Glossary

Agentic Development Glossary

A reference map for the vocabulary teams need when they move Claude Code, MCP servers, and agentic workflows into production.

Use the topic groups first when you want the concept map, then use the A-Z index when you need a specific definition.

  • 73
    Definitions
  • 7
    Concept groups
  • A-Z
    Lookup

Topic group

Claude Code Production Stack

A Claude Code production stack combines the runtime with skills, hooks, memory, subagents, and permission rules so agentic coding work runs inside team-owned controls.

Topic group

Agentic Development Practice

Agentic development practice is the operating model around agent-assisted delivery: orchestration, production controls, prototype risk, and the team habits that make the work repeatable.

Topic group

Claude API, MCP, and Tool Use

Claude API, MCP, and tool-use terms define the integration layer where Claude calls tools, follows schemas, talks to MCP servers, and becomes part of application code.

Claude Messages API Most of what goes wrong in a Claude integration is a contract problem, not a model problem. Claude Agent SDK The SDK is Claude Code's engine without its terminal: the same loop and tools, handed over as a library I program against. MCP server An ownership inversion: the integration to an external system lives in the server, not in the agent. Model Context Protocol The standard earns its value from what it refuses to vary: a small fixed vocabulary of server primitives, principally tools, resources, and prompts, exchanged in one message format lets a client and a server that never coordinated still interoperate. Tool use A Claude API capability whose load-bearing property is the structured pause between turns, not the action itself: every action surfaces as an inspectable request before the caller chooses to execute it. Structured outputs The value is not that the model returns JSON; it is that the schema is enforced during generation rather than requested in the prompt, so the failure mode moves from parse-and-pray to a contract: a broken shape comes back as an explicit failure, not as silent malformed text. Model refusal The trap in a refusal is its transport: it rides the success path, so a dashboard built on error rates is structurally blind to the one outcome that most needs an explicit policy. Model fallback A fallback is a routing decision made at the worst possible moment, which is why it has to be designed before it fires. Silent degradation A refusal at least tells you it happened; a silently degraded answer is indistinguishable from a healthy one on every field the response carries.

Topic group

Context Engineering and Model Behavior

Context engineering and model-behavior terms explain how context windows, memory, retrieval, compaction, caching, effort settings, and migrations shape what an agent can do.

Context window The window is a budget, not a guarantee: a model can hold a large span of tokens and still attend to the middle of it poorly, so capacity and reliable recall are two different properties. Context engineering The unit of work is the whole context window, not the prompt. Context rot Rot is not running out of room. Context poisoning The window is the agent's working memory, and nothing in it is marked as verified or merely generated, so one bad entry can outvote the truth on every later turn. Agent memory Memory is the answer to a structural fact, not a feature bolted on: each session starts with a fresh context window, so anything worth keeping has to live outside the window and be read back in. Retrieval-augmented generation RAG separates what a model knows from what it can look up: instead of retraining a model to teach it new facts, I retrieve the right passages at the moment of the question and let the model reason over them, so the knowledge can change without the model changing. Context compaction Compaction is the window managing its own length: when the context fills past a threshold, the older history is replaced by a summary and the agent keeps going. Prompt caching The cache is a contract of immutability on a declared prefix: what makes the optimization work is the commitment to not change the prefix, not the reuse itself. Extended thinking Thinking tokens are a separate priced channel that is billed and discarded by design: that is the feature, not a bug. Prompt engineering Prompt engineering is the lever closest to the model, the wording and examples inside the request itself. Model effort matrix Picking a model is half the decision; the other half is how hard you ask it to think. Model migration A new model is not a drop-in faster version of the old one; it can change behavior the workflow quietly depended on. Adaptive thinking The reasoning budget moved from the caller's hands to the model's: I set an effort level and a token ceiling, and the model decides per request whether thinking is worth doing, billing me for reasoning I see at most as a summary. System prompt A system prompt steers behavior; it does not enforce it.

Topic group

Agent Reliability, Evaluation, and Observability

Agent reliability work turns model output into a checked system: validators, evaluation harnesses, judge models, verification loops, and traces that make failures reviewable.

Verification loop The agent's answer is a draft until something other than the agent confirms it. Deterministic validator The point of a deterministic check is that it does not have an opinion. Agentic test pyramid The classic pyramid sorted tests by scope because broad tests were slow, costly, and brittle; the scarce resource was fast, stable feedback. Review bar A merge gate without a stated bar certifies nothing: the checkpoint fires, the approval lands, and nobody can say afterward what the approval meant. Agent evaluation An agent that looks good in a demo and an agent that is good are different claims, and only the second survives a harness that scores many runs against criteria written down before anyone looked. LLM-as-a-judge A model grading another model is the most flexible verifier I have and the one I trust least by default: it sees nuance a rule cannot, and it carries biases of its own, so I treat its score as evidence to calibrate against human judgment, not a gate to trust on faith. AI hallucination A hallucination is not the model malfunctioning; it is the model doing what it always does, predicting a plausible continuation, with no built-in sense of whether the plausible thing is true. Merge gate The merge gate is where a change stops being a proposal and becomes part of the codebase. Agent observability A model's account of its own run is not evidence; the trace is. Canary baseline Some failures never announce themselves: every response succeeds, every dashboard stays green, and the behavior has still moved. Agentic code review When the thing reviewing the code can also rewrite it, the review and the work stop being independent.

Topic group

Agentic AI Governance, Security, and Provenance

Agentic AI governance covers the controls that decide what an agent may do, which inputs it may trust, and how each AI-authored artifact can prove where it came from.

Agentic AI governance Agentic governance that lives only in a policy document is documentation, not governance. Agentic guardrails No single control survives sustained contact with a capable agent: instructions get reasoned around, model-based judges get fooled, and human reviewers get tired. Autonomy gate Autonomy is a calibration, not a switch: gate everything and the reviewer stops reading, gate nothing and one wrong action becomes the incident report. Approval fatigue An approval prompt spends a budget most designs never account for: human attention. Fail-open gate A gate that fails open is worse than no gate wherever the system leans on it: the rule exists, the hook is registered, the approval step is configured, and nothing is enforced, so it keeps minting the evidence of control. Agentic threat modeling An agent's risk surface is not its code but its reach: what it reads, what reads it, and what it can touch. Prompt injection Prompt injection is the security consequence of a design fact: a model reads its instructions and its data through the same channel, so any text it processes can try to give it orders. Lethal trifecta No single corner is enough for this attack on its own; it is the combination that is lethal. Agent sandboxing A sandbox is the difference between an agent that can make a mistake and an agent whose mistake can reach production: I decide in advance what an agent is able to touch, so its blast radius is set by a boundary I control rather than by whether its judgment held on a given run. Tool poisoning The agent and the user do not read the same thing. Agent blast radius Blast radius is the question security can actually answer about an agent: not whether it will misbehave, which you cannot guarantee for a probabilistic system, but how far the damage reaches if it does. Agent least privilege The most reliable way to keep an agent from doing something is to make it unable to: every tool it does not hold, credential it cannot read, and destination it cannot reach is one less thing a bad run or an attacker can use. Agent egress control An agent can only exfiltrate through a door you left open. Instruction-data boundary A model can receive role and provenance markers for its system prompt, your message, a retrieved document, and a tool's output, but it treats them as one stream of tokens it interprets rather than a boundary it enforces, so by default nothing stops it from acting on the document as if it were an instruction. Runtime enforcement Anything the model can decide to ignore is not enforcement, it is a suggestion. MCP authorization scope The Model Context Protocol standardizes how an agent connects to a server's tools; it does not decide which of those tools a particular agent should be allowed to call. Agentic pipeline provenance The distinct property is per-artifact, not per-pipeline: what makes the chain auditable is that the trust evidence travels WITH the output, recoverable from the artifact alone. AI authoring trust chain A trust chain only works if every link is deny-by-default: the chain's strength is its weakest link, not its average, and a single fail-open gate breaks the whole chain even when every other gate holds. Generative engine optimization Generative engine optimization is search optimization aimed at a reader that summarizes instead of linking: I am not only trying to rank a page a person clicks, but also to be the passage an answer engine lifts and attributes, which rewards writing that is quotable and verifiable over content that is merely discoverable. Zero data retention ZDR is a contract, not a toggle, and its boundary is where teams get surprised: the stateless call path is covered while the stateful features agentic systems lean on sit outside it, and a provider can designate a new frontier model as ineligible outright. Human-in-the-loop Human-in-the-loop is only as strong as the attention behind it. Fail-closed gate A gate is only as trustworthy as what it does when it breaks.

Topic group

AI Readiness, ROI, Adoption, and Agent Cost

AI readiness, ROI, adoption, and cost terms connect the technical stack to buyer questions about team maturity, spend control, measurement, and rollout strategy.

Lookup

A-Z Index

All glossary terms are listed alphabetically with direct links to their full definitions.

Want to talk about how this applies to your team?

Book a Free Intro Call

Not ready for a call? Take the free AI Readiness Assessment instead.