A production agent stack is not a framework. It is twelve specific concerns, each of which has to be solved with deliberate engineering or it will solve itself badly later. This is the reference we deploy at Synthara when we're not constrained by an existing stack — and what we add layer-by-layer when we are.
TL;DR — The Stack in One Sentence
A production agent in 2026 needs edge gateway → auth → request shaping → model router → orchestration → retrieval → memory → tool layer → guardrails → evaluation → observability → cost control, and the order matters because each layer depends on the ones below it.
The Reference Architecture
┌─────────────────────────────┐
│ Edge Gateway (Layer 1) │ Cloudflare / Vercel Edge
└─────────────┬───────────────┘
│
┌─────────────────────────────────────┼─────────────────────────────────┐
│ │ │
┌────────▼─────────┐ ┌───────────▼────────────┐ ┌──────────▼──────────┐
│ Auth + Tenancy │ │ Request Shaping │ │ Cost & Quota Gate │
│ (Layer 2) │ │ (Layer 3) │ │ (Layer 12) │
└────────┬─────────┘ │ PII redact, classify │ └──────────┬──────────┘
│ └───────────┬────────────┘ │
│ │ │
└─────────────────────────────────────┼─────────────────────────────────┘
│
┌─────────────▼───────────────┐
│ Model Router (Layer 4) │ small / medium / large
└─────────────┬───────────────┘
│
┌─────────────▼───────────────┐
│ Orchestration (Layer 5) │ LangGraph
└────┬──────────┬──────────┬──┘
│ │ │
┌────────▼┐ ┌──────▼─┐ ┌─────▼────┐
│Retrieval│ │ Memory │ │ Tools │
│(Layer 6)│ │(L. 7) │ │(Layer 8) │
└────────┬┘ └──────┬─┘ └─────┬────┘
│ │ │
┌────▼──────────▼──────────▼────┐
│ Guardrails (Layer 9) │
└─────────────┬─────────────────┘
│
┌─────────────▼───────────────┐
│ Evaluation (Layer 10) │
└─────────────┬───────────────┘
│
┌─────────────▼───────────────┐
│ Observability (Layer 11) │
└─────────────────────────────┘
Layer 1 — Edge Gateway
Purpose: terminate TLS, geo-route, absorb bursts, apply WAF rules, fingerprint clients.
Default pick: Cloudflare Workers or Vercel Edge Functions.
Why it matters: Every additional network hop adds ~30–80ms of TTFT. Terminating at the edge lets you reject obvious abuse, cache identical requests, and run lightweight pre-checks (PII regex, rate limiting) without round-tripping to your origin.
What runs here: input length validation, simple regex PII redaction, JWT signature check (not full session lookup), and a coarse rate limit.
Layer 2 — Authentication and Tenancy
Purpose: identify the caller, attach a tenant ID, attach an entitlement (which models, which tools, which knowledge bases).
Default pick: Clerk, Auth0, WorkOS, or self-hosted Ory. For B2B-only systems, prefer the SSO-first vendors (WorkOS) over consumer-first ones.
The tenant ID becomes the most important field in every downstream trace. Everything from cost attribution to RAG filtering to log access depends on it.
Layer 3 — Request Shaping
Purpose: classify intent, redact PII deeply, attach metadata that downstream stages depend on.
This is where you decide what kind of request this is. A pricing question routes to a different agent than a debugging question. A high-stakes request (refunds, account closure) routes through a stricter approval graph.
pythonclass ShapedRequest(BaseModel): raw_text: str redacted_text: str pii_detected: list[PIIType] intent: Intent sensitivity: Sensitivity tenant_id: UUID user_id: UUID locale: str history_summary: str async def shape(req: RawRequest, user: User) -> ShapedRequest: redacted, pii = await pii_redactor.run(req.text) intent = await intent_classifier.classify(redacted) return ShapedRequest( raw_text=req.text, redacted_text=redacted, pii_detected=pii, intent=intent, sensitivity=infer_sensitivity(pii, intent), tenant_id=user.tenant_id, user_id=user.id, locale=req.locale, history_summary=await summarize(user.recent_messages), )
Layer 4 — Model Router
Purpose: pick the right model for the request, with fallback.
This layer routinely cuts inference cost by 40–70% with no quality regression. The simple version: a small classifier picks small | medium | large, and a multi-provider router maps each tier to a primary and fallback.
| Tier | Primary | Fallback | Use cases |
|---|---|---|---|
| small | Haiku 4.5 / GPT-4.1-mini / Llama 3.3 8B (self-hosted) | the others | Routing, classification, simple Q&A |
| medium | Sonnet 4.6 / GPT-4.1 / Mistral Large | the others | Most chat, retrieval-augmented answers |
| large | Opus 4.7 / GPT-5 / Llama 3.3 70B (self-hosted) | the others | Reasoning, planning, complex tool use |
Multi-provider routing is non-negotiable: any single provider will have a multi-hour outage in any given quarter. Treating that as a known fact and writing failover into the router is the difference between a five-nines product and a four-nines one.
Layer 5 — Orchestration
Purpose: define the agent's control flow.
Default pick: LangGraph for production. (See our framework comparison.)
Key properties to insist on: explicit state, persistable checkpoints, interruptible execution, streaming of state and tokens, and OpenTelemetry instrumentation that survives parallel branches.
Layer 6 — Retrieval
Purpose: ground the agent in your data.
Default pick: Qdrant or pgvector for the store, BGE-large or OpenAI text-embedding-3-large for embeddings, BGE-reranker-v2-m3 for reranking, hybrid (BM25 + dense) fusion.
See the vector database showdown for the database decision and the hallucination defense post for the rest of this layer.
Layer 7 — Memory
Purpose: give the agent useful continuity without context-window bloat.
Four memory tiers that compose well:
- Working memory — the current LangGraph state. Lives for one request lifetime.
- Episodic memory — summaries of past sessions, indexed by user + topic. Retrieved when relevant.
- Semantic memory — extracted facts ("Anna's company uses Postgres 16"), stored as structured records.
- Procedural memory — learned routines ("when this user asks for invoices, always include the PO number").
Implementation defaults: episodic and semantic in a vector store with structured metadata; procedural in a small relational schema. Memory writes are deliberate — emitted by a "remember this" tool the agent calls, not a silent side effect of every interaction.
Layer 8 — Tool Layer
Purpose: give the agent the ability to act.
The tool layer is where teams most underinvest. A good tool layer has:
- Typed schemas — Pydantic models for both inputs and outputs. The model sees the same schema the runtime enforces.
- Idempotency keys — every mutating tool call carries a key so retries don't double-bill.
- Per-tool authorisation — a "send_email" tool checks the user has permission for that recipient, not just permission to send email.
- Per-tool budgets — a "run_sql" tool has a wall-clock and row-count limit. The model can spend the budget once.
- Sandbox boundaries — code-execution tools run in firecracker or gvisor sandboxes with no network egress by default.
pythonclass SendEmailInput(BaseModel): to: EmailStr subject: str = Field(max_length=120) body: str = Field(max_length=8000) idempotency_key: UUID class SendEmailOutput(BaseModel): message_id: str delivered_at: datetime @tool(authz="email:send", budget=Budget(calls_per_session=5)) async def send_email(input: SendEmailInput, ctx: ToolContext) -> SendEmailOutput: if not ctx.user.can_email(input.to): raise PermissionError(...) return await mailer.send(input)
Layer 9 — Guardrails
Purpose: enforce policy that cannot be enforced by prompts alone.
What belongs here, by category:
- Input — prompt-injection detection, jailbreak heuristics, profanity filtering (when applicable), policy classification.
- Output — toxicity scoring, PII leakage detection, policy compliance, citation requirement enforcement.
- Action — pre-action approval for destructive tools, dry-run mode, scope checks.
Default picks: Llama Guard 3 or NVIDIA NeMo Guardrails for the model-side checks; Presidio for PII; custom policy classifiers for domain rules.
Layer 10 — Evaluation
Purpose: know whether the system is getting better or worse.
A production-grade eval harness has three components:
- Golden set — 200–500 hand-curated scenarios with expected outputs or evaluation criteria. Versioned in git.
- LLM-as-judge harness — automated rubric scoring (groundedness, helpfulness, safety, format compliance).
- Regression suite on production traces — replay yesterday's traces against today's prompts. Diff the scores.
python@eval_scenario(tags=["billing", "refund"]) async def test_refund_flow(): response = await agent.run( "I want a refund for order #12345 — it arrived broken.", user=test_users.PAYING, ) judge = await llm_judge.evaluate(response, rubric={ "helpfulness": "Did it acknowledge the issue and offer next steps?", "policy_compliance": "Did it follow the refund SOP?", "tone": "Was it empathetic without overpromising?", }) assert judge.score >= 0.85
This is the layer most teams skip. It is also the one that determines whether you can confidently ship prompt changes.
Layer 11 — Observability
Purpose: see what happened, fast.
Three signals, one trace ID:
- Traces — OpenTelemetry spans covering every LLM call, tool call, retrieval, and guardrail check.
- Evals — sampled groundedness / helpfulness / safety scores from production.
- Business metrics — task completion rate, escalation rate, CSAT, refund volume.
The defining property of good agent observability is being able to start from a customer complaint and trace it down through evals to specific spans without context-switching tools more than once. Wire everything through trace_id and you get this property by default.
Default picks: Langfuse (self-hosted) or LangSmith (managed) for the LLM-specific layer; OpenTelemetry to your standard observability stack (Grafana / Datadog / Honeycomb) for everything else; correlate via trace_id.
Layer 12 — Cost Control
Purpose: stop the agent from spending your runway.
Three concrete controls:
- Per-request budget — hard token cap enforced at the model router. Refuse cleanly above it.
- Per-tenant rate and spend limit — tracked in Redis with sliding window. Returns 429 with a friendly message when exhausted.
- Per-tool budget — already covered in Layer 8.
Cost control is the layer most teams "wait to add until it matters." It always matters before that, in the form of one runaway bug burning $4,000 in a weekend.
A Realistic 10-Week Build Order
| Week | Layers shipped | Why |
|---|---|---|
| 1 | Auth, model router, orchestration skeleton, basic retrieval | Get something end-to-end |
| 2 | Memory tiers (working + episodic) | Agent stops feeling amnesiac |
| 3 | Tool layer with typed schemas | Agent can act |
| 4 | Evaluation harness with 100-case golden set | You can now measure |
| 5 | Reranker + sufficiency gate (hallucination defense) | Quality jump |
| 6 | Guardrails (input + output) | Policy posture |
| 7 | Observability (traces + sampled evals) | Production debuggability |
| 8 | Cost control + per-tenant quotas | Sustainable economics |
| 9 | Edge gateway + request shaping | TTFT and abuse posture |
| 10 | Hardening, load test, regression suite from production traces | Ship-readiness |
Ship in this order and at each weekly checkpoint you have a more-defensible product. Ship in any other order and you accumulate quiet debt.
Frequently Asked Questions
What does a production AI agent stack include in 2026?
Twelve concrete layers: edge gateway, auth, request shaping, model router, orchestration, retrieval, memory, tool layer, guardrails, evaluation, observability, and cost control.
How long does it take to build a production agent stack from scratch?
A focused team builds a minimum production-grade stack in 6–10 weeks. The first four weeks are orchestration, retrieval, memory, and the eval harness. Weeks five through ten harden it with guardrails, observability, and cost control.
Can I use one tool for both observability and evaluation?
LangSmith, Langfuse, Arize Phoenix, and Helicone all do both reasonably well. LangSmith integrates deepest with LangGraph; Langfuse is the strongest open-source self-hostable option; Arize is the strongest for ML drift detection.
What's the most-skipped layer that hurts the most?
The evaluation harness. Teams ship a chatbot, declare victory, and discover six weeks later that they have no way to know whether a prompt change made things better or worse. Build the eval harness first.
Should I build all of this in-house?
No. Layers 4 (router), 9 (guardrails), 10 (eval), and 11 (observability) have mature managed offerings that are cheaper and better than what most teams build internally. Build the parts that are your differentiator; buy the rest.
Key Takeaways
- Production agents need twelve layers; the eval harness and cost-control layer are the most-skipped and most-impactful.
- Build the gateway, orchestration, memory, and eval harness in the first four weeks. Defer everything else until those are stable.
- Multi-provider model routing is non-negotiable for production cost and resilience.
- Observability is not a single tool — it's three signals (traces, evals, business metrics) wired through one trace ID.
- Build what differentiates; buy the rest.
What does a production AI agent stack include in 2026?
Twelve concrete layers: edge gateway, auth, request shaping, model router, orchestration, retrieval, memory, tool layer, guardrails, evaluation, observability, and cost control. Skipping any of them produces a system that demos well and fails in production.
How long does it take to build a production agent stack from scratch?
A focused team builds a minimum production-grade stack in 6–10 weeks. The first four weeks are orchestration, retrieval, memory, and the eval harness. Weeks five through ten harden it with guardrails, observability, and cost control.
Can I use one tool for both observability and evaluation?
LangSmith, Langfuse, Arize Phoenix, and Helicone all do both reasonably well. They are not interchangeable beyond that — LangSmith integrates deepest with LangGraph; Langfuse is the strongest open-source self-hostable option; Arize is the strongest for ML drift detection.
What's the most-skipped layer that hurts the most?
The evaluation harness. Teams ship a chatbot, declare victory, and discover six weeks later that they have no way to know whether a prompt change made things better or worse. Build the eval harness first.
