What we are building

The chatbot is a thin orchestration layer over systems that already exist.
It is not a knowledge base, and it must never become one by guessing.

The agent loop

An "agent" is not magic. It is a loop your code controls:

  observe ──  DECIDE  ──  ACT  ──  observe ── … ── answer
             (the LLM)    (a tool
                           your code
                           runs)

1. Decide — the model reads the conversation and either answers or asks for a tool.
2. Act — your code runs the requested tool and returns the result.
3. Repeat — feed the result back; the model decides again, until it answers.

You own the loop. The model only ever proposes a tool call — your code executes it.

Tool-calling vs RAG

Two ways to ground the model. They solve different problems.

This project is overwhelmingly tool-calling. Order status and price are queries to systems of record — not passages to retrieve. Keep RAG in your back pocket for policy/FAQ (the demo/ RAG spike, DEMO-17).

The failure we design against: confidently wrong

A bot quoting real prices and real order status has a failure mode worse than sounding clumsy:

It states a wrong price, a wrong delivery date, or an expired promotion — fluently, with total confidence, and a customer acts on it.

• The model is a brilliant phraser and a terrible system of record.
• "฿1,290, in stock, arrives tomorrow" reads identically whether it is true or invented.
• Fluency is not correctness. Confidence is not a signal of truth.

Every technique today — grounding, tools, guardrails, evals, traces — exists to make this failure structurally hard, not just unlikely.

The one diagram (we use it all day)

So the thesis, precisely

The LLM is the conversation engine. The systems of record are the source of truth. A tool call is the only bridge between them.

This gives us three rules the whole build obeys:

1. Grounding — the model may only state a fact that a tool returned in this conversation.
2. Ownership — every authoritative value (price, stock, status, promo) comes from its owning system, never from the model.
3. Graceful failure — if no tool can answer, the bot says so and hands off. It never fills the gap with a guess.

The request path

Guardrails wrap both edges. Every hop emits a span. The agent loop is the same one from the one diagram — now placed in the real stack.

Why Bedrock (and what it buys us)

• IAM, not API keys. Model access is an IAM permission in the account. No secret to leak, rotate, or paste into a .env.
• Inside the perimeter. Requests stay in your AWS network and region (ap-southeast-1 for TH latency/data).
• Guardrails are native. PDPA controls (PII, denied topics) are a Bedrock feature, applied at the model edge — not bolted on.
• One model id, pinned: anthropic.claude-opus-4-8 in config (DEMO-2).

Heads-up — Bedrock ≠ first-party feature-for-feature. Core Messages + tool use + adaptive thinking + Guardrails are all there; a few first-party extras (e.g. Message Batches, the Files API, server-side web search) are not on Bedrock. Check before you reach for one.

Account-per-environment, under Organizations

        AWS Organization
        ├── dev account     ← build & experiment, synthetic data
        ├── test/CI account ← automated pipelines, ephemeral
        ├── uat account     ← stakeholder sign-off, prod-like
        └── prod account    ← real customers, real money

Why separate accounts, not just separate tags or VPCs:

• Blast radius — a mistake in dev cannot touch prod data or prod spend.
• IAM isolation — a dev role simply has no path to prod resources.
• Clean billing & quotas — Bedrock spend, rate limits, alarms are per account.
• Data separation — PDPA-relevant customer data lives only where it must.

Promotion flow & per-account access

Promotion is a pipeline, not a copy-paste:

 feature branch → MR → [lint · test · eval] → merge to main
        → deploy dev → deploy uat (sign-off) → deploy prod (approval)

• Same artifact promotes across accounts — the container image is built once; only config changes per env.
• IAM / Bedrock access is per account — each env's task role can invoke Bedrock only in its own account; CI assumes a scoped deploy role per target.
• Secrets & config are per account:
  • Secrets Manager — DB creds, vendor API keys (real ones only in uat/prod).
  • SSM Parameter Store — model id, Guardrail id, thresholds, feature flags.
• The image reads its config at boot from its own account's SSM + Secrets — never baked in.

Step 1 — the tool & the grounding rule

The tool is just a Python function over mock authoritative data (DEMO-3):

def get_order_status(order_id: str) -> dict:
    record = ORDERS.get(order_id)          # the system of record
    if record is None:
        raise OrderNotFound(order_id)      # never invent a record
    return {
        "order_id": order_id,
        "status": record["status"],        # e.g. "out_for_delivery"
        "eta": record["eta"],              # e.g. "2026-06-27"
        "items": record["items"],
    }

The grounding rule, in the system prompt:

Only state an order status, price, stock level, or promotion that a tool returned in this conversation. If no tool can answer, say you don't know.

Step 2 — design the tool definition

The model only calls a tool well if its definition is good. This is real engineering:

TOOLS = [{
    "name": "get_order_status",
    "description": (
        "Look up the CURRENT status of a customer order by its order ID. "
        "Call this whenever the user asks where an order is, its delivery "
        "status, or its estimated arrival. Returns authoritative live data."
    ),
    "input_schema": {
        "type": "object",
        "properties": {
            "order_id": {"type": "string",
                         "description": "Order ID, e.g. TH-10432"},
        },
        "required": ["order_id"],
    },
}]

• Name is a verb-phrase; description says when to call it, not just what it does.
• Schema is tight: required order_id, typed, with an example.

Step 3 — the manual agent loop

from anthropic import AnthropicBedrockMantle
client = AnthropicBedrockMantle(aws_region=AWS_REGION)

messages = [{"role": "user", "content": user_text}]
while True:
    resp = client.messages.create(
        model="anthropic.claude-opus-4-8", max_tokens=1024,
        system=SYSTEM_PROMPT, tools=TOOLS, messages=messages,
    )
    messages.append({"role": "assistant", "content": resp.content})
    if resp.stop_reason != "tool_use":
        break                                   # model has phrased its answer
    results = []
    for b in resp.content:
        if b.type == "tool_use":
            fact = TOOL_IMPLS[b.name](**b.input)            # YOUR code runs it
            results.append({"type": "tool_result",
                            "tool_use_id": b.id,
                            "content": json.dumps(fact)})
    messages.append({"role": "user", "content": results})   # feed facts back

decide → call → phrase, looped until stop_reason != "tool_use". You run the tool; the model only asked.

Step 4 — mock authoritative data

Mock data is not a shortcut — it is the contract the real source will later honour.

ORDERS = {
    "TH-10432": {"status": "out_for_delivery", "eta": "2026-06-27",
                 "items": ["เคสมือถือ x1", "ฟิล์มกันรอย x2"]},
    "TH-10588": {"status": "packing",          "eta": "2026-06-29",
                 "items": ["หูฟัง x1"]},
}

• Synthetic Thai data — realistic ids, items, statuses, dates.
• Enough variety that tool selection is a real choice (orders vs products vs promos).
• Includes the awkward cases: not-found, and later an expired promo.
• Same shape as the real API → swapping mock → sandbox → real is a config change, not a rewrite.

System prompt design

The system prompt is a policy, not a personality. Structure it:

1. Role & scope — "order-status assistant for «shop», a Thai e-commerce store."
2. Grounding (non-negotiable) — only state values a tool returned; never recall, guess, or round.
3. Failure behaviour — if no tool fits, say you don't know and hand off.
4. Tone & language — brief, warm; reply in the customer's language (Thai/English).

Keep authoritative facts out of the prompt — they go stale. The prompt says how to behave; tools provide what is true.

Writing tool defs the model calls reliably

The model's routing is only as good as your descriptions. Make them earn the call:

• Say when, not just what. "Call this when the user asks about price or stock" beats "gets product info."
• Disambiguate siblings. get_product_info (price/stock) vs get_promotion (active deals) — make the boundary explicit so it picks correctly.
• Tight schemas. Required fields, types, an example value per field. Fewer malformed calls.
• One job per tool. A tool that does three things gets called for the wrong one.

Multi-tool questions are normal: "is the หูฟัง in stock and on promo?" → two tool calls, then one grounded answer (DEMO-7).

Graceful "I don't know" + human handoff

The bot's right to say "I don't know" is what keeps it honest.

# In the system prompt:
#   If no tool can answer, do NOT guess. Say you don't have that
#   information and offer to connect a human agent.

def emit_handoff(reason, conversation_id):
    log.info("handoff", reason=reason, conversation_id=conversation_id)
    # stub today (DEMO-9); a real channel later

• Triggers: no tool fits · tool raised not-found · low confidence · out of scope.
• The handoff is a structured event, not a dead end — it routes to a person.
• "I don't know + handoff" is a success, not a failure. A guess is the failure.

PDPA via Bedrock Guardrails

PDPA (Thailand's data-protection law) is enforced at the model edge, on both paths (DEMO-8):

• Configured once as a Bedrock Guardrail, applied to input and output.
• Test it: a message with a fake phone number is masked, not echoed.
• Guardrails are a separate layer from the prompt — defence in depth, not "please be careful."

The golden dataset

A small, representative set of cases with expected behaviour (DEMO-10):

- vars: { question: "Where is my order TH-10432?" }
  assert:
    - { type: tool-called, value: get_order_status }   # right tool
    - { type: contains, value: "27" }                  # right fact (the ETA)

- vars: { question: "Is the 'Songkran 10% off' promo still valid?" }
  assert:
    - { type: tool-called, value: get_promotion }
    - { type: llm-rubric,
        value: "States the promo has EXPIRED. Does NOT offer the discount." }

• 8–12 cases spanning orders · products · promotions · off-topic · handoff.
• Each case pins the expected tool call and an assertion on the answer.
• Includes the expired-promo trap — the canonical "confidently wrong" test.

Assertions + LLM-as-judge — and score the tool call

Two kinds of check, because two kinds of thing can go wrong:

• Deterministic assertions — exact facts. Was the ETA 27 Jun? Was the price ฿1,290? Cheap, unambiguous.
• LLM-as-judge (rubric) — fuzzy quality. Did it refuse the expired promo? Was it grounded, not invented? For things you can't regex.

Score the tool call, not just the final text:

The bot can produce the right words for the wrong reason — a lucky guess, or the right answer after calling the wrong tool. Asserting on the tool call (and its arguments) catches the failure the text alone hides.

The deliberately-broken-prompt demo

The moment evals earn their keep — break it on purpose and watch the gate catch it (DEMO-12):

  System prompt:
- Only state prices/stock/status that a tool returned this conversation.
+ # (grounding line removed)

Run the suite:

✓ order status        ✓ product in stock
✗ expired promo  →  bot offered the discount  (groundedness FAIL)
✗ unknown order  →  bot invented an ETA       (tool-call FAIL)

Delete one grounding line → the bot starts inventing → the eval goes red. Revert → green. That is the safety net.

Wire it into GitLab CI — make it a merge gate

Evals belong in the pipeline, not a notebook (DEMO-12):

stages: [lint, test, eval]

eval:
  stage: eval
  script:
    - make eval                 # promptfoo eval -c promptfooconfig.yaml
  rules:
    - if: $CI_MERGE_REQUEST_IID  # run on every MR
  # exits non-zero below the pass threshold → the MR cannot merge

 lint  ──  test  ──  eval  ──   mergeable
   any stage red  ──   blocked

A prompt change that breaks grounding now fails the pipeline like any other bug. Quality becomes a gate, not a hope.

Two layers in one pane

• Operational is the classic web-service view — Fargate, Bedrock latency, errors, token cost (DEMO-13).
• Quality is LLM-specific: did it call the right tool, did it stay grounded, did it resolve without handoff (containment)? (DEMO-14)
• The two are correlated: an LLM trace links to the APM trace of the same request.

Reading a real trace

One conversation, fully unpacked (DEMO-14):

• See the tool calls, their arguments, and results — not just the final text.
• Tokens, cost, and latency per step.
• A wrong answer becomes debuggable: open the trace, find the tool call that lied or the step that drifted.

Cost / quality dashboard — the first signal

One dashboard the team reads at a glance (DEMO-15):

• Operational: tokens & cost per conversation, p50/p95 latency, error rate.
• Quality: tool-call correctness, groundedness, containment (resolved without handoff).

The first signal something is wrong is rarely an exception. It is a cost spike (a loop calling tools in circles) or a bad-trace example (groundedness dipping) — long before anyone files a ticket.

• A cost spike → often a runaway loop or oversized context.
• Groundedness dipping → a prompt or tool change quietly regressed.
• Containment dropping → the bot is handing off more; something it used to answer, it no longer can.

Whiteboard prompts — decide these as a team

1 · Sources: tool-call or retrieval?
For each — order, delivery, products, pricing, promotions — is it a live query (tool) or a document (RAG)? Default to tool-call; justify any RAG.

2 · Mock / sandbox strategy, per source
What's the API shape? Is there a vendor sandbox for uat? What's the mock contract for dev/CI? Who provides the real credentials, and when?

3 · Account layout under Organizations
dev / test / uat / prod accounts — who can deploy to each? How do CI roles assume into each account? Where do Bedrock budget alarms live?

4 · Ownership
Who owns each tool? Each source contract? The golden eval set? The Guardrail config? The Datadog dashboard?

Facilitator prep — have these ready

Ordered by lead time. The first group has long lead and quietly sinks the day if left late.

~1 week out (long lead):

• Bedrock access — Claude enabled in the dev account's region, IAM for attendees, budget alarm. Model access is request-gated.
• Vendor sandbox access for any real source touched in the architecture session — most likely to slip.

~2–3 days out (build materials):

• Starter repo on GitLab — runs on a clean clone (the highest-leverage item).
• Synthetic Thai dataset + golden eval set (8–12 cases, incl. the broken-prompt case).
• The one diagram · GitLab CI snippet · Datadog wired (ddtrace + a sample trace already showing).

Day before: run the whole starter repo end-to-end on a clean clone; send the pre-req.

Per-attendee 5-minute pre-req

Send this the day before. It is the whole bar — everything else is provided.

• [ ] Laptop with a working Python environment.
• [ ] Starter repo cloned and pip install'd.
• [ ] AWS credentials configured (SSO profile) with Bedrock access in the dev account.
• [ ] One confirmed test Bedrock call (python -m demo.smoke returns a completion).

If those four are green, you arrive ready to build at 09:30 — not ready to start installing at 09:30.

Decisions & action items

Capture live — every row gets an owner and a date:

The one that de-risks everything else is the last row.