Agents: build a bounded, observable agent

Build a ReAct agent over 2–3 real tools that completes a multi-step task, is fully observable per loop iteration, and cannot run away: it always terminates within a hard step, wall-clock, and token budget, never thrashes on an identical call, and never silently drops its own instructions — proven with traces and a task-success eval.

• Implement the bare ReAct loop yourself (or with a minimal framework): system + task messages, model call with tool definitions, dispatch the chosen tool, append the result, repeat. Wire 2–3 real tools (e.g. a search/lookup, a calculator, a write/action tool) over a small fixed task domain.
• Add the four independent exits: natural completion (model returns no tool call), a hard max-step cap, a wall-clock AND token budget that caps the dollar figure regardless of step count, and a progress/dedup check that breaks on repeated identical tool calls. Each exit must be logged with the reason it fired.
• Instrument per-iteration observability: step number, tokens sent this call vs cumulative, tool name + arguments, tool result size, and a running cost estimate — so the quadratic growth is visible in the trace, not inferred.
• Manage the context window: pin the system/task messages so they are never evicted, and trim or summarise the middle of the history once it nears a token budget. Show that a long run stays under the window without losing its instructions.
• Add input/output guardrails: validate and size-limit tool arguments before dispatch (reject oversized or malformed input), cap per-tool retries, and treat untrusted tool/web output as data — never let a tool result inject new instructions the loop obeys.
• Build a small task-success eval: 8–12 task instances with a programmatic check of whether the final answer is correct (exact match, schema check, or rubric). Report solve rate alongside mean steps, mean tokens, and mean cost per task.
• Run an adversarial pass: craft inputs that trigger a runaway loop, an identical-call thrash, and a near-context-overflow long run. Show in the trace that the matching guard fired and the agent terminated bounded — not crashed, not silently truncated.

• A loop trace for one normal run and one adversarial run, each showing per-iteration tokens (cumulative growth visible) and the exact exit reason that fired.
• A before/after comparison: the same agent WITHOUT guards (or with the cap removed) runs away or thrashes on the adversarial input; WITH guards it terminates bounded within the step/wall-clock/token budget.
• An eval table: solve rate over the 8–12 tasks, plus mean steps, mean tokens, and mean cost per task — measured, not estimated.
• Evidence the context guard works: a long run that stays under the window with the system/task messages still present at the final step (no silent truncation of instructions).
• A one-paragraph write-up: which exit defends which failure mode, why a step cap alone is insufficient, and one task where scripting beats the agent.