Skip to content
APEX

Agent Architecture

Agent Anatomy

Section titled “Agent Anatomy”

Every agent definition follows a standard structure:

# Frontmatter
---
name: 06b-Bicep CodeGen
description: Expert Azure Bicep IaC specialist...
model: ["GPT-5.5"] # (1)!
tools: [list of allowed tools] # (2)!
handoffs:
  - label: "Step 6: Deploy"
    agent: 07b-Bicep Deploy # (3)!
    prompt: "Deploy the Bicep templates..."
---
# Body (≤ 500 lines)
## MANDATORY: Read Skills First
1. **Read** `.github/skills/azure-defaults/SKILL.md` # (4)!
2. **Read** `.github/skills/azure-artifacts/SKILL.md`
  1. Model selection — the Orchestrator can override this based on task complexity
  2. Tool allowlist — agents only access tools they need
  3. Handoff target — the next agent in the workflow
  4. Skills are loaded on demand to preserve context budget

The frontmatter is machine-readable metadata. The body is the agent’s full operating manual — the runtime loads it into the system prompt at invocation.

Tools

Section titled “Tools”

Agents interact with external systems through tools — structured interfaces provided by MCP servers and the VS Code runtime. Each agent’s frontmatter declares a tools: allowlist that restricts which tools it can call. Common tool categories:

  • MCP tools: Cloud API wrappers (Azure pricing queries, GitHub operations, Terraform registry lookups)
  • File tools: Read and write workspace files (create artifacts, read prior step outputs)
  • Terminal tools: Execute CLI commands (Bicep build, Terraform validate, Azure CLI)
  • Subagent tools: Delegate to specialised subagents via #runSubagent

Handoffs

Section titled “Handoffs”

Agents do not communicate directly. Instead, each agent produces artifact files in agent-output/{project}/ that the next agent reads as input. The Orchestrator orchestrates this by delegating to one agent at a time, collecting its output, and routing to the next step. At approval gates, the Orchestrator writes a 00-handoff.md summary document that enables session resume.

Top-Level Agents

Section titled “Top-Level Agents”
AgentRolePrimary Skills
01-OrchestratorMaster orchestratorworkflow-engine, apex-recall
01-Orchestrator (Fast Path)Simplified path for ≤3 resourcesapex-recall, azure-defaults
02-RequirementsCaptures project requirementsazure-defaults, azure-artifacts
03-ArchitectWAF assessment and cost estimationazure-defaults
04-DesignDiagrams and ADRsdrawio, python-diagrams, azure-adr
04g-GovernancePolicy discovery and complianceazure-defaults
05-IaC PlannerIaC implementation planning (Bicep & Terraform)azure-bicep-patterns, terraform-patterns
06b-Bicep CodeGenBicep template generationazure-bicep-patterns
06t-Terraform CodeGenTerraform configuration generationterraform-patterns
07b-Bicep DeployBicep deployment executionazure-validate, iac-common
07t-Terraform DeployTerraform deployment executionazure-validate, iac-common, terraform-patterns
08-As-BuiltPost-deployment documentationazure-artifacts, drawio, python-diagrams
09-DiagnoseAzure resource troubleshootingazure-diagnostics
10-ChallengerStandalone adversarial review
11-Context OptimizerContext window audit and optimisationcontext-management
e2e-orchestratorPrompt-invoked end-to-end validation driverworkflow-engine, apex-recall

For a live, always-current roster, see the Architecture Explorer. The count is computed from tools/registry/count-manifest.json and the source of truth is the .github/agents/*.agent.md files on disk.

Subagents

Section titled “Subagents”

Subagents are not user-invocable. They are delegated to by parent agents for isolated, specific tasks:

SubagentPurposeInvoked By
challenger-review-subagentAdversarial review of artifactsSteps 1, 2, 4, 5, 6
cost-estimate-subagentAzure Pricing MCP queriesSteps 2, 7
bicep-validate-subagentLint + AVM/security code reviewStep 5 (Bicep)
bicep-whatif-subagentaz deployment what-if previewStep 6 (Bicep)
terraform-validate-subagentLint + AVM-TF/security code reviewStep 5 (Terraform)
terraform-plan-subagentterraform plan previewStep 6 (Terraform)

The Challenger Pattern

Section titled “The Challenger Pattern”

The challenger-review-subagent implements adversarial review at critical workflow steps. It operates with rotating lenses:

  • 1-pass review (comprehensive): A single review covering all dimensions. This is the default for all steps. Used for requirements (Step 1), architecture (Step 2), deploy (Step 6), and optionally for planning (Step 4) and code (Step 5).
  • Multi-pass review (rotating lenses, opt-in): Multiple separate reviews, each focused on a specific dimension (security, reliability, cost). Available for architecture (Step 2), planning (Step 4), and code (Step 5) when explicitly requested. Recommended for complex projects.

Findings are classified as must_fix (blocking) or should_fix (advisory). Only must_fix findings block workflow progression.

Conditional passes (when multi-pass is opted in): Pass 3 of the rotating lens review is conditional — it only runs if Pass 2 returned ≥1 must_fix finding. If Pass 2 returns zero must_fix items, Pass 3 is skipped entirely, saving approximately 4 minutes per review cycle.

Context Shredding for Challenger Inputs: The challenger is instructed to apply context compression tiers when loading predecessor artefacts for review:

Context UsageLoading Strategy
< 60%Full artefact
60–80%Key H2 sections only (resource list, SKUs, WAF scores, budget)
> 80%Decision summary from 00-session-state.json + resource list

After each review pass, only the compact_for_parent string (~200 characters) is carried forward — not the full JSON findings. This prevents context bloat across multi-pass reviews and is enforced by the output schema.

New Challenger Checklists: Two mandatory checklist categories were added:

  • Cost Monitoring: Budget resource, forecast alerts at 80/100/120%, anomaly detection.
  • Repeatability: Parameterised values, multi-tenant deploy, projectName required.

Handoffs and Delegation

Section titled “Handoffs and Delegation”

Agents communicate through artefact files, not direct message passing. The Orchestrator delegates to a step agent, which produces output files in agent-output/{project}/. The next agent reads those files as input. This design:

  • Eliminates context leakage between agents
  • Enables resume from any point (artefacts are persistent)
  • Allows human review at every gate (artefacts are human-readable markdown)
  • Supports parallel development of different steps

Phase Handoff Document: At each approval gate, the Orchestrator writes a 00-handoff.md file containing a summary of what was completed, key decisions made, what comes next, and (at Gates 2 and 3) a session break recommendation. This enables resume from any gate without needing to re-read all prior artefacts.

Creating a Custom Agent

Section titled “Creating a Custom Agent”

This section walks through creating a new agent from scratch.

Step 1: Choose Agent Type and Model

Section titled “Step 1: Choose Agent Type and Model”
TypeFile LocationUser-InvocableUse When
Top-level agent.github/agents/{name}.agent.mdYesUser-facing workflow steps
Subagent.github/agents/_subagents/{name}.agent.mdNoIsolated tasks delegated by parent agents

Model selection depends on the task. Use tools/registry/agent-registry.json as the source of truth, but the current repo pattern is:

  • Planning agents (accuracy-first) — typically Claude Opus 4.7 at high reasoning effort
  • Orchestrator + Fast PathGPT-5.5 with the OpenAI outcome-first prompting style (Role / Personality / Goal / Success / Constraints / Output / Stop)
  • Design + Governance + Code generation + ChallengerGPT-5.5 for balanced execution quality with explicit retrieval budgets and stopping conditions
  • Execution, deploy, and validation subagents — model varies; consult tools/registry/agent-registry.json
  • Adversarial review — use a different model family than the artifact author when possible

Step 2: Create the Agent File

Section titled “Step 2: Create the Agent File”

Create a .agent.md file with the required frontmatter:

---
name: My Custom Agent
description: >-
  One-line description of what this agent does.
  USE FOR: keyword triggers. DO NOT USE FOR: anti-triggers.
model:
  - GPT-5.5
tools:
  - read_file
  - create_file
  - replace_string_in_file
  - run_in_terminal
  - runSubagent
handoffs:
  - label: "Next Step"
    agent: next-agent-name
    prompt: "Hand off with context..."
---

Required frontmatter fields: name, description, model, tools. Optional: handoffs, user-invocable (defaults to true for top-level).

See .github/instructions/agent-authoring.instructions.md for the complete frontmatter specification.

Step 3: Write the Agent Body

Section titled “Step 3: Write the Agent Body”

The body (below the frontmatter) is the agent’s operating manual:

## MANDATORY: Read Skills First


1. **Read** `.github/skills/azure-defaults/SKILL.md`


## DO (required behaviours)


- Always check for existing session state before starting
- Load skills progressively (SKILL.md first, then references/ on demand)


## DO NOT (prohibited behaviours)


- Do not skip approval gates
- Do not hardcode project-specific values

Keep the body under 350 lines. Use skill references for deep domain knowledge rather than inlining it.

Step 4: Register the Agent

Section titled “Step 4: Register the Agent”

Update the registry file:

  1. tools/registry/agent-registry.json — add the agent’s role, file path, model, and skill list

Step 5: Validate

Section titled “Step 5: Validate”
Terminal window
# Validate frontmatter syntax, body size, and language quality
npm run validate:agents


# Verify registry consistency
npm run validate:agent-registry

Troubleshooting

Section titled “Troubleshooting”
ProblemCauseFix
Agent not appearing in chatMissing or invalid frontmatterRun npm run validate:agents
Tool not availableTool not in tools: allowlistAdd the tool name to frontmatter
Handoff not triggeringWrong agent name in handoffs:Verify target agent file exists
Skills not loadingTypo in skill pathCheck path matches .github/skills/{name}/SKILL.md