Enterprise Support Agent for TechFlow

Agentic support system design: single tool-using agent, permission-aware retrieval, autonomy tiers 0 to 1
agentify design document production mode 2026-07-14

1. Executive summary

TechFlow should build a single tool-using agent behind an intent router, not a multi-agent system and not a bare workflow. The use case has open-ended dialogue and a small, well-scoped tool set (retrieve, look up subscription, write ticket), which lands it at rung 3 of the escalation ladder [knowledge/decision-trees.md].

The two decisions that shape everything else are permission-aware retrieval (the internal KB is tier-gated and past tickets carry PII, so retrieval must run under the caller identity) and a hard autonomy ceiling at tier 1 (create and update tickets, never touch billing). At the target load of 1,800 conversations per day, the design runs at roughly 0.06 USD per conversation against the 0.15 USD ceiling, and about 4,500 USD per month all in against the 6,000 USD ceiling. Rollout is staged behind evaluation gates, starting read-only.

Recommendation Build the agent. Gate every write behind an audit trail, escalate on low retrieval confidence, and do not connect any billing tool to the model.

2. Requirements and NFRs

Functional scope, confirmed with the customer:

  • Answer product questions from public docs and the tier-gated internal KB, with citations.
  • Look up order and subscription status for the authenticated customer.
  • Create and update support tickets.
  • Escalate to a human when confidence is low or the request is out of scope.

Non-goals (hard boundaries): never issue refunds, never change billing, never delete data. English only at launch.

NFRTargetSource
Throughput1,800 conversations/day, 40 concurrent sessions peakcustomer
LatencyFirst token < 2s, full answer < 10s p95customer
Availability99.9% (business-hours bias)customer
RTO / RPO4h / 15min for conversation statecustomer
Cost≤ 0.15 USD per conversation, ≤ 6,000 USD/monthcustomer
ComplianceSOC 2 Type II, GDPR (EU customers), no HIPAAcustomer
Quality40% ticket deflection with CSAT ≥ 4.2/5customer
Assumptions to validate Average conversation length is modeled at 4 turns and 3 agent model calls. Deflection is measured as resolved-without-human, not just contained. Peak concurrency is assumed steady within business hours rather than spiky; if traffic is bursty, revisit the concurrency budget in section 11.

3. Decision record

Each decision tree from [knowledge/decision-trees.md] was walked. Answers and the strongest rejected alternative:

GateDecisionWhy, and what lost
Need generative AI?YesFree-text questions over unstructured docs need synthesis. Rejected: pure search (cannot compose an answer or drive ticket actions).
Escalation ladderRung 3, single agentThe path is not predetermined: some turns need retrieval, some a subscription lookup, some a ticket write, in an order that depends on the question [knowledge/building-effective-agents.md]. Rejected: a fixed workflow (rung 2), which cannot handle the branching without an unwieldy router tree.
Single vs multi-agentSingleThree tools with no overlap and one coherent task do not justify multi-agent token cost (roughly an order of magnitude more) [knowledge/multi-agent-orchestration.md]. Anti-escalation rule applied.
Knowledge strategyRAG, permission-awareKB changes weekly and is tier-gated; retrieval must filter by entitlement [knowledge/rag-patterns.md]. Rejected: fine-tuning (facts change weekly; no style need) and long-context (2,000 pages exceed a sane per-call budget).
Autonomy tiersTier 0 to 1 onlyReads and reversible ticket writes are safe to automate; billing and deletion are out of scope by design [knowledge/security-governance.md].
Memory tierSession state + compactionMulti-turn within a session, no cross-session personalization required at launch [knowledge/context-memory.md].

4. System architecture

An intent router (a cheap model) admits and classifies each turn, then hands to the agent, which reasons in a bounded tool loop against a retriever, a subscription-lookup tool, and a ticket tool. Input and output guardrails bracket the model. The agent runs under the caller identity so retrieval and tools inherit the user's entitlements.

Agent runtime (user identity propagated) Support Users Web / Chat widget Input Guardrails injection + PII scan OWASP LLM01 Intent Router small model, cached Support Agent tool loop, max 8 steps Model Gateway routing + fallback multi-provider Retriever hybrid + rerank entitlement filter Vector Index KB + tickets Session Memory state + summaries Ticket Tools MCP server tier 1 writes Human Review tier 2+ actions Output Guardrails groundedness check Eval Pipeline traces to golden set offline + canary Observability OTel GenAI spans query agentic path LLM calls search act tier 2+ response traces Legend External Guardrail LLM router Agent Model gateway Retriever Vector store Memory / state Tool / MCP server Human review Eval loop Cloud
Figure 1. Component architecture. The dashed boundary marks the agent runtime, where the authenticated user identity is propagated to the router, agent, retriever, and memory.
ComponentServesScalingFailure mode and fallbackTech example
Input guardrailInjection + PII defenseStateless, horizontalFail closed: block the turnRules + small classifier + moderation [knowledge/security-governance.md]
Intent routerCheap triage, cost controlStateless, horizontalFall through to agent on errorHaiku-class model, cached
AgentReasoning and tool loopStateless workers, horizontalMax 8 steps then escalateSonnet-class model
Model gatewayRouting, provider fallbackStateless, horizontalSecondary provider on outageGateway with multi-provider routing [knowledge/latency-cost-reliability.md]
RetrieverPermission-aware RAGStateless, horizontalDegrade to docs-only, flagHybrid search + reranker [knowledge/rag-patterns.md]
Vector indexKB + ticket embeddingsStateful, read replicasRebuildable from sourcepgvector or OpenSearch-class
Session memoryMulti-turn stateStateful, partitionedRPO 15min via replicationRedis-class + durable log
Ticket toolsSubscription read, ticket writeStateless, horizontalRetry idempotently, then escalateMCP server over internal APIs [knowledge/interoperability-observability.md]
Human reviewEscalation targetHuman capacityQueue with SLAExisting support desk
Output guardrailGroundedness, safetyStateless, horizontalSuppress ungrounded claimsGroundedness check [knowledge/evaluation.md]

5. Data and retrieval

Four sources with different trust and freshness profiles: public product docs (~2,000 pages, weekly refresh), the internal KB (tier-gated), the order and subscription database (per-tenant, strictly isolated), and past tickets (PII present). The retrieval design follows advanced RAG [knowledge/rag-patterns.md]: hybrid dense plus keyword search, reranking to the top passages, and query rewriting on follow-up turns.

Permission-aware retrieval

This is the crux. Every chunk is indexed with its entitlement metadata (public, customer tier, tenant id). The retriever receives the caller identity from the agent runtime and filters candidates by entitlement before ranking, so a customer never retrieves another tenant's data or a higher tier's KB [knowledge/security-governance.md]. PII in past tickets is scrubbed at ingestion and access to ticket embeddings is tenant-scoped.

Freshness

Docs reindex weekly on publish; the KB and tickets stream incremental updates with delete propagation so revoked content leaves the index promptly.

6. Tools and integrations

Three tools, each with an explicit autonomy tier and enforcement gate [knowledge/security-governance.md]. Tools are exposed as an MCP server so the interface is typed and versioned [knowledge/interoperability-observability.md].

ToolContractTierEnforcement
search_knowledgequery, identity, filters → passages0 (read)Entitlement filter in the retriever
get_subscriptionidentity → status, plan, renewal0 (read)Tenant-scoped credential, read-only role
create_or_update_ticketidentity, fields → ticket id1 (reversible write)Idempotency key, full audit log, rate cap per session
Out of scope by construction No billing, refund, or delete tool exists in the tool registry. This is enforced by absence, not by a prompt instruction: the model cannot call what it is not given.

7. State and memory

Conversation state is held per session with summarization-based compaction once the turn history approaches the context budget [knowledge/context-memory.md]. No long-term cross-session memory ships at launch, which keeps the PII surface small. State is replicated to meet the 15 minute RPO, and a durable event log allows a session to resume after a worker restart.

8. Security, identity, and guardrails

Threat surfaces present here [knowledge/security-governance.md]: user input (prompt injection), retrieved content (indirect injection from KB or ticket text), and tool outputs. The lethal-trifecta test applies, since the agent has private data access, exposure to untrusted content, and a write tool; the mitigation is to keep writes reversible (tier 1) and to bracket the model with guardrails.

LayerMitigates (OWASP)
Input validation + classifierLLM01 prompt injection, LLM02 sensitive-info disclosure
Entitlement-filtered retrievalLLM02, excessive data exposure
Tool tiering + absent billing toolsLLM06 excessive agency (ASI: uncontrolled autonomy)
Output groundedness checkLLM09 misinformation
Full audit log of prompt, response, tool callsForensics, SOC 2 evidence

Identity: the agent acts with the authenticated user's permissions, not a broad service account, so a compromised turn cannot reach data the user could not already see. Tenancy: vector index, memory, and caches are tenant-scoped. Governance: maps to NIST AI RMF MEASURE (evals) and MANAGE (audit, escalation) [knowledge/security-governance.md].

9. Evaluation plan

Eval before launch, gates between phases [knowledge/evaluation.md].

  • Golden set: 150 to 300 real questions, stratified by intent and customer tier, including negative and out-of-scope cases, refreshed monthly from production traces.
  • Component metrics: retrieval recall@k and reranked precision measured separately from generation; generation scored for faithfulness and answer relevance (RAGAS-style, plus the TruLens triad) [knowledge/evaluation.md].
  • Agent metrics: task completion, tool-call correctness, and pass^k for reliability across repeated runs, since tool agents are inconsistent even at high single-run scores [knowledge/evaluation.md].
  • Judge: LLM-as-judge with rubric prompting and position and verbosity bias controls; judge version pinned.
GateUnlocks
Offline faithfulness and no confidentiality leak on the golden setShadow
Shadow parity with human answers, zero entitlement violationsCanary (5%)
Canary CSAT ≥ 4.2 and deflection trending to targetGeneral availability

10. Observability

Every turn emits a trace with the full reasoning chain as spans (router, agent step, each retrieval, each tool call) using OpenTelemetry GenAI conventions, capturing tokens, latency, and cost per span [knowledge/interoperability-observability.md]. Dashboards track deflection, CSAT, p50/p95 latency per stage, cost per conversation, guardrail trigger rate, and eval-score drift. Alerts fire on cost anomalies, latency breach, a spike in escalations, or any entitlement-filter error. Sampled production traces flow back into the golden set.

11. Scale and cost analysis

Model pricing used, [live-sourced 2026-07-14]: Haiku 4.5 at 1.00 USD input and 5.00 USD output per million tokens; Sonnet 4.6 at 3.00 USD input and 15.00 USD output per million tokens, with prompt caching at roughly 10% of input price on cached tokens.

Per-conversation cost (4 turns, ~3 agent calls)

ElementTokensCost
Guardrails + router (Haiku)~3k in, ~150 out~0.004 USD
Agent, 3 calls (Sonnet)~2k cached + ~4k fresh in, ~400 out each~0.056 USD
Embedding + rerankquery-scale~0.001 USD
Total per conversation~0.06 USD (ceiling 0.15)

Monthly: 1,800/day times 30 is 54,000 conversations at ~0.06 USD is ~3,240 USD in model spend. Add vector index hosting, reranker, memory, and observability for roughly 4,500 USD all in, under the 6,000 USD ceiling.

Latency budget (p95 ≤ 10s)

Input guardrail ~0.3s, router ~0.5s, retrieval ~0.7s, agent reasoning across 3 calls ~6s (streaming gives first token under 2s), tool calls ~0.8s, output guardrail ~0.4s. Tail latency compounds across the agent loop [knowledge/latency-cost-reliability.md], so the 8-step cap and per-stage timeouts protect the SLO.

At 10x (18,000 conversations/day)

Model spend alone would reach ~32,000 USD/month, over budget. Levers, in order: semantic caching (support questions repeat heavily, a 40 to 50% hit rate is realistic and cuts cost proportionally), route more turns to Haiku, and widen prompt caching. Concurrency rises from 40 to ~400, which the stateless router, agent, and guardrail tiers absorb horizontally; the vector index needs read replicas and the memory store needs partitioning.

12. Failure modes and degradation

FailureDegradation
Model provider outageGateway fails over to secondary provider; if both down, static help + human queue [knowledge/latency-cost-reliability.md]
Retrieval degradedAnswer from public docs only, flag reduced confidence, offer escalation
Tool (ticket API) failureIdempotent retry, then escalate with context preserved
Runaway loop8-step cap ends the turn and escalates
Guardrail false positiveRoute to human rather than block silently; track rate

For any tier 1 write, the system fails closed: if the audit log write fails, the ticket action does not proceed.

13. Rollout plan

  1. Crawl (read-only): answers with citations, no ticket writes, internal users only. Gate: offline faithfulness and zero entitlement leaks.
  2. Walk (canary): 5% of real customers, ticket creation enabled at tier 1, subscription reads live. Gate: shadow parity, CSAT hold, zero confidentiality violations [knowledge/evaluation.md].
  3. Run (GA): full traffic, ticket updates enabled, human escalation always available. Field feedback and sampled traces feed the golden set and the next iteration [knowledge/genai-sysdesign-loop.md].

14. Request walkthrough

The primary path for a single customer turn, from admission through grounded response.

Admit Reason + act Ground + return question clean text intent + context search KB (user identity) entitled passages lookup order status subscription data create ticket (tier 1) ticket id draft answer + citations grounded reply Customer portal session Input Guard injection + PII Router intent, cheap model Agent tool loop Retriever ACL-scoped RAG Ticket Tools MCP server Output Guard groundedness Legend request return security async trace
Figure 2. Query sequence. Retrieval and tools run under the caller identity; the output guardrail checks groundedness before the reply is returned.

15. References

Knowledge base

  • knowledge/decision-trees.md, building-effective-agents.md, multi-agent-orchestration.md (pattern selection)
  • knowledge/rag-patterns.md (permission-aware retrieval), context-memory.md (state)
  • knowledge/security-governance.md (guardrails, identity, OWASP and NIST mappings)
  • knowledge/evaluation.md (eval-driven development, gates), interoperability-observability.md (MCP, tracing)
  • knowledge/latency-cost-reliability.md, enterprise-architecture.md (capacity, cost, DR)

Live-sourced

  • Anthropic API pricing, retrieved 2026-07-14, for the cost model in section 11.

Each knowledge document carries its own primary-source citations; see agentify/knowledge/SOURCES.md for provenance.