Practice questions

Correct: A system that decides per request which tool to call, then picks its next step from the result

Model layer: measure the base LLM's factual accuracy on a curated QA set (metric: exact-match or accuracy) — e.g. does it state the correct refund window for a policy question. Application layer: evaluate the RAG retrieval pipeline (metric: NDCG@k or recall@k over query–document pairs) — do the correct knowledge-base articles come back for a query? Agent layer: measure end-to-end multi-turn task completion (metric: resolution rate within N turns) — does the agent gather information, retrieve, draft, and escalate correctly across a conversation? The point is that each layer catches a different failure: a perfect model can still fail at the agent layer if routing or escalation is broken. Common wrong answer: giving three variants of end-to-end accuracy — that only exercises the agent layer and cannot localise a retrieval or model fault.

Leaderboards measure isolated-model capability on general benchmarks (model evaluation); they say nothing about how the model performs inside your prompts, retrieval, and tools on *legal* data (system evaluation). Benchmark scores also suffer saturation, possible training contamination, and distribution mismatch with a specialised legal domain. The right process: use the leaderboard to shortlist two or three candidates, then run system evaluation on a curated set of representative legal queries with domain-appropriate criteria — citation correctness, hallucination rate, refusal on out-of-scope questions — and pick the winner on that. Common wrong answer: "the top-ranked model is the safe choice" — ranking predicts general capability, not domain performance; the only decision-grade signal is evaluation on your own data.

Correct: Agent layer — tool selection is a routing decision specific to multi-step agents

Router: the LLM function-calling step that chooses among the four skills. Skills: flight search, loyalty-balance check, reservation hold, and email drafting (each possibly multi-step). Memory/state: the trip parameters and conversation history carried between steps. Evaluate the router first — if it picks the wrong skill, all downstream work is wasted, and routing is the most common origin of agent failure. Build a labelled dataset of user messages paired with the expected skill and measure per-category routing accuracy, then move to the lowest-scoring skill. Common wrong answer: "evaluate the final email quality" — that is an end-to-end measure that tells you *that* the agent failed, not *where*; a routing error would masquerade as a bad skill output and send you debugging the wrong component.

An AI agent is a software system that takes actions on a user's behalf using reasoning. Its three core capabilities are reasoning (the LLM decides what to do), routing (selecting which tool or skill to call), and action (executing the tool), looping on the result. What distinguishes it from a fixed prompt chain is that the agent decides *what to do next* at run time, rather than following a predetermined sequence of steps. Common wrong answer: "an agent is any application that calls an LLM" — that conflates an application with an agent; without run-time routing and decision-making it is a fixed application, not an agent.

Move evaluation from a once-per-release gate to a per-change feedback loop. Concretely: maintain a versioned evaluation dataset and a one-command eval run; on every prompt or code change, trace the agent, run the component and end-to-end evals, and read the scores before merging — not the night before release; then iterate immediately on the worst-scoring component. Wire the eval run into CI so it cannot be skipped. The change is timing and granularity: regressions surface at the commit that caused them (cheap to localise) instead of accumulating until a pre-release batch run (expensive to trace back days later). Common wrong answer: "run the full eval suite twice before release instead of once" — that is still a gate; it does nothing to tell you *which change* introduced a regression.

The three steps are: trace (capture each step's inputs and outputs), evaluate (score each component against its criteria — routing accuracy, skill output quality, and so on), and iterate (fix the worst-scoring component) — repeated on every code or prompt change. The difference from a pre-deployment gate is timing: evaluation-driven development makes evaluation the primary feedback loop *during* development, so regressions surface immediately and are cheap to localise, whereas a gate catches them only at the end when they are expensive to trace back. Common wrong answer: "it's the same as running the test suite before release" — that is exactly the gate model EDD replaces; EDD evaluates continuously, not once at the end.

End-to-end task-resolution rate is necessary but not sufficient. What it catches: whether the agent succeeded overall, reflecting real user outcomes — keep it. What it misses: *where* and *why* it failed. A single number aggregates router, skill, and state failures, so a drop can't tell you which component broke; the multiplicative-accuracy effect means several mediocre components can sink the rate invisibly; and rare failure modes hide inside the average. What to add: component-level evals (routing accuracy, per-skill output quality) and trajectory/trace inspection so a regression localises to a layer, plus slicing by query type to expose rare failures. Layer the metric to the failure mode — end-to-end for outcome, component for diagnosis. Common wrong answer: "resolution rate is ground truth, so it's enough" — it is the right *outcome* metric but cannot localise failures, which is exactly what you need to fix them.

Correct: Benchmark scores measure isolated-model capability, not performance inside their prompts, retrieval, and tools

Correct: 81% — independent step successes multiply (0.9 × 0.9)

Traditional testing assumes identical inputs yield identical outputs, so a single passing run proves correctness. LLM systems violate this: the same input can produce different outputs across runs (sampling temperature, floating-point non-associativity, batching, provider-side model updates). A single run is therefore a *sample*, not a proof — a change can raise average quality while introducing rare failures one run never surfaces. So testing must be statistical over a representative dataset, re-run on every change, comparing score distributions rather than asserting one pass/fail. Temperature 0 reduces variation but does not eliminate it (floating-point, batching, and provider drift remain), so it does not restore determinism. Common wrong answer: "set temperature to 0 and it becomes deterministic" — it lowers variance but production outputs still drift.

Correct: Routing decisions occur at many nodes, so coverage must reach every one

Centralised routing puts every decision in a single router: easy to trace and evaluate (one decision point, one routing dataset to build), but a bottleneck for complex branching flows. Distributed routing (LangGraph, Swarm-style graphs) spreads routing across the graph: more flexible and scalable for complex or parallel multi-agent flows, but harder to evaluate because routing decisions occur at many nodes, each a separate place a wrong turn can originate — so evaluation coverage must reach every node, not just one. The distributed option is the right choice when the workflow is genuinely too complex or parallel for a single router and you accept the cost of instrumenting and evaluating each decision point. Common wrong answer: "distributed is better because it is more flexible" — flexibility trades directly against evaluation coverage; for many agents a centralised router is far easier to make reliable.

Run the new prompt against a fixed, representative evaluation dataset — dozens to hundreds of inputs covering the real query distribution — not one demo. Generate several samples per input to estimate variance, score outputs against defined criteria (a quality metric and/or LLM-as-a-judge), and compare the *distribution* of scores to the previous prompt: check the average AND the tail (rare failures), plus any regression in downstream components that consume the summary. Ship only if the aggregate improves with no tail regression. Common wrong answer: "re-run the demo a few times and eyeball it" — too few samples on unrepresentative inputs; you need a curated dataset and a statistical comparison to detect the rare failures that hide behind a good average.

Correct: Misrouting is an agent-layer failure; MMLU measures model-layer knowledge, not routing

Correct: Automatic instrumentation hooks the LLM client only; the router needs a manual span

Router: 2,000 × 1 × 200 = 400,000 tokens/day → 400 × $0.02 = $8.00/day. Skill: 2,000 × 0.40 × 1 × 1,000 = 800,000 tokens/day → 800 × $0.02 = $16.00/day. So the skill, despite running on only 40% of queries, costs twice the router. Method: tokens = queries × share × calls × tokens-per-call, then tokens ÷ 1,000 × price. Common wrong answer: forgetting the 40% share and charging the skill on all 2,000 queries ($40/day) — the per-skill frequency taken from the traces is exactly what prevents that error.

Correct: Move that skill's highest-token sub-step to a cheaper model

Tracing is on but only the outermost (or a single) span is being created — there is no manual instrumentation of the orchestration, so the router/tool structure is collapsed into one node. Concrete fix: instrument outside-in — start_as_current_span for an Agent span around the run, a Chain span inside each router-loop iteration, and a Tool span around each skill dispatch. With current-context nesting the auto-traced LLM calls drop into place and the tree becomes Agent contains Chain contains Tool contains LLM. Now a misroute localises to a Chain span and a bad tool output to its Tool span. Common wrong answer: "increase log verbosity" — more flat logs add no structure; you need nested spans at the boundaries.

A trace is the end-to-end record of one agent run; a span is one step inside it. Example span kinds: an Agent span for the whole run, a Chain span for a router iteration, a Tool span for a skill invocation, an LLM span for a single model call. They relate as a tree — the trace is the root, spans nest beneath it sharing one trace ID, and the nesting mirrors the agent's structure (Agent contains Chains, which contain Tools, which contain LLM calls). Common wrong answer: "a trace is just a list of log lines" — it is a hierarchical tree, and that hierarchy is what makes it navigable and evaluable.

Build a labelled evaluation dataset from the traces: sample real queries and their correct skill (the router target), read from the Chain/Tool spans. On each candidate release, re-run the agent over that fixed dataset, extract the router's chosen skill from the new traces, and compute per-category routing accuracy. Compare against the previous release's score and gate the release if accuracy drops on any category. Optionally layer an LLM-as-judge over skill outputs for quality. The point: traces supply both the dataset and the per-version comparison, so a regression appears as a score delta rather than a user complaint. Common wrong answer: "eyeball a few recent traces before release" — unrepresentative and not comparable across versions; you need a fixed dataset and a numeric comparison.

They created spans bottom-up and as roots, so nothing establishes parent–child links — each LLM span becomes its own tiny trace instead of a nested step, and Phoenix shows a flat list. Fix: instrument outside-in using current-span context — open an Agent span for the run, a Chain span per router iteration, and a Tool span per skill with start_as_current_span (or the equivalent context manager), so each inner span attaches to the currently-active parent. The LLM-call spans then nest under their Tool/Chain parents automatically. Common wrong answer: "add a parent_id attribute to each span by hand" — brittle and easy to get wrong; let the tracer's current-context nesting build the tree.

Correct: Agent, Chain-per-iteration, and Tool-per-skill spans

Apply outside-in. Wrap run_agent() in an Agent span. Inside the router loop, wrap each iteration in a Chain span. Inside each iteration, wrap every skill/tool call in a Tool span named for the function. Leave the model calls to automatic instrumentation — they appear as LLM spans nested correctly because the enclosing with-blocks are the current span. The nesting falls out of the block structure, giving Agent contains Chain contains Tool contains LLM. Common wrong answer: "wrap each LLM call in its own top-level span" — that produces a flat list of LLM spans with no router or tool structure; start from the outermost layer and let inner spans attach to the current parent.

Three lines, zero agent edits: register() to point at the Phoenix collector, OpenAIInstrumentor().instrument() to auto-trace every model call, and launch Phoenix. Visible immediately: every LLM call's prompt, completion, token count, and latency. Invisible until manual spans are added: the router's iterations and decisions, and the tool dispatch (which skill ran, with what inputs/outputs) — plus things like retry logic. They are invisible because automatic instrumentation only hooks the LLM client, not your orchestration code. Common wrong answer: "manually instrument everything first" — too slow for a demo deadline; automatic gets you from zero to useful in minutes.

Correct: Agent ⊃ Chain ⊃ Tool ⊃ LLM

Inspect the search_kb Tool span first — specifically its two children: the "Generate Query" LLM span and the "KB Search" API span. Two causes it localises: (1) the generated search query was poor or empty (visible in the Generate Query span), so retrieval missed the article; or (2) the query was fine but the API span returned no or irrelevant results (a retrieval/index problem). If both look correct, move up to the answer Tool span to see whether good context was retrieved but ignored. Common wrong answer: "inspect the final answer LLM span" — that is the symptom; the cause is upstream in retrieval, which the span tree lets you reach directly.

Correct: A trace is the whole run; a span is one nested step, and spans form a tree

Correct: Each trace holds full inputs/outputs/steps, so evaluators can score thousands of runs

Add the Agent span first (wrap run_agent) so every later span has a root and traces group per run. Next the Chain span per router iteration — routing bugs live here, so it is the highest-value debugging boundary. Then Tool spans per skill, so per-skill cost/latency attribution and skill-level failures become visible. Lowest priority: wrapping individual sub-steps and retry logic, added where a specific skill needs a finer breakdown. The order follows debugging value: structure (Agent) → routing (Chain) → skills (Tool) → details. Common wrong answer: "wrap individual sub-steps first" — fine-grained spans are useless without the enclosing Agent/Chain structure to hang them on.

Use automatic instrumentation when you want immediate LLM-level visibility with no code changes — prototypes, demos, or any case where you mainly care about prompts, completions, tokens, and latency. Use manual instrumentation when you need to see your own logic: router iterations, tool dispatch, retries, multi-step skills — anything that is not an LLM API call. In practice you combine them: auto first for instant coverage, then manual spans wherever the trace shows gaps. Lean manual-heavy when the failures you debug are routing/orchestration bugs; auto-only is fine when the only thing that varies is the model call. Common wrong answer: "manual is always better because it is more complete" — it is also more work and error-prone (a missed span is a hole); start auto and add manual only where needed.

Code-based evaluation: programmatic checks (exact match, JSON validation, SQL result-set diff, cosine similarity) — 100% reproducible, free, fast, but only for codifiable criteria. LLM-as-a-judge: a separate LLM classifies the output into discrete rails — scales to subjective/qualitative output and handles nuance, but is never fully accurate. Human annotation: human labellers or end-user feedback — the most accurate, the standard for safety-critical or ambiguous judgments, but slowest to scale and prone to selection bias. Use code-based when you can write an assert, an LLM judge for prose/judgment, and humans where a wrong answer is dangerous. Common wrong answer: "LLM-as-a-judge is strictly best because it scales and is accurate" — it scales but is never fully accurate, and it's wasteful where a deterministic check would do.

Build a labelled dataset of representative queries, each tagged with the ground-truth tool and the ground-truth parameter values. Then score two independent dimensions: (1) tool-selection accuracy — exact match of predicted vs expected tool; (2) parameter-extraction accuracy — given the correct tool, whether the extracted argument values match the expected ones. Report them separately (and the product as end-to-end router accuracy), with a per-category breakdown so you can see which query types misroute. This localises the bottleneck: a strong tool score with a weak parameter score tells you where to invest. Common wrong answer: "measure one combined router-correct/incorrect score" — it hides which dimension fails, and the two fail independently, so you can't tell tool errors from parameter errors.

Compare the trace against the ground-truth label on both dimensions separately. First check the chosen tool against the expected tool: if it differs, it's a tool-selection failure. If the tool matches, inspect the extracted arguments against the expected parameter values: a mismatch there is a parameter-extraction failure. Confirm by re-running a few near-identical queries where only the tool-ambiguity (or only the parameter difficulty) varies — if failures track the parameter variation while the tool stays correct, it's parameter extraction. The router's two-dimension breakdown is exactly what makes this attribution possible from the trace. Common wrong answer: "the answer was wrong, so the router failed" — that doesn't say *which* dimension; you must check tool and parameters separately.

To isolate parameter extraction, pick queries whose correct tool is unambiguous so tool selection can't be what fails, but whose parameters are easy to mis-extract. Example 1: "Check the shipping status for order 12345" — only the shipping tool plausibly applies, but the agent may pass 12345 as a tracking_id instead of an order_id. Example 2: "Show sales from January to March" — clearly the sales-report tool, but the agent may reverse the start and end dates. In both, a failure can only be parameter extraction, not tool choice. (To isolate tool selection instead, you'd use queries with trivial/no parameters but an ambiguous tool.) Common wrong answer: a query that is ambiguous about both the tool and the parameters — a failure there can't be attributed to one dimension.

Use LLM-as-a-judge constrained to discrete rails — e.g. faithful/unfaithful, or complete/incomplete — never a numeric score. Write a judge template that states the criterion and asks for one rail label given the source and the summary; run it over the summary spans with llm_classify(rails=[...]); wrap the run in suppress_tracing() so the judge's own LLM calls don't pollute the agent's traces; then log_evaluations() to attach the labels back to the spans. Validate the judge against a small human-labelled sample to estimate its agreement before trusting it. Common wrong answer: "have the judge rate each summary 1–10 and average" — uncalibrated numeric scores are noise; rails are what make the judge reliable.

Correct: 72% — independent dimensions multiply (0.90 × 0.80)

End-to-end router accuracy = 0.92 × 0.88 = 0.8096 ≈ 81%. It is below both factors because both independent dimensions must succeed, so each one discards a fraction of the other's successes — the product is bounded above by the smaller factor (0.88) and is always ≤ either. To reach 90% end-to-end you need the product ≥ 0.90; holding tool selection at 0.92, parameter extraction must reach 0.90 / 0.92 ≈ 0.978, i.e. ~97.8% — so you'd realistically lift both dimensions, not one. Common wrong answer: "average them to ~90%" — independent component rates multiply, they don't average.

An LLM cannot calibrate a fine numeric scale — it cannot reliably distinguish 79 from 83 — so the numbers are noise with the appearance of precision, and averaging them aggregates that noise into a confident-looking figure that doesn't track real quality. The fix is to use 2–4 discrete rails (e.g. correct/incorrect, or faithful/partially/unfaithful) so the judge does only what it does reliably: classify. If you need a finer signal, add more *labels* with clear definitions, not a wider numeric range. Common wrong answer: "use a larger judge model to calibrate 1–10" — the problem is the task (uncalibrated numeric scoring), not model size.

Correct: LLMs are poor at calibrating a numeric scale; use 2–4 discrete rails instead

Correct: Only parameter-extraction accuracy catches it — tool selection scores it a pass

Execute the generated visualisation code in a sandboxed subprocess with a timeout and no filesystem/network access; if it exits without an exception, mark it "runnable," else capture the error as the failure reason. That is a code-based check and catches syntax errors, bad API calls, and missing columns. But runnability is necessary, not sufficient: code that runs can still plot the wrong data or the wrong chart type. Layer a semantic check on top — compare the rendered output (or the data it plotted) against expectations, or use an LLM judge on a description of the chart — to catch "runs but wrong." Common wrong answer: "if it runs, it's correct" — runnability and correctness are different gates.

Row ordering: SQL result order is non-deterministic without ORDER BY, so comparing result sets as ordered lists fails logically-correct queries — compare as sets (or sorted tuples). Floating-point columns: exact equality breaks on rounding, so compare numerics within ±ε. Timeouts: a bad query can full-scan or loop, so wrap execution in a timeout and treat it as a failure mode. Destructive queries: a generated DROP/DELETE could mutate the test DB, so run on a read-only connection or in a rolled-back transaction. Also distinguish failure modes (execution error vs wrong columns vs wrong rows) so the score carries a reason. Common wrong answer: "diff the two result lists directly" — that flags correct queries whose rows came back in a different order, the most common false negative.

Correct: So the judge's own LLM calls aren't recorded as spans in the agent's traces

Correct: Code-based — compare the number to the expected amount within tolerance

Order-lookup (SQL) → code-based: execute and compare result sets, $0. Complaint-summary (free text) → LLM-as-a-judge with rails: qualitative, no ground-truth string, 1,000 × $0.01 = $10/day. Refund-calculator (dollar amount, known value) → code-based: numeric compare within tolerance, $0. Daily total = $10, because two of the three skills are code-evaluable — routing all three to an LLM judge would cost $30/day for no accuracy gain on the deterministic ones. Common wrong answer: "use an LLM judge for all three to be safe" — it triples cost and adds error to outputs a deterministic check settles exactly.

Correct: Code-based: reproducible but codifiable-only; LLM-judge: scalable, imperfect; human: most accurate, slowest

Read the whole row, not an aggregate. V2 (new prompt) improves routing (+2pp) and SQL (+3pp), improves clarity, holds runnability, and adds only ~0.1s latency — broad gains, no meaningful regression. V3 (new model) has the best routing and SQL but regresses clarity and runnability and more than doubles latency. Ship V2: it's a clear improvement with no dimension clearly worse, whereas V3 trades correctness for clarity/latency losses a latency SLO might reject. Before committing, get statistical significance, a per-category breakdown, cost/query, and a small A/B on user satisfaction. Common wrong answer: "ship V3 because its routing and SQL are highest" — that ignores the clarity, runnability, and latency regressions the dashboard exists to surface.

"Comprehensive, not exhaustive" means cover every input *type* with 1–2 examples rather than piling up 100 near-duplicates per category. The reason is iteration speed: a small, varied dataset runs fast and stays cheap to maintain, so you can re-run it on every change — while still spanning the behaviour space enough to catch regressions. A bloated dataset slows each experiment and adds little new signal once a type is represented. Input keys are forwarded to the agent; output keys are forwarded to the evaluators for comparison. Common wrong answer: "more cases are always better" — past one or two per type you mostly buy slower runs, not more coverage.

Convergence = (runs at the minimum step count) / (completed runs). For [3, 3, 5, 3, 7, 3]: the minimum is 3, and 4 of the 6 runs hit it, so convergence = 4/6 ≈ 0.67. A key limitation: it measures consistency, not correctness — if every run shared the same unnecessary step, that waste would sit inside the minimum and convergence could still read 1.0, so it must be paired with per-step correctness evaluators. (Also filter to completed runs first: a crash after 2 steps would falsely lower the minimum.) Common wrong answer: "0.67 means the agent is 67% correct" — convergence is about path consistency, not answer correctness.

Correct: The agent takes the same minimum-step path every run — consistency, not correctness

Correct: A cross-dimension trade-off — correctness gains bought with clarity/latency regressions

Schema — input keys: query (the natural-language request, forwarded to the agent), date_range (expected extracted range, for parameter-extraction eval), category (for grouping error analysis). Output keys: expected_sql_tables (which tables the SQL should hit → enables a free code-based eval), expected_trend_direction (growth/decline/flat → an LLM-judge correctness eval), and a ground-truth data snapshot (to verify the right data was queried). Distribution (comprehensive, not exhaustive): ~1–2 cases per input type — a couple of normal categories, one sparse-data category, one invalid/future range, one ambiguous request — ~8 total, not 100 per category. Three evaluators: SQL-table check (code-based), trend-direction (LLM judge), confidence-interval-present (code-based regex). Common wrong answer: "100 cases per category to be safe" — that violates comprehensive-not-exhaustive and slows iteration without adding signal.

A trajectory is the ordered sequence of all steps — router decisions, tool calls, LLM completions — from input to final response; it records how the agent got to the answer, not just the answer. Trajectory evaluation matters because two agents can produce the same correct output via very different paths, and the longer path costs more LLM calls, adds latency, and exposes the run to more stochastic-failure opportunities. At scale that difference decides viability, so "correct" is not the same as "efficient." Common wrong answer: "only the final answer matters" — that ignores the cost and reliability the path determines.

Map it onto the four stages. Dataset: assemble test cases with input keys (the user query, expected parameters) and output keys (expected SQL tables, expected answer features). Task: a function that takes one row, runs the agent on the query, and returns its output plus metadata (the trajectory, tool calls). Run experiment: execute the task over every row, with managed parallelism and error handling, recording results as a named, versioned run. Evaluators: attach scoring functions — code-based where you have output keys (SQL table match), an LLM judge for prose — to score each result. Then compare runs across agent variants on the dashboard. Common wrong answer: "write one evaluator and run it once" — the framework's value is repeatability and versioned comparison across variants, not a single check.

Correct: Dataset → task → run experiment → evaluators

The evaluation flywheel is the self-reinforcing loop: production traces → new test cases → updated evaluators → agent improvements → better production data → repeat. Chapter 2's tracing supplies the raw production data. Its most common bottleneck is the speed of promoting a production trace into the dataset: if that needs slow manual review, the loop stalls and the eval set lags reality. The fix is automation of trace-to-dataset promotion, annotation, and evaluator updates — with a quality gate, because unfiltered bots/adversarial inputs entering the dataset degrade evaluation quality. Common wrong answer: "just collect more production data" — volume doesn't help if promotion is manual and slow, or if noisy traffic isn't filtered.

Correct: The speed of promoting production traces into the dataset

Don't ship on the score alone. A higher mean with no statistical significance may be sampling noise — likely on the small "comprehensive, not exhaustive" dataset — so first reduce the uncertainty: enlarge the eval set or run a proper A/B in production to test whether the gain is real. Meanwhile weigh the *cost*: the variant is more expensive, so even a real gain has to clear that cost to be worth it. Decision: if a larger sample / A/B confirms a significant gain that justifies the added cost (and no dimension regressed), ship; otherwise keep the cheaper incumbent. Common wrong answer: "it scored higher, so ship it" — an insignificant difference isn't evidence of improvement, and the extra cost makes a non-gain a net loss.

Combine the per-evaluator scores with context, never an aggregate alone. Steps: (1) read each evaluator dimension for gains and regressions, not the mean; (2) check statistical significance — on small datasets a 2-point gain may be noise; (3) factor cost per query and latency against any SLO; (4) get a per-category breakdown to catch a hidden regression on an important segment; (5) if it still looks good, confirm with a small A/B on real user satisfaction. Ship only if a real, significant gain justifies the cost/latency and carries no unacceptable regression. Common wrong answer: "the aggregate score rose, so ship" — aggregates hide dimension-level regressions and say nothing about significance or cost.

Wasted steps per run = avg − optimal = 7 − 4 = 3. Daily wasted steps = 15,000 × 3 = 45,000. Daily wasted cost = 45,000 × $0.025 = $1,125/day (~$410K/year). A variant that cuts the average to 5 steps wastes 1 step/run → 15,000 × 1 × $0.025 = $375/day, a $750/day saving. Method: (avg − optimal) × volume × price-per-step, as a daily dollar figure, so two variants can be compared on efficiency. Common wrong answer: comparing average step counts alone (7 vs 5) without converting to cost — the dollar figure is what makes the efficiency gain comparable to accuracy and latency on the ship dashboard.

Correct: About 17% — 10 of 58 steps were wasted (optimal is 12 × 4 = 48)

Correct: The 9-step path costs more LLM calls and latency, with more chances to fail

Correct: No — a 30% FPR passes nearly a third of wrong answers as correct

Start with the prompt — about 80% of judge failures are prompt failures. Make the criteria explicit (define what "correct" requires), tighten the output format to the rails, and add chain-of-thought if needed; re-run meta-evaluation. If agreement is still low, add 3–5 few-shot examples covering the boundary cases it gets wrong (calibration). If specific capability gaps remain, try a stronger judge model. For paraphrase false-negatives on non-binary outputs, swap exact match for semantic (embedding) similarity. Change one lever at a time so the agreement delta is attributable. Common wrong answer: "immediately switch to a bigger model" — it's the expensive lever for the least common cause; the prompt is cheaper and usually the culprit.

Agreement rate is the overall match with ground truth; the false-positive rate isolates one direction — wrong answers the judge passes as correct (leniency) — and the false-negative rate the other (strictness). They differ because a high agreement can still hide many false positives if errors cluster on the rarer class, and for a *gate*, leniency is the dangerous error: a lenient judge ships bad answers. Pick both thresholds: require overall agreement ≥ 85% AND FPR ≤ 10% (tighten the FPR cap further for safety-critical gates). Reject the judge if either fails. Common wrong answer: "agreement ≥ 90% is enough" — it can coexist with a high FPR, so a single threshold lets a lenient judge through.

Month 1 (grow): add a regression row for every production bug as it's found (~5–10 rows), so the gate starts encoding real failures. Month 2 (prune + extend): remove rows that have never triggered a failure on a stable feature, and add rows for every new feature/workflow shipped. Month 3 (stabilise): settle at ~40–60 rows with a quarterly review, keeping run time low enough to gate every PR. Throughout: add on every incident, new feature, and testing-discovered edge case; prune only stable-feature rows that never fire; never prune safety-critical rows. The guiding signal is that a gate which never fails is stale, not safe. Common wrong answer: "keep adding every case forever" — past ~100 rows the gate is too slow to run on each PR, so pruning stale non-safety rows is part of the policy.

Correct: Curated for criticality, seeded with known failures, and wired as a CI gate

A golden dataset is a curated set of must-pass scenarios used as a CI shipping gate: every agent-code change runs against it and a regression blocks the merge. It's a *living document* — it grows with every production failure (each becomes a regression row) and new use case, so it encodes institutional knowledge that new engineers inherit through the gate. A gate that passes 100% for months is a red flag, not a success: it usually means the set has gone stale and isn't covering newly added features, so it only tests what used to break. The fix is an evolution policy that adds rows on incidents/features and prunes stale ones. Common wrong answer: "100% pass means the agent is solid" — it more often means the dataset stopped keeping pace.

The golden dataset tested only pre-existing features; the new features shipped that quarter had zero coverage, so a 100% pass rate on stale rows was false confidence — the gate tested what used to break, not what might break now. Fixes: (1) require every feature-adding PR to include ≥2 golden rows covering the new feature, enforced in code review; (2) run a monthly coverage review comparing golden rows against the current feature list and flag uncovered features; (3) add a regression row within 48 hours of every production incident. Add the 3 incident cases now as regression rows. Inclusion criteria: incidents, new features/workflows, testing-discovered edge cases; removal criteria: rows untriggered for 6+ months on a stable feature, but never remove safety-critical rows. Common wrong answer: "the gate works, the incidents were bad luck" — the gate silently stopped covering the system, which is the actual defect.

Correct: Fix the prompt first — most judge failures are prompt failures

Correct: Meta-evaluate the judge against code-based ground truth before trusting its score

Ground-truth evaluator: execute the generated code in a sandbox and compare actual vs expected output — 100% accurate by construction. Dataset: ~40–50 cases mixing correct code, syntax errors, subtle logic bugs (at least ~30% of the set, since that's where leniency shows), and edge-case failures. Metrics: binary agreement rate AND false-positive rate (judge says "correct" when the code fails) — FPR is the leniency signal you specifically suspect. Acceptance: ship the judge only if agreement ≥ 85% AND FPR ≤ 10%. Common wrong answer: "measure overall agreement only" — a single rate hides the asymmetric leniency; you must break out FPR (and FNR) to see which way it errs.

Track, with alert thresholds (~>10% deviation from baseline): running evaluator scores per dimension (quality), convergence / steps-to-terminal (efficiency and loop detection), LLM-call counts per query (a spike signals a runaway loop), latency p50/p99 broken by component, and cost per query/model/skill. The failure these exist to catch is the silent regression — plausible-looking but wrong answers that throw no error, so latency and error-rate dashboards stay green; only content-quality evaluator scores over sampled live traces (plus provenance checks) reveal it. Common wrong answer: "monitor latency and error rate" alone — those miss the silent regression entirely, which is the most dangerous production failure.

Five stages: (1) collect user feedback from production; (2) augment the evaluation dataset with both successful and failed interactions; (3) run CI/CD experiments on every dataset update; (4) incorporate few-shot examples drawn from the collected data; (5) gate deployment via the golden dataset. Tracing (from the observability layer) supplies the raw data, and automation is the multiplier — each interaction makes the system incrementally better. Crucially, insert quality gates: a feedback filter before stage 2 and the human-curated golden dataset at stage 5, so noisy data can't silently degrade the agent. Common wrong answer: "retrain on all feedback automatically" — without filters and the golden gate, the pipeline poisons itself.

The human safety valve and the golden dataset are the two firewalls. The golden dataset is human-curated and fixed, so it can't be moved by noisy feedback: a pipeline update that degrades a must-pass scenario fails the gate and can't ship, even if the automated eval (which *can* drift) looks fine. The human review sample (auditing a fraction of feedback and of promoted dataset rows) catches contamination the automatic filters miss. So the pipeline automates the high-volume work but keeps two human-anchored checkpoints — the curated golden gate at deploy time and periodic human audit of the feedback stream. Common wrong answer: "trust the automated eval as the gate" — it learns from the same data the pipeline ingests, so it can be poisoned along with the agent; the gate must be independent and human-curated.

Correct: Feedback poisoning — noisy feedback contaminated the eval dataset, so the score self-confirms

Design filters that screen feedback before it enters the dataset: (1) engagement-time threshold — discard "helpful" clicks submitted within ~2 seconds of the response (too fast to have read it); (2) cross-signal validation — a positive click followed by an immediate re-query of the same topic is treated as noise, not approval; (3) confidence weighting — weight feedback from users with a history (e.g. >10 interactions) above first-touch clicks; (4) a weekly human audit of a ~10% random sample. And keep the golden dataset as an independent anchor: even if some noise slips through, human-curated must-pass rows catch the resulting drift. Common wrong answer: "collect more feedback to drown out the noise" — more unfiltered feedback adds more poison; you need filters plus the golden-dataset firewall, not volume.

Correct: Wrong-but-plausible answers returned with no error or slowdown