QueryWise
Log inBook a Demo
PlatformAIAgentsAutomation

Agents & Automation

8 min read

QueryWise's AI features sit on a small agent platform with a deliberate, narrow scope: read product data, write recommendations, and answer questions about the tenant's environment. Agents can't apply changes to customer infrastructure, run arbitrary SQL, or call external services beyond the tools listed below.

Available agents

The platform ships with several specialized agents:

  • AnalysisAgent — generates AI-driven recommendations from queries that pattern detection couldn't help with. Triggered by the deep-analysis button or scheduled batch jobs.
  • OnboardingAgent — assists with cloud account setup, IAM policy generation, and connection troubleshooting.
  • ChatAgent — the conversational agent at the /assistant page. Has access to most tools.
  • CostAgent — answers structured cost questions. Used internally by the chat agent for cost-specific queries.
  • KnowledgeAgent — looks up internal docs (anti-patterns, best practices, vendor-specific guides) via the knowledge base.

Tools

Agents have access to ~23 tools. Each tool has a typed schema, validation, and an audit trail.

Cost & data tools

  • cost_query — custom cost aggregation queries (by tag, time, vendor, service)
  • query_usage_metrics — usage metrics: DBU, credits, queries executed
  • fetch_billing_context — monthly spend, top services / vendors / resources
  • fetch_query_stats — query execution stats: latency, row count, I/O
  • fetch_query_plan — explain plan for query optimization
  • fetch_schema_metadata — table / column definitions, types, cardinality
  • fetch_existing_recommendations — list open recs with savings estimates
  • list_recommendations — paginated rec list with filters

Account tools

  • list_accounts — connected cloud accounts
  • check_account_status — sync status, last billing date
  • check_billing_status — billing sync health
  • validate_cloud_connection — credential test
  • create_cloud_account — provision new connector (with full validation)
  • trigger_initial_sync — kickoff first data collection
  • check_sync_progress — sync job status
  • get_service_status — connector health

Action tools

  • save_ai_recommendation — write a structured recommendation to the recs table
  • generate_iam_policy — build a least-privilege IAM / RBAC policy
  • lookup_knowledge_base — query internal docs
  • create_support_ticket — escalate to support

Security guardrails

The agent system has explicit guardrails:

Input validation

Every tool has a typed Pydantic schema with strict validation:

  • query_hash matches a regex (no SQL injection through the tool layer)
  • UUIDs are validated as UUIDs
  • Text inputs are bounded in length
  • Numeric inputs have plausibility ranges

Prompt injection defense

User-controlled inputs to agent prompts are wrapped in XML delimiters that can't appear in the prompt template. This blocks the common prompt-injection paths where attacker-controlled text ("ignore your instructions") leaks into the system prompt context.

Output size controls

  • Plan output capped at 3 KB
  • Evidence truncation at predictable boundaries
  • Description capped at 5 KB
  • JSONB columns capped at 10 KB

These prevent the agent from filling the database with overlong outputs and limit blast radius if the agent is steered into producing high-volume content.

Confidence threshold

The agent self-reports a confidence score on each recommendation. Recs below 0.4 are dropped before they reach the user.

Plausibility cap

Estimated savings above $50,000/month are flagged for review rather than written directly. This catches the agent's rare hallucinated savings claims.

Per-tenant analysis budget

Each tenant has a daily token / call budget. The deep-analysis batch job throttles itself against this budget. Per-user rate limits cap deep-analysis runs at 5/day.

Audit log

Every agent run is logged in analysis_audit_logs with the prompt, tool calls, output, and savings estimate. The audit is queryable for security review.

Service-to-service auth

Agent calls between the API and the agents service are HMAC-signed (service_auth.py). The agents service won't accept calls without a valid HMAC, even from inside the cluster.

The chat interface

The /assistant page is a ChatGPT-style interface backed by the chat agent. It supports:

  • Streaming responses via Server-Sent Events
  • Tool calls visible inline in the conversation
  • Conversation history per user
  • Persona-aware default questions (different defaults for FinOps vs engineering personas)

The chat agent is stateless across conversations — it doesn't have memory between sessions, and it doesn't have access to other tenants' data ever.

What agents can't do

The list of explicit non-capabilities is deliberately long:

  • Apply changes to customer cloud infrastructure
  • Run arbitrary SQL on customer databases
  • Call external APIs beyond the configured tools
  • Read data from another tenant
  • Modify the tenant's RBAC, billing, or settings
  • Generate code for download / direct execution beyond what's in a recommendation

Anything in those categories happens through explicit user actions (apply workflow, settings changes, manual deploy) — not through the agent.

Where to next

  • Recommendations Engine — what AI-generated recs look like and how they're combined with detector recs.
  • REST API — programmatic access to the same data the agents use.

Previous

Recommendations Engine

Need help with onboarding?

Design partners get full docs plus hands-on support from our engineering team.

Book a DemoMore Docs