# How Verification Gates and Runtime Feedback Loops Operate in Autonomous Agents > Understand verification gates and runtime feedback loops in autonomous agents. Discover how these systems ensure safety and observability by filtering LLM tool calls and managing execution logs. - Repository: [Rohit Ghumare/ai-engineering-from-scratch](https://github.com/rohitg00/ai-engineering-from-scratch) - Tags: deep-dive - Published: 2026-06-05 --- **Verification gates and runtime feedback loops operate as a deterministic, layered safety and observability system where ordered gates filter LLM tool calls before dispatch and feedback loops capture, redact, and rotate execution logs to bound memory and prevent secret leakage.** In the `rohitg00/ai-engineering-from-scratch` repository, verification gates and runtime feedback loops form the backbone of a secure agent architecture. The implementation demonstrates how to intercept tool calls with deterministic checks and audit every subprocess execution without exposing sensitive credentials. Understanding how verification gates and runtime feedback loops operate is essential for building autonomous systems that remain both safe and observable. ## Verification Gates: Deterministic Pre-Dispatch Safety Verification gates sit between an LLM-generated tool call and the actual tool dispatch. According to the source code in [`phases/19-capstone-projects/25-verification-gates-observation-budget/code/main.py`](https://github.com/rohitg00/ai-engineering-from-scratch/blob/main/phases/19-capstone-projects/25-verification-gates-observation-budget/code/main.py), each gate implements an `evaluate(call, ctx)` interface that returns a `GateDecision` of **ALLOW** or **DENY** together with a reason. ### Core Data Structures The implementation defines tightly coupled dataclasses in lines 25–132 of the capstone module. A **`ToolCall`** dataclass represents the tool request, an **`ObservationLedger`** tracks cumulative tokens observed per turn and per tool, and a **`GateContext`** read-only bundle passes the ledger, current turn, and history into each evaluation. ### GateChain Evaluation and Short-Circuiting The harness assembles gates into a **`GateChain`** (lines 288–303) that evaluates checks in a fixed order from cheapest to most expensive. The chain **short-circuits** on the first denial, so expensive checks—such as token-budget validation—are only performed after all prior gates have passed. This ordering keeps per-call overhead minimal while enforcing strict safety constraints. ### Concrete Gates and Observation Budgets The repository provides four concrete gates and an optional fifth in lines 145–258: - **WhitelistGate**: Allows only pre-approved tool names. - **RegexGate**: Matches arguments against permitted patterns. - **RecencyGate**: Enforces temporal ordering constraints. - **BudgetGate**: Reads `ctx.ledger.cumulative()` and denies the call when the total observation token budget is exhausted. - **PerToolBudgetGate** (optional): Applies an additional per-tool token ceiling. Each gate implements the **`VerificationGate`** protocol, returning a **`GateDecision`** to the orchestrator. Because the ledger updates only after a successful tool call, the budget always reflects real consumption rather than projected usage. The design follows the architectural diagram described in [`docs/en.md`](https://github.com/rohitg00/ai-engineering-from-scratch/blob/main/docs/en.md) lines 32–40. ### Building and Running the Gate Demo The following example imports the default chain and runs a synthetic session that exercises multiple gates, including a denied call: ```python from phases.19_capstone_projects.25_verification_gates_observation_budget.code.main import ( build_default_chain, run_synthetic_loop, _demo_tools, ToolCall, ) # Build the canonical chain (whitelist → regex → recency → budget) chain = build_default_chain(budget=200) # Define a short synthetic session calls = [ ToolCall(turn=1, tool="list_dir", argv=("./",)), ToolCall(turn=2, tool="read_file", argv=("main.py",)), ToolCall(turn=3, tool="read_file", argv=("README.md",)), ToolCall(turn=4, tool="run_tests", argv=("./",)), # This call will be denied by the whitelist gate ToolCall(turn=5, tool="shell", argv=("rm", "-rf", "/")), ] report = run_synthetic_loop(calls, chain, _demo_tools()) print("Allowed:", report.allowed, "Refused:", report.refused) for i, (call, outcome) in enumerate(zip(calls, report.decisions)): print(f"{i}: turn={call.turn} tool={call.tool} → {'ALLOW' if outcome.allow else 'DENY'}") if not outcome.allow: print(" reason:", outcome.deny_reason) ``` The demo prints a decision trace and will exit with a non-zero status if no refusal occurs, as implemented in `run_demo`. ## Runtime Feedback Loops: Secret-Safe Execution Capture While gates prevent unsafe dispatches, runtime feedback loops handle execution after a call is approved. The implementation in [`phases/14-agent-engineering/37-runtime-feedback-loops/code/main.py`](https://github.com/rohitg00/ai-engineering-from-scratch/blob/main/phases/14-agent-engineering/37-runtime-feedback-loops/code/main.py) captures every subprocess execution, enriches it with metadata, and guarantees bounded memory through log rotation. ### FeedbackRecord and the run_with_feedback Wrapper The **`run_with_feedback`** function (lines 103–155) wraps `subprocess.run` to spawn a command, capture stdout and stderr, and return a **`FeedbackRecord`**. Each record is appended to `feedback_record.jsonl` and includes command IDs, exit codes, duration, truncation stats, and an optional parent command ID for retry linking. ### Redaction and Deterministic Truncation Before persisting output, the harness applies two safety transforms: 1. **Truncation**: `deterministic_tail` (lines 70–76) preserves the first `HEAD_LINES` and last `TAIL_LINES` of long streams, inserting a clear truncation marker. 2. **Redaction**: Compiled **`REDACTION_PATTERNS`** (lines 30–39) scrub bearer tokens, passwords, AWS keys, Slack tokens, and private keys from logs. These steps ensure that execution records remain compact and safe to store without leaking credentials. ### Log Rotation and Retry Reconstruction The **`maybe_rotate`** function (lines 85–102) caps the active log at 1 MiB and maintains up to five historic files, removing the oldest to bound disk usage. This rotation policy prevents unbounded growth during long agent runs. Later, **`load_all`** reads the full rotated set, **`retry_chain`** walks `parent_command_id` pointers to reconstruct retry histories (lines 164–200), and the harness can check whether the loop may advance. ### Running a Command with the Feedback Loop The snippet below executes a command through the feedback wrapper and inspects the resulting record: ```python from phases.14_agent_engineering.37_runtime_feedback_loops.code.main import run_with_feedback # A harmless command – its stdout will be captured and redacted if needed record = run_with_feedback( ["python3", "-c", "print('Authorization: Bearer secret123'); print('All good')"], agent_note="demo redaction" ) print("Command ID:", record.command_id) print("Exit code:", record.exit_code) print("Redacted stdout tail:", record.stdout_tail) print("Redactions:", record.redactions) ``` The resulting `FeedbackRecord` is appended to `feedback_record.jsonl`; subsequent calls can read it via `load_all()`. ## How the Two Systems Integrate The feedback loop and gate chain are not independent. The runtime feedback loop writes executed tool results back into the **observation ledger**, and the gate chain reads that same ledger through `GateContext`. This linkage creates a closed control flow: the feedback loop guarantees safe, auditable execution, while the gate chain ensures the model never exceeds its observation budget or invokes disallowed tools. Together they provide a deterministic, observable, and secure control flow for autonomous agents. ## Summary - **Verification gates** intercept every LLM tool call through a `GateChain` that short-circuits on the first denial, running cheapest checks first. - **Runtime feedback loops** wrap subprocess execution in `run_with_feedback`, producing redacted, truncated `FeedbackRecord` entries written to a bounded JSONL log. - The **observation ledger** links both systems by feeding real token consumption back into the gate context, enabling budget-aware decisions. - **Redaction and rotation** guarantees prevent secret leakage and unbounded disk growth, making the architecture suitable for long-running autonomous agents. ## Frequently Asked Questions ### What is the purpose of a GateChain in autonomous agents? A `GateChain` sequences deterministic verification gates from cheapest to most expensive and short-circuits on the first denial. This ordering minimizes overhead while blocking unsafe LLM tool calls before they reach the dispatch layer. ### How does the observation budget prevent runaway token consumption? The `BudgetGate` reads `ctx.ledger.cumulative()` to compare total observed tokens against a fixed ceiling. Because the ledger updates only after a successful call, the budget reflects actual rather than predicted usage. ### Why does the runtime feedback loop redact logs before writing them? The harness compiles `REDACTION_PATTERNS` to scrub bearer tokens, AWS keys, passwords, and private keys from stdout and stderr. This ensures that execution audit trails remain safe to store and share without leaking credentials. ### How do verification gates and runtime feedback loops work together? The feedback loop populates the observation ledger with real tool results, and the gate chain reads that ledger through `GateContext`. This creates a closed loop where execution observability directly informs pre-dispatch safety checks.