Letting Agents Call External APIs Directly Is the Most Expensive Architecture Mistake in Enterprise Agentic — A 5-Layer Stack + 25-API Contract Checklist | Agentic AI in Practice (IX)

Agentic AI in Practice · Part IX. The first eight pieces covered ship-readiness, post-ship discipline, the north-star metric, brain-vs-hands, dual-track testing, and intent cascading: L0-L3 grading, L2 vs L3 5 decisions, fail-closed Critic, deploy-and-abandon, containment vs resolution, brain and hands, dual-track testing. This one pivots: why 90% of enterprise Agentic projects build the wrong architecture at the "connecting external APIs" layer, and how to draw the line. 中文版：让 Agent 直接调外部 API 是企业 Agentic 最贵的架构错误.

"We Integrated 25 APIs" — the Most Expensive False Signal at an Architecture Review

At one architecture review, the vendor's slide 23 read:

"External systems integrated: 6 — order OMS, ticket platform, logistics provider, warehouse WMS, customer-service IM, knowledge base center. 25 APIs in total. 7 Tools on the Agent side. End-to-end coverage of 12 core scenarios including aftersales refunds, logistics tracking, ticket creation."

The boss nodded. Then asked three things in passing:

1. "What happens when the OMS vendor changes?" Vendor answer: "We rewrite the LLM Tools."
2. "How does QA integrate before the OMS interface is ready?" Vendor answer: "Wait for the vendor's API."
3. "Next month compliance audit needs the call-chain logs for every refund — can we get them?" Vendor answer: "Let's add some logging later."

That was the moment the whole project team realized: all 25 APIs being wired up does not mean the architecture is right. It only proves "the LLM can currently reach external systems." It does not prove this system can swap vendors without rewrites, can integrate without the real interface present, has audit trails for write operations, can roll back to specific APIs when an incident hits — those four things are the actual baseline of an enterprise-grade Agentic architecture.

Across every customer-service Agent project I worked on this year, the most expensive architecture mistake is not in the algorithm, not in model choice, not in which vector DB you pick — it is this single decision: letting LLM Tools call external APIs directly. Looks like the shortest path, ships fastest, the slide deck looks best. But three months in, when the first vendor swap happens, the first compliance audit lands, the first production incident hits — the entire Tool layer and external system integration has to be torn down and rewritten.

This piece is for architects, founders, and project owners running enterprise Agentic deployments. API integration is the part of the rollout most easily papered over with "we integrated 25 APIs" and the part that pays the largest cost when problems land. Four things to unpack: (1) the three concrete costs of the "Agent-talks-directly-to-API" fake architecture, (2) the responsibility boundary of each of the 5 layers (Adapter / Service ABC / Tool / Workflow / Critic), (3) the 6 systems × 25 APIs integration matrix — a sign-off checklist for your next architecture review, (4) 5 architecture decisions to drive this week.

"Agent Calls External APIs Directly" — Three Enterprise-Grade Costs

Conclusion first: letting LLM Tools call external interfaces directly looks like the shortest path but actually skips all three enterprise-grade concerns: contracts, abstractions, audit trails. The cost does not show in demo phase. It always shows three months in.

Cost 1: Swap a vendor = rewrite. OMS field naming convention changes (camelCase → snake_case, new required fields). Ticket platform major version upgrade (v4.x → v5.x). Logistics provider switches from A to B. Any change in your enterprise system integrations — the entire Tool layer needs rework. One project I worked on, the OMS middleware upgrade revised one schema; the Agent's 7 Tools all needed regression testing — 4 engineers working overtime for 3 weeks. The root cause: LLM Tools are coupled to the external system; the "interface name" the LLM sees IS the vendor's interface name.

Cost 2: Project stalls when interfaces are missing. Public ecommerce platforms' real APIs are still pending commercial confirmation. The ticket system's field schema is still pending business stakeholder confirmation. WMS authentication scheme has not been decided. If Tools call these APIs directly, the project halts until they exist. In projects I have seen, 80% of wasted engineering time was burned in this "waiting on interfaces" death loop. Root cause: no Mock contract layer, dev and QA have nothing to integrate against.

Cost 3: The compliance audit last mile fails. When a write operation (refund / cancel order / void ticket) caused an incident, compliance and finance want to look back: which conversation triggered the Tool? What parameters? Who signed off (LLM? Workflow? Critic? Rules? Business-signed threshold)? The "call-chain + decision basis + business signoff" audit closure simply does not exist in the "LLM-calls-API-direct" architecture. When the incident hits, all you can see is "LLM emitted approve" — no intermediate layer can tell you what validation that approve went through.

The three costs combined: "Agent calls APIs directly" trades demo speed away for the three most important capabilities of enterprise-grade architecture — swappable vendors, integrate-able contracts, auditable call chains. Without these three, an enterprise-grade Agentic project is just a slide deck.

5-Layer Architecture: Adapter → Service ABC → Tool → Workflow → Critic

Conclusion first: the segment of an enterprise-grade Agentic system that connects to external APIs must be split into 5 layers. Each layer solves exactly one thing; the contracts between layers do not leak. Miss any layer and you pay three months later.

Layer	Solves what	Key artifacts	Owner
L1 Adapter	Translates external SaaS fields, protocols, auth, error codes into internal protocol	One Adapter per external system (OAuth Token cache, camelCase ↔ snake_case mapping, non-success business code raises XxxBizError, HTTP retries)	Backend
L2 Service ABC	Lets the business layer not know which provider is in use	OrderClient / TicketClient / LogisticsClient abstract base classes + Mock implementations + Real implementations, switched at boot via SERVICES_BACKEND=mock|real	Backend + business signs schema
L3 Tool	The interface contract the LLM sees — name, parameter schema, read_only flag	7-12 Tools, each with description / parameters JSON Schema / read_only flag; ToolRegistry for unified registration	Backend + AI Ops
L4 Workflow	Multi-step orchestration of write operations + safety limits	check_params → query → validate → critic_check → execute → notify; max_steps safety limit; human_review fallback	Backend + business sign-off
L5 Critic + Rules	Last gate between "LLM decides" and "external state actually changes"	LLM Critic (semantic layer) + Rules (hard layer: amount thresholds, 7-day order window, 24h duplicate refund check), fail-closed	Business + AI Ops + legal sign-off

Each layer's boundary — the architect must be able to draw it on a whiteboard, and not being able to means the architecture is unclear:

• LLM never sees Adapter: Adapter is at the bottom. LLM never calls order_gateway.list_orders() — it only calls Tools. Tools call Service ABC. Service ABC calls Adapter.
• Business layer never sees provider: business Workflow calls order_client.get_by_user(user_id). It does not know whether this order_client is MockOrderClient or RealOrderClient, much less whether the underlying is OMS A or OMS B.
• Tool's contract to the LLM does not leak internal structure: Tool's description is "query order," not "call the order gateway's /orders/list endpoint." LLM does not see endpoint paths, field mappings, or auth.
• Write operations must pass Critic: any Tool that modifies external state (cancel_order / create_refund / cancel_ticket) is forced by the Workflow DSL to pass through a critic_check Step. Bypassing it is an architecture bug.
• Config splits into three tiers: service / flow toggles in code + env vars; business thresholds in thresholds.yaml (business signed); ops monitoring thresholds in Dashboard config. Three tiers, three people, no cross-contamination.

These 5 layers are not "architects chasing elegance" — they are the basic immunity for whether an enterprise-grade Agentic project can survive a vendor swap, a compliance audit, a production incident. Each layer with clear responsibilities = team shares a vocabulary. Miss any one and the project becomes "rewrite" in some specific scenario.

Put this diagram on the whiteboard at your next architecture review. An architect who cannot draw the 5-layer responsibility split — the team has no shared vocabulary. "Which layer changes when a vendor swaps / which layer switches to Mock for testing / which layer compliance audits trace to" — three questions, all answered by this diagram.

L1 Adapter Layer — The "Translator" That Converts External Systems to Internal Protocol

Conclusion first: Adapter only translates. It does not make business decisions. One Adapter per external SaaS, the more independent the better — this is where "swap vendor without pain" actually lives in enterprise-grade Agentic.

Adapter handles 6 jobs, each tied to a real production lesson:

1. Auth abstraction — OAuth Client Credentials + Token cache + concurrent refresh

Order gateway uses OAuth2, Token expires every 30 minutes. The naive implementation is "check token before each call, refresh if needed" — under concurrent load this is a disaster: 100 requests + Token expires simultaneously → 100 concurrent /oauth/token calls → gateway gets hammered. The right pattern: Adapter maintains a Token cache + uses asyncio.Lock to prevent concurrent-refresh stampede + proactively renews 60s before expiry + auto-clears cache and retries once on 401. This logic is written once and stays in the Adapter; Service ABC and above never know Token exists.

2. Field mapping — "diplomacy" between CamelCase / snake_case / etc.

Order gateway returns code (different vendors name it differently: bizCode / statusCode / code); internal protocol normalizes to biz_code. OMS calls it productCode; internal is sku_id. Ticket platform uses requestId; internal is ticket_id. All these naming differences are absorbed by from_dict / to_dict methods in the Adapter. Service ABC and above always receive internal protocol dataclasses; they have no idea what the external vendor's naming looks like.

3. Error-code abstraction — non-success business code raises XxxBizError

Order gateway uses a business code to distinguish success / failure (e.g. code=0 for success, code=1004 for "order not found"); ticket platform uses HTTP status codes + custom error_code; logistics provider uses result.success == false. All these heterogeneous error codes get translated to XxxBizError(code, msg) exceptions inside the Adapter. Service ABC and above use uniform try/except; no leakage of HTTP status concerns.

4. Environment isolation — X-Env header

Calling real APIs in staging needs X-Env: staging; production does not. This isolation marker is auto-injected by the Adapter based on environment variable. Business code never sees this header. Impossible to forget and accidentally route staging traffic to production.

5. Retry + timeout — hard rules at the HTTP layer

httpx with timeout=10s and connect_timeout=3s. 401 retries once (after clearing token). HTTP 5xx does not retry — propagate to business layer. These rules live once in the Adapter; all calls go through the same configuration. No tracking down whether each Tool added its own retry logic.

6. Input validation — first wall against SQL / path injection

What if the order ID contains "'; DROP TABLE;--"? httpx auto-escapes URL parameters and blocks most. The Adapter runs the strictest schema validation before any call (order ID regex, amount ≥ 0, date format) — anomalous inputs are rejected outright. This is not "Critic-level fallback" — this is "first wall" rejection.

The most counter-intuitive engineering discipline at the Adapter layer: the code should be as boring as possible — pure translation, pure retries, pure field mapping. Any code with business logic is wrong. Whether the refund amount is valid, whether the order can be canceled — Adapter does not care. Those are the responsibility of Service / Critic / Rules. The purer the Adapter, the fewer files need touching during a vendor swap.

Adapter is where "swap vendor without pain" actually lives. Any business-logic code at this layer is misplaced — the architect should bounce code review when seeing "if amount > X then reject" here, and ask for it to be refactored into Critic / Rules.

L2 Service ABC Layer — Business Layer Does Not Know Which Provider Is Used

Conclusion first: Service ABC is where enterprise-grade Agentic's "Mock integration / vendor swap / A/B switching" abstraction actually lives. Business Workflow calls ABCs, not Adapters — get this wrong and the project's swap-ability is dead.

What does Service ABC look like? Order service example:

class OrderClient(ABC):
    @abstractmethod
    async def get_by_user(self, user_id: str) -> list[OrderInfo]: ...

    @abstractmethod
    async def get_by_id(self, order_id: str) -> OrderInfo | None: ...

    @abstractmethod
    async def get_active_orders(self) -> list[OrderInfo]: ...

    @abstractmethod
    async def cancel_order(self, order_id: str) -> CancelResult: ...

    @abstractmethod
    async def close(self) -> None: ...

Two implementations:

• MockOrderClient: hardcoded mock orders (ORD-2026-0322-099 is happy path, ORD-2026-0308-042 is expired window edge case, ORD-2026-0311-001 is logistics tracking case)
• RealOrderClient: internally calls OrderGatewayAdapter, translates gateway responses to OrderInfo dataclasses

Environment variable SERVICES_BACKEND=mock|real selects which implementation gets injected. Business Workflow code never changes a line.

Service ABC solves four things:

1. Mock before Real — dev / QA don't block on interface readiness

Public ecommerce platform real APIs still pending commercial confirmation? Doesn't matter. First write MockEcommerceClient against the business-signed schema; QA can write all E2E scenario tests against Mock. When the real interface arrives, flip SERVICES_BACKEND=real and run a contract-conformance test (Pact or schema-align). Project schedule no longer gets dragged by "waiting on interfaces" — this is the dividing line between enterprise-grade Agentic teams and amateur ones.

2. Contract conformance tests — Mock can't lie

MockOrderClient's methods and return-value structures must match RealOrderClient exactly — enforced by pytest's test_contract_services.py: Mock not implementing any abstract method of ABC = test fails = PR cannot merge. This guarantees "Mock integration works" ≠ "Real explodes when swapped in."

3. Vendor swap with no pain — only Adapter changes, ABC is untouched

OMS middleware upgrades from A to B? Only RealOrderClient's internal Adapter (or a new RealOrderClientV2) changes. Business Workflow / Tool / Critic do not change a line. The entire Tool layer sees only the ABC, has no idea anything below has changed.

4. A/B switching / canary — two implementations of the same interface, in parallel

Production canary wants to route 10% traffic to new version, 90% to old? Add a routing layer above the ABC: ABRoutedOrderClient(old, new, ratio=0.1) — business layer still has no idea.

Service ABC is the layer most likely to be skipped with "is our project this complex?" rationalization — and every project that "thought it was simple" paid the rewrite cost three months later. The architect should pin down the ABC during week 1 of project kickoff. No Tool is allowed to import Adapter directly.

L3 Tool Layer — The Interface Contract the LLM Sees (No Internal Structure Leak)

Conclusion first: Tool layer is the only layer that faces the LLM directly in the 5-layer stack. Its description and parameters JSON Schema determine how the LLM understands this capability. Tool is not an alias for ABC — it is the LLM-facing "user manual," a translation of ABC.

What does a Tool look like? Three pieces:

1. description is not "calls the OMS endpoint" — it is "queries an order"

Bad example:

ToolDefinition(
    name="query_order",
    description="Calls the order gateway's /orders/list endpoint to query the order list",
)

Good example:

ToolDefinition(
    name="query_order",
    description="Queries the user's orders. Given user_id, returns all orders for that user; given order_id, returns details for that order. Only returns orders within the past 90 days.",
)

Why? When the LLM sees internal implementation names like "order gateway" or "/orders/list," it hallucinates the wrong interface — for example, it will "invent" a non-existent endpoint. Tool description must describe business semantics, not technical implementation. When the OMS vendor swaps, the description does not change.

2. parameters is JSON Schema, not Python types

parameters = {
    "type": "object",
    "properties": {
        "user_id": {"type": "string", "description": "User ID (from identity, NOT extracted from chat text)"},
        "order_id": {"type": "string", "description": "Order ID, format ORD-YYYY-MMDD-XXX"},
    },
    "required": [],  # one-of, validated in execute
}

Note the description explicitly warns the LLM not to extract user_id from chat text — this is a direct reflection of the D7 safety dimension (covered in Part 7). Without the explicit warning, the LLM will see "the user said my ID is user_999" and gladly fill it in.

3. read_only flag — separates read from write

ToolDefinition(name="query_order",   read_only=True)   # read
ToolDefinition(name="query_ticket",  read_only=True)   # read
ToolDefinition(name="cancel_order",  read_only=False)  # write, must pass Critic
ToolDefinition(name="create_refund", read_only=False)  # write, must pass Critic

read_only=False Tools are forced by the Workflow to pass through a critic_check Step — the LLM is not allowed to call a write Tool without Critic.

Tool layer's engineering discipline:

• Keep Tool count between 7 and 12. A customer-service Agent project with more than 12 Tools usually has Tool boundaries drawn too finely — "query orders in 7 days" and "query orders in 30 days" as two separate Tools is wrong; merge into query_order(time_window_days).
• Every Tool has execute() + JSON Schema validation + unified ToolResult return. ToolResult = { success: bool, data: any, error: str | None }.
• Tool does not know external system names. query_order does not know whether OMS A or OMS B is in use; cancel_ticket does not know which ticket platform — those are absorbed by Service ABC.
• Unified registration via ToolRegistry. Adding a new Tool does not require modifying LLM prompt templates — it auto-exposes to the LLM's tools list.

L4 + L5 Workflow + Critic — Four Defense Layers for Write Operations

Conclusion first: any operation that modifies external state (refund / cancel order / void ticket) must pass through four defense layers: Workflow orchestration + Rules hard checks + Critic semantic check + business-signed thresholds. Miss any layer and it is an incident waiting to happen.

Take "small refund" Workflow as example. Standard Step sequence:

small_refund:
  Step 1: check_params   ← missing params → human_review, do not continue
  Step 2: query_order    ← grab order facts
  Step 3: validate       ← Rules hard checks: amount ≤ thresholds.max_amount
                                              order_date within 7-day window
                                              no 24h duplicate refund
                                              special biz-type blacklist (biz_type_code)
  Step 4: critic_check   ← LLM Critic semantic check, fail-closed
  Step 5: execute_refund ← actually call the write Tool (read_only=False)
  Step 6: notify         ← send result to customer

Miss any defense layer and write-op safety degrades. Architects reviewing a write Workflow should check against this diagram — validate not connected to Rules / critic_check not connected to LLM Critic / not going through Service ABC and directly hitting Adapter — any one missing is an "incident waiting to happen."

Each layer's specific responsibility in this orchestration:

Workflow invariants (DSL layer):

• Entry Step must be check_params. Cannot skip parameter validation.
• Write-op Tools must be called after critic_check Step.
• max_steps safety limit (default 10), prevents LLM loops consuming resources.
• human_review=True exits the workflow immediately. LLM cannot keep pushing.
• trigger="event" (scheduled-task driven) suppresses delta events — does not actively push messages to customers.

Rules layer (thresholds.yaml + code RuleEngine):

• Business signs in docx → converts to thresholds.yaml → code loads at boot. All amount thresholds / time windows / blacklists read from here.
• One change → workflow rule + Pydantic Field(le=...) + /api/rules/thresholds display all update.
• thresholds.yaml must have a business-signed version. Engineering cannot add rules unilaterally to production.

Critic layer (LLM semantic check):

• fail-closed (Part 3 covers this end-to-end) — LLM timeout / malformed JSON / API 5xx all default to "reject."
• Input = order facts already queried by workflow + Rules check results. Not the user's raw message.
• Output = approve / reject + reject reason (logged to audit log).

Write Tool layer (actually calls external system):

• Goes through Service ABC → Adapter. LLM does not see Adapter.
• The entire call chain + input + output + decision basis goes to Langfuse trace → compliance audit can find it.

Miss any of these 4 layers and the write operation's safety degrades. The most common collapse I have seen is the Rules layer — business stakeholders never signed docx, engineering set their own thresholds and shipped, six months later business questions "who set this number?". The architect must pin this down at project kickoff: all Rules must have business + legal docx signed versions; unsigned does not ship.

6 External Systems × 25 APIs — Sign-Off Checklist for Your Next Architecture Review

Conclusion first: a typical enterprise customer-service Agent project integrates 6 major external systems with about 25 APIs. This checklist drops straight into your next architecture review — every row's "layer placement / status / owner / notes" should be explicit by end of meeting.

#	External System	API Category	Count	Layer	Status
1-5	Order OMS	list_orders / get_order_detail / cancel_order / get_admin_region / oauth_token	5	Adapter ✓ + Service ABC ✓ + Tool ✓	✅ Ready
6	Order OMS	request_refund (whether same endpoint as #14 — TBD)	1	Adapter pending schema	🚧 Missing definition
7-9	Ticket platform	create_ticket / query_ticket / cancel_ticket	3	Adapter Stub + Service ABC ✓ + Tool ✓	🚧 Stub (schema pending)
10	Logistics provider A (primary)	track_logistics (signed auth)	1	Adapter Stub + Service ABC ✓	🚧 Stub (signature formula pending)
11-13	Logistics provider B (backup)	track / intercept / receiver_change	3	Completely missing	🚧 No Adapter at all
14-15	Aftersales	refund_apply / aftersales_status	2	Adapter ✓, workflow integration pending	🟡 Partial
16-19	Public ecommerce platforms (multiple)	order_query / logistics / refund	4-8	Mock contract (business not locked)	🚧 Mock-only
20-21	Invoice	invoice_status / invoice_issue	2	Adapter ✓, workflow integration pending	🟡 Partial
22	FAS (price-diff refund)	refund_diff	1	Completely missing	🚧 Business scope TBD
23-25	Data audit dashboard	DB direct read (data team owns)	3	Out of Agent scope (data team's responsibility)	➖ Out of scope
26	Customer-service IM	webhook + push_message	1+1	Inbound Adapter ✓ + outbound Stub	🟡 In progress
27	Knowledge base center	KB sync + reload	2	Internal KB Center, separate layer	✅ Ready
28	Warehouse WMS	get_shipment_status (dual-source verification)	1	Stub, fail-closed → human review	🚧 Stub (interface pending)

Total: 25-28 APIs across 6 major systems — this is a real project's integration list (desensitized). At your next architecture review, the architect pulls out this table and asks each row "where is the layer placement? Who is the owner? Stub or real? Did business sign off?" — 30 minutes gets the project's real integration state. 10× more useful than looking at a slide with 25 green checkmarks.

The color distribution on this table is the project's real "integration health score." Many red rows = project is still in "wiring up interfaces" phase. Yellow heavy = able to run but workflow not integrated. Green dense + concentrated on core systems (OMS / KB) = ready for canary. The architect updates this every two weeks.

Several signals the architect must read from this table:

1. "Stub + fail-closed → human review" is the normal state, not a bug — the WMS interface is not out yet; the Adapter's StubWmsShippingClient returns UNKNOWN by default, triggering fail-closed → human review. This is by design, not an excuse to "wait for the interface before development."
2. "Mock contract" ≠ "fake data" — public ecommerce platforms are not locked, but as long as the schema is signed, QA can run all E2E scenarios on Mock. Mock is the contract implementation of Service ABC, not "placeholder fake data."
3. "Out of Agent scope" is an architecture decision, not headcount lacking — #23-25 data audit dashboard belongs to the data team; the Agent should not read business databases directly. Drawing this boundary clearly prevents the Agent team's scope from sprawling infinitely.
4. "Special biz-type blacklist" goes in thresholds.yaml — a handful of biz_type_code values (maintained by business, loaded from a signed-off version) trigger no-pass. It ships only after business signs docx. This kind of business rule is the responsibility of the Critic+Rules layer, not the Tool layer.

5 Things to Drive This Week: Stop the "Waiting on Vendors" Loop

As the Agentic rollout owner, after reading this, drive these 5 things next week — any one missed and 3 months later a vendor change or compliance audit will be the incident:

1. Draw a "5 layers × 6 systems" integration matrix and pin it in Confluence. For each external API: which layer does it live at (Adapter / Service ABC / Tool / Workflow / Critic), who owns it, Mock or Real, business signed or not — all explicit on one table. This table is the actual foundation of "swap vendor with no pain" — without it, six months later a vendor change costs 3 weeks of overtime.

2. Enforce that all Tools import ABCs, not Adapters directly. This is a hard convention at the code-style level — one grep finds violations. from app.adapters.order_gateway import ... appearing in the Tool layer = architecture violation = PR blocked from main. Without this enforced, all Service ABC's benefits evaporate.

3. Scan all write-op Tools' Workflows for critic_check Step. Write a simple script that traverses workflow DSLs and verifies that every read_only=False Tool is preceded by a critic_check Step. Missing = D7 dimension failure (covered in Part 7) = not allowed to ship.

4. Run thresholds.yaml past business + legal for docx sign-off. Amount thresholds, time windows, special biz-type blacklist, item-tag whitelist — all numbers and lists appearing in the Rules layer must be business-signed and legal-backed. An unsigned thresholds.yaml in production is a compliance risk.

5. Align with external dependency owners on 5 outstanding interface schemas: ticket platform output fields, WMS shipment status query, logistics signature formula, invoice endpoints, public ecommerce API. Each pending item gets an owner + deadline + blocking impact. Unlocked means Mock stays Mock — never gets to Real.

After driving these 5 things, next month the project will have clear boundaries on "enterprise API integration" — at architecture review meetings you no longer rely on "we integrated 25 APIs" as a one-liner, but instead bring a table showing every API's layer, owner, status, and signoff. This is what enterprise-grade Agentic actually looks like.

Take These Tools Into Your Next Architecture Review

The deepest takeaway from running customer-service Agent projects this year: the biggest cost of enterprise-grade Agentic rollouts is not in the algorithm, not in the model, not in the vector DB — it is in whether the layering on the "external API integration" segment is clear. 99% of projects can demo 7 Tools within 3 months. But only the projects that have drawn the 5-layer + 6-systems + 25-APIs matrix on the wall survive the first vendor swap, the first compliance audit, the first production incident six months later.

This piece's core contribution is turning architecture boundaries into a concrete checklist you can take to the next review whiteboard: the 5-layer responsibility table lets you decide "Adapter does what / Service ABC does what / Tool does what / Workflow does what / Critic does what"; the 6 systems × 25 APIs matrix lets you assess the real integration state in 30 minutes; the 4-layer write-op defenses give you a complete call chain to show during compliance audit; the thresholds.yaml business-signoff discipline keeps you from being questioned six months later "who set this threshold?".

If you're shipping an enterprise Agentic system from kickoff to launch, print this and bring it to your next architecture review — it'll likely save you a "vendor swap means rewrite in half a year" cost.

---

Send me the keyword "API layering" and I'll send the pack:

1. 5-layer responsibility checklist (Adapter / Service ABC / Tool / Workflow / Critic — what each does / does not / Owner; one-page PDF)
2. 6-systems × 25-APIs integration matrix template (fill for your own project, drop straight into Confluence)
3. Tool contract checklist (description / JSON Schema / read_only / LLM-friendly language template)
4. Rules business sign-off template (thresholds.yaml + docx sign-off sheet — usable by business + legal directly)

Channels in the footer — X or email both work.

---

Next up: Part X of this series will unpack "evolving a Chinese intent system from 36 to 48 intents — the corpus → codebook annotation methodology." How does the "48-intent classification" / "Layer1 / Layer2 / Layer3 / action / escalate / system / fallback" hierarchy mentioned across this piece evolve from an initial 36 intents? The answer is not "write another prompt version" — it is let the customer-service utterance corpus, annotator judgments, and Critic intercept events all flow back into the codebook. This is the most critical data engineering decision before D1 accuracy can rise.