Promote Loops, Not Conversations
The central mistake in advanced agent work is treating a successful session as the artifact. A good session is only a trace. The artifact is the loop you can rerun: trigger, skill, tools, state, output, verification, and escalation. Once a workflow survives repeated manual use, move it out of chat and into a versioned package with explicit inputs, preconditions, allowed tools, expected outputs, and known failure modes.
Start by auditing actual repeated work, not imagined automation opportunities. Mine prior coding-agent sessions, shell history, Slack requests, tickets, and recurring weekly chores. The best candidates have stable intent, repeatable inputs, observable outputs, and bounded authority. Do not automate taste-heavy tasks first. For subjective work, package augmentation: draft, segment, render, critique, and wait for human direction. For measurable work, push toward unattended execution.
Keep skills and routines separate. A skill is the operating procedure. A routine is when and where it runs. That separation lets you improve the agent’s reasoning, tool descriptions, gotchas, and verification plan without touching cron, Slack commands, n8n triggers, or cloud schedule configuration. A routine should declare four things only: trigger, skill, tools, and output destination.
Give the Agent a Filesystem It Can Navigate
Once loops become reusable, state becomes the bottleneck. Long-running agents fail less from lack of intelligence than from losing the map: where source material lives, what was tried, which outputs were accepted, which constraints are protected, and what the next run should compare against. Treat the working directory or vault as the agent’s memory bus, not as a dumping ground.
Use a predictable layout: raw inputs, synthesized knowledge, generated outputs, logs, approvals, and reusable references. Put an index file at every meaningful level. Add a top-level agent instruction file that explains lookup paths, naming rules, protected areas, and when to read prior runs before acting. For visual, video, code, or ops workflows, keep presets and brand or environment constraints as files the agent can inspect instead of restating them in prompts.
Logs are not just compliance artifacts. They are training data for the next execution. Record run ID, trigger, model, skill version, tools invoked, command output summaries, artifacts produced, validation results, cost, latency, approval decisions, and final outcome. When an overnight loop wakes up, it should ask: what happened last time, what changed, what invariant must still hold, and which prior failure pattern applies here?
Build Verification Into the Loop
Autonomy without verification is just batch prompting. Every mature loop needs layered checks before results reach users or mutate state. For coding, require a verification plan before edits, then run tests, linters, type checks, smoke tests, and targeted inspections. For diagrams, render JSON to PNG and have the agent inspect layout, hierarchy, arrow flow, and spacing before handing it off. For video, lock the rough cut before graphics generation, then validate captions, music gain, segment timing, and re-render only affected sections.
The pattern is always the same: generate, materialize, inspect, patch, and only then publish. Text-only self-critique is too weak for artifacts with external structure. Render the diagram. Export the video. Run the command. Query the service. Open the page. Compare against the expected output. If the loop cannot observe its own artifact, it is not ready for unattended operation.
Put Human Validation Zones around irreversible or high-risk actions: payments, production deploys, data deletion, external messaging, repo merges, and infrastructure changes. Require structured output such as `needs_approval`, `commands_requested`, `risk_level`, `applied_fix`, and `rollback_plan` so downstream systems can branch deterministically. Approval should gate authority, not reasoning. Let the agent diagnose deeply, prepare the patch, and explain the intended mutation, then pause before execution.
Expose Tools as Narrow, Auditable Capabilities
A useful agentic OS is mostly tool plumbing with taste. Code is the universal interface because it lets the agent touch files, shells, APIs, browsers, renderers, transcription engines, FFmpeg, diagram tools, and SaaS systems. But broad tool access is where long loops become dangerous. Wrap tools behind narrow descriptions and constrained sub-workflows. An SSH tool should not be “run any command.” It should be a diagnostic capability with allowed command families, protected containers, and explicit topology notes.
For non-terminal users, expose routines through Slack, a web panel, voice, or an internal dashboard. The UI should not be a chat box pretending to be infrastructure. It should present named skills, required inputs, run status, artifacts, approvals, logs, and cost. Slack-native agents are especially powerful for async engineering teams: they can summarize repo state, triage pull requests by target branch and CI status, answer architecture questions, and call internal tools. That power requires scoped channel bundles, repository permissions, spend limits, and audit trails before ambient access is enabled.
MCP-backed tools are the right abstraction boundary when agents need Notion, GitHub, Zapier, internal APIs, or image generation endpoints. The same loop can be entered by schedule, Slack command, voice request, or web button, but it should call the same skill and write the same logs. Entry points multiply. The operational core should not.
Route Models and Parallel Work Like Infrastructure
At frontier usage, model choice is an operations decision. Cheap models can classify, summarize logs, extract structured fields, and draft routine artifacts. Stronger models should handle multi-step diagnosis, ambiguous code changes, tool-heavy recovery, and final risk review. Route by task shape and escalation signal: failed cheap-pass verification, unfamiliar error class, production blast radius, high token compression, or conflicting evidence.
Parallelism should be deliberate. Launch independent agents for repo reconnaissance, implementation planning, test design, security review, documentation, or competing hypotheses, then merge results through a coordinator that owns the final spec. Parallel agents reduce anchoring, but they also multiply cost and inconsistency. Require each sub-agent to return claims with evidence paths, commands run, confidence, and unresolved questions. Do not let five agents all mutate the same branch without a merge protocol.
Cost control belongs in the harness, not in the operator’s anxiety. Track tokens, wall time, tool calls, retries, artifact size, and model mix per run. Put budgets on routines, channels, teams, and skills. Cache expensive context summaries, reuse transcripts for captions instead of transcribing again, render only changed video segments, and split large diagrams or code audits into bounded sections. The finished system feels less like a clever prompt and more like an operating system: scheduled, observable, permissioned, memoryful, and boring enough that someone outside the terminal can run it without inheriting your risk.
Key takeaways
- Promote only proven manual workflows into routines; keep the skill instructions separate from the schedule or UI trigger.
- Treat filesystem structure, index files, run logs, and prior outcomes as the agent’s durable memory layer.
- Require artifact-level verification: render, run, inspect, compare, patch, and publish only after checks pass.
- Wrap MCP, SSH, GitHub, media, and SaaS access as narrow capabilities with scoped permissions and audit logs.
- Use stronger models for ambiguous, tool-heavy, high-risk loops, and cheaper models for classification, extraction, and routine passes.
- Expose mature loops through Slack, web, voice, or dashboards, but keep one shared operational core behind every entry point.