and Data Privacy: How to Protect Sensitive Information - Duality Technologies, accessed June 15, 2026, https://dualitytech.com/blog/llm-data-privacy/
10. OPA Guardrails - TrueFoundry Docs, accessed June 15, 2026, https://www.truefoundry.com/docs/ai-gateway/opa-guardrails
11. Enforce least-privilege authorization in multi-agent AI delegation chains using Cedar on AWS - GitHub, accessed June 15, 2026, https://github.com/aws-samples/sample-cedar-agentic-ai-authorization
12. A Survey on Long-Term Memory Security in LLM Agents: Attacks, Defenses, and Governance Across the Memory Lifecycle - arXiv, accessed June 15, 2026, https://arxiv.org/html/2604.16548v2
13. MemPrivacy is a privacy-preserving personalized memory management framework for edge-cloud agents. - GitHub, accessed June 15, 2026, https://github.com/MemTensor/MemPrivacy
14. RAG Evals: Retrieval Relevance, Grounding, and Citation Fidelity - Vikas Goyal, accessed June 15, 2026, https://vikasgoyal.github.io/agentic/observe/rag-evals.html
15. RAG Testing — Validating Retrieval Accuracy, Grounding, and Context Leakage - Medium, accessed June 15, 2026, https://medium.com/@gunashekarr11/rag-testing-validating-retrieval-accuracy-grounding-and-context-leakage-b3145e3a7b26

16. Building Idempotent Tools for Long-Running Agents

    PADISO Blog, accessed June 15, 2026, https://www.padiso.co/blog/building-idempotent-tools-for-long-running-agents/

17. Designing for Trust Calibration: Why AI Tools Need to Stop Pretending to Be Certain

    by Lena C

    Bootcamp

    Medium, accessed June 15, 2026, https://medium.com/design-bootcamp/designing-for-trust-calibration-why-ai-tools-need-to-stop-pretending-to-be-certain-0e7b74d285be

18. Design Patterns For Building Trust, accessed June 15, 2026, https://smart-interface-design-patterns.com/articles/the-trust-calibration-spectrum-in-ux/
19. From Trust in Automation to Trust in AI in Healthcare: A 30-Year Longitudinal Review and an Interdisciplinary Framework - PMC, accessed June 15, 2026, https://pmc.ncbi.nlm.nih.gov/articles/PMC12562135/
20. Best LLM Router and AI Gateway (2026) - Inworld AI, accessed June 15, 2026, https://inworld.ai/resources/best-llm-router-ai-gateway
21. What Is an AI Gateway? Why Your Enterprise LLM Infrastructure Needs One - LiteLLM, accessed June 15, 2026, https://www.litellm.ai/blog/what-is-an-ai-gateway
22. Structured outputs with OpenAI and Pydantic - dida.do, accessed June 15, 2026, https://dida.do/blog/structured-outputs-with-openai-and-pydantic

23. Agent Idempotency: Build Tool Calls That Are Safe to Retry

    Chanl …, accessed June 15, 2026, https://www.channel.tel/blog/idempotent-tool-calls-agent-retry-safety

24. Explainable recommendation: when design meets trust calibration - PMC, accessed June 15, 2026, https://pmc.ncbi.nlm.nih.gov/articles/PMC8327305/

25. Memory scaling for AI agents

    Databricks Blog, accessed June 15, 2026, https://www.databricks.com/blog/memory-scaling-ai-agents

26. Structured model outputs

    OpenAI API, accessed June 15, 2026, https://developers.openai.com/api/docs/guides/structured-outputs

27. Stop Parsing JSON by Hand: Structured LLM Outputs With Pydantic - DEV Community, accessed June 15, 2026, https://dev.to/klement_gunndu/stop-parsing-json-by-hand-structured-llm-outputs-with-pydantic-1pg0
28. NeurIPS Poster SeCon-RAG: A Two-Stage Semantic Filtering and Conflict-Free Framework for Trustworthy RAG, accessed June 15, 2026, https://neurips.cc/virtual/2025/poster/115589
29. LLM Gateway Comparison 2025 - what I learned testing 5 options in production : r/AIQuality, accessed June 15, 2026, https://www.reddit.com/r/AIQuality/comments/1q57lfc/llm_gateway_comparison_2025_what_i_learned/
30. The Complete Guide to Using Pydantic for Validating LLM Outputs, accessed June 15, 2026, https://machinelearningmastery.com/the-complete-guide-to-using-pydantic-for-validating-llm-outputs/

Attribution

Part of Stunspot’s Guide to AI Systems — The AI Engineering Systems Canon.

Created by Sam “stunspot” Walker / Collaborative Dynamics.

Repository: https://github.com/Stunspot/stunspots-guide-to-ai-systems
Stunspot: https://stunspot.com
Collaborative Dynamics: https://www.collaborative-dynamics.com
Discord: https://discord.gg/stunspot

Licensed under CC BY-NC-SA 4.0 unless otherwise stated.
Commercial use, resale, paid redistribution, inclusion in commercial training products, or incorporation into paid knowledge-base products requires prior written permission.

← Back to Canon Map