Agentic Patterns and Tool Use: ReAct, Function Calling, and Orchestration
Design LLM systems that use tools safely, including ReAct loops, function calling, planning, supervisor-worker orchestration, multi-agent patterns, and safety controls.
What Is an Agent?
An LLM agent is a system where the model can decide steps, call tools, observe results, and continue until it completes a task or stops. The model is not just generating text; it is participating in a control loop.
Tool access changes the risk model: A model that can call tools can spend money, change data, leak information, or trigger side effects if controls are weak.
Tool Calling
Tool calling lets the model produce structured arguments for code you own.
```json
{
  "tool": "get_order_status",
  "arguments": {
    "orderId": "ord_123"
  }
}
```
Tool Design Rules
| Rule | Reason |
|---|---|
| Use narrow tools | Easier to validate and authorize |
| Define schemas strictly | Reduces malformed calls |
| Separate read and write tools | Write tools need stronger controls |
| Return compact observations | Avoid context bloat |
| Make tools idempotent when possible | Retries become safer |
ReAct Pattern
ReAct combines reasoning and acting in a loop: think about the next step, act with a tool, observe the result, then continue.
Use ReAct when the answer requires external information or step-by-step interaction. Avoid unbounded loops; set max steps, timeouts, and stop conditions.
Planning Patterns
| Pattern | Use Case | Risk |
|---|---|---|
| Plan-and-execute | Multi-step task with known phases | Plan may become stale |
| ReAct | Search, inspect, act iteratively | Loop can drift |
| Reflection | Critique and revise output | Extra cost and possible overthinking |
| Tree search | Explore alternatives | Expensive and complex |
| Checklist execution | Regulated or operational tasks | Less flexible |
For production systems, explicit workflows are often safer than letting the model freely invent long plans.
Multi-Agent Orchestration
Multiple agents can be useful when tasks have distinct roles, but they add coordination overhead.
Supervisor-Worker
Common Topologies
| Topology | Description | Best For |
|---|---|---|
| Supervisor-worker | One coordinator delegates tasks | Clear ownership |
| Hierarchical | Managers coordinate subteams | Large decomposable work |
| Peer-to-peer | Agents debate or collaborate | Exploration and critique |
| Pipeline | Output of one agent feeds next | Repeatable workflows |
Do not use multiple agents just because it sounds advanced. Use them when roles are naturally separable and coordination cost is justified.
Memory
Agent memory can mean different things.
| Memory Type | Example |
|---|---|
| Short-term context | Current conversation and observations |
| Episodic memory | Past task summaries |
| Semantic memory | Facts about user, product, or domain |
| Working state | Current plan, completed steps, pending actions |
Memory needs consent, privacy controls, deletion, and conflict handling. Bad memory can make agents confidently wrong.
Safety Architecture
Required Controls
| Control | Purpose |
|---|---|
| Tool allowlist | Only expose intended capabilities |
| Authorization | Enforce user and tenant permissions |
| Argument validation | Prevent malformed or malicious inputs |
| Confirmation gates | Protect side-effecting actions |
| Audit log | Record who asked, what ran, and why |
| Sandboxing | Limit code execution and file/network access |
Separate decision from execution: The LLM may propose an action, but deterministic code should validate and execute it.
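The controls in the table, combined in one deterministic dispatcher. This is an added example, not code from the original page. The `cancel_order` tool, the regex-based schema format, the tenant context and the in-memory audit log are assumptions made for illustration.

```python
import re

# Constructed sample data and an in-memory audit log (assumptions for this example).
ORDERS = {"ord_123": {"tenant": "t1", "status": "shipped"}}
AUDIT_LOG = []

def _owned_order(args, ctx):
    # Authorization lives in tool code: the caller's tenant must own the order.
    order = ORDERS.get(args["orderId"])
    if order is None or order["tenant"] != ctx["tenant"]:
        raise PermissionError("order not visible to this tenant")
    return order

def get_order_status(args, ctx):
    return {"status": _owned_order(args, ctx)["status"]}

def cancel_order(args, ctx):  # hypothetical write tool
    _owned_order(args, ctx)["status"] = "cancelled"
    return {"status": "cancelled"}

# Allowlist: only these tools exist for the model. Schemas map each argument to a regex.
TOOLS = {
    "get_order_status": {"fn": get_order_status, "write": False,
                         "schema": {"orderId": r"ord_[0-9]+"}},
    "cancel_order": {"fn": cancel_order, "write": True,
                     "schema": {"orderId": r"ord_[0-9]+"}},
}

def execute(call, ctx, confirmed=False):
    """Validate a model-proposed call deterministically, then run it."""
    outcome, result = "denied", None
    name, args = call.get("tool"), call.get("arguments")
    spec = TOOLS.get(name) if isinstance(name, str) else None
    if spec is None:
        result = "tool not on allowlist"
    elif not isinstance(args, dict) or set(args) != set(spec["schema"]):
        result = "missing or unexpected arguments"
    elif not all(isinstance(args[k], str) and re.fullmatch(p, args[k])
                 for k, p in spec["schema"].items()):
        result = "argument failed validation"
    elif spec["write"] and not confirmed:
        outcome, result = "needs_confirmation", "write requires human approval"
    else:
        try:
            outcome, result = "ok", spec["fn"](args, ctx)
        except PermissionError as exc:
            result = str(exc)
    # Audit every proposal, including denied ones: who asked, what was proposed, the outcome.
    AUDIT_LOG.append({"user": ctx["user"], "tenant": ctx["tenant"],
                      "call": call, "outcome": outcome})
    return outcome, result
```

The `confirmed` flag must be set by the application after a human approves the action, never taken from model output.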
Common Failure Modes
| Failure | Cause | Mitigation |
|---|---|---|
| Infinite loop | No stop condition | Step budget and convergence checks |
| Wrong tool | Ambiguous tool descriptions | Narrow schemas and examples |
| Data leak | Tool returns unauthorized data | Enforce ACL in tool code |
| Unsafe side effect | Model acts without confirmation | Human approval for risky writes |
| Prompt injection | Tool output contains instructions | Treat tool output as untrusted data |
| Context bloat | Too many observations | Summarize and cap tool output |
What to Remember for Interviews
- Agents are control loops: model, tools, observations, and stop conditions.
- Function calling is structured IO: the model proposes arguments; code validates them.
- ReAct is useful for iterative tasks: it must be bounded with max steps, timeouts, and stop conditions.
- Multi-agent adds coordination cost: use it for separable roles, not decoration.
- Safety is architectural: permissions, validation, confirmations, and audit logs are mandatory.
Practice: Design an agent that can troubleshoot failed deployments. Include read-only tools, write tools, approval gates, audit logs, and how you prevent prompt injection from logs.