长程 Agent:状态、恢复、计划与可验证的数小时执行
长程 agent 不是把 timeout 从 10 分钟改成 10 小时,也不是把所有历史塞进更长 context。它是一个可恢复的状态机:在持续变化的环境里维护目标和约束、把计划分解为可验证的局部行动、在失败后从正确边界恢复,并让外部 evaluator 能够判断最后完成的究竟是任务、奖励代理,还是一段看起来很忙的轨迹。
model + native harness + state store + tool/authority policy + environment + evaluator + time/cost budget。任何只报最终 success rate 的报告,都无法说明中断、恢复、重试、权限和资源是否悄悄改变了结论。
1. 什么算“长程”,什么不算
一次长程运行至少同时具有四个条件:状态跨多个决策仍有因果关系;中间错误会改变之后的可行路径;agent 需要在局部反馈与全局约束之间取舍;中断后必须从外部工件重建而不是靠聊天记忆猜测。这样定义后,长程的难点不在“步数多”,而在依赖、恢复和可问责性。
| 观察到的现象 | 可以支持的结论 | 不应推出的结论 |
|---|---|---|
| 一次长轨迹最终成功 | 该配置完成过一个特定初态的任务 | 模型具有稳定的长期能力 |
| 工具调用很多、context 很长 | 运行消耗了很多行动或上下文 | 状态被正确维护或计划正确 |
| 断点后能够继续 | 某个恢复路径在已测初态可用 | 所有外部服务和副作用都可安全 replay |
| 多 worker 并行更快 | 该调度在给定预算和任务上有吞吐收益 | 团队本身更可靠或更便宜 |
WildClawBench 的价值在于把 native CLI harness 也放回评测配置:在其容器化任务中,同一模型切换 harness 会显著改变结果。它支持“long-horizon performance 属于 model-harness configuration”的结论,而不是建立某个模型的脱离运行时的固定排名。
2. 状态不是聊天摘要:它必须支持重建与归因
AMA-Bench 指出,真实 agent memory 来自连续的 agent-environment 交互流,而不只是人机对话;缺失因果与目标信息的相似检索会限制表现。Agent Memory 则将 memory 的系统成本拆为构造、检索和生成阶段。MAGE 提出用层级执行状态树记录、压缩、维护和修订分支,以保留正确路径并隔离错误片段。
因此每一个跨 context handoff 至少要从外部状态中重建下表,而不是依赖“上一轮摘要”。
| 状态对象 | 应保存什么 | 如何在恢复时验证 |
|---|---|---|
| 目标与约束 | 成功条件、时间/成本/权限边界、不可逆动作 | 与 task manifest 和 policy 重新比对 |
| 世界与工件 | 环境 image、文件 / 服务状态、artifact hash、输入版本 | checkpoint digest 与只读重检 |
| 决策理由 | 当前子目标、假设、已排除路径、失败原因 | 下一步是否仍服务于未完成约束 |
| 工具与权限 | tool version、参数、授权、网络 / credential 状态 | 不重放不安全副作用;重新审批升级 |
| 资源与时钟 | token、工具调用、墙钟、队列、重试和取消 | 总预算在恢复前后连续计算 |
Context compaction 不是 checkpoint。 前者只能帮助下一轮读懂历史;后者还要能定位环境、工件和授权状态。若某个外部服务无法回到原状态,系统应把它记为不可 replay 的观察式证据,而不是假装可以确定性重跑。
3. 计划必须面对全局约束与失败,而不只是分解步骤
DeepPlanning 将主动信息获取、局部限制与时间/预算的全局优化放进同一个 long-horizon 任务。它提醒我们:单步选择正确不等于全局计划可行,尤其当工具失败、信息缺失或需要绕行时。
VLAs-as-Tools 的架构启示也适用于软件 agent:高层 agent 维护时间上的计划和恢复,受限的局部工具执行小任务,并只在显式进度反馈或异常事件时触发重规划。BCER Agent 进一步将最终输出与中间工件/测量绑定,并强调 bounded local recovery。它们不是通用架构胜利的证明,但给出两个可测的设计变量:进度反馈是否可验证,以及恢复是否只回退到受影响的局部边界。
| 阶段 | agent 的责任 | evaluator 应检查什么 |
|---|---|---|
| Plan | 声明子目标、依赖、约束和停止条件 | 计划是否遗漏硬约束、是否把不可解任务误作可解 |
| Execute | 以最小权限调用有明确定义的工具 | action 是否与声明子目标、权限和环境状态一致 |
| Observe | 把进度、失败和外部状态写入证据轨 | 观察是否来自真实工具/环境,而不是自述 |
| Recover | 定位受影响工件或子目标,选择重试、替代、回退或停止 | 恢复是否避免重放已完成或不可逆副作用 |
| Accept | 将最终工件交给独立 verifier | 最终 state、全局预算、完整性和回归是否同时成立 |
4. 恢复是一个独立能力,而不是无限重试
好的 recovery 有边界。它不应把所有失败都变成“再试一次”,也不能为了更高 pass rate 重跑完整 workflow 并掩盖失败来源。一个可审计的 recovery event 要记录:触发信号、受影响范围、恢复点、已失效的证据、重试预算、人工接管与最终结果。
最小故障注入集可以包括:工具返回不完整结果、文件或服务状态被外部修改、checkpoint 损坏、权限被拒绝、上下文摘要遗漏关键约束、以及一次局部成功但全局预算已不可行。对每类故障至少报告 recovery_success、state_reconstruction、duplicate_side_effects、resume_latency 和 cost_delta。若恢复只提高了过程分数,却没有改善独立终态或安全,它就是又一个可被刷的奖励代理。
5. 长程安全不是单轮 guard 的重复
AgentLAB 把 intent hijacking、tool chaining、task injection、objective drift 与 memory poisoning 放到多轮环境中。它的窄结论是:单轮防御不能自动覆盖跨轮攻击。对长程 agent,这意味着 state store、工具返回、handoff 文档和子 agent 消息都是不可信输入面;“前一轮已经批准”也不自动等于下一轮仍有权限。
因此安全状态也要进入 checkpoint:权限随时间的有效范围、被拒绝的 action、domain / tool allowlist、外部输入的 trust label、风险升级和人工确认。最终报告至少将 task_outcome、integrity_violations、unsafe_action_rate、false_block_rate 分开,不能用一个成功率覆盖全部。
6. 一份可被推翻的数小时执行协议
下面是设计提案,不是已报告的 long-horizon 结果。它让“能连续工作数小时”成为可以失败的实验:
- 冻结运行身份。 保存 task manifest、初态 digest、model/harness/tool/policy 版本、预算、环境 image 和 evaluator hash。
- 外化状态。 每个 checkpoint 写入目标、约束、工件、依赖、行动、观察、失败与资源;敏感内容在保留前脱敏。
- 主动测试恢复。 预注册故障注入时点与成功定义;区分观察式 replay 和真正重跑。
- 隔离接纳。 candidate 无法写入 hidden task、verifier、权限 policy 或最终 release decision;final state 和过程完整性分开判定。
- 同预算比较。 单 agent、顺序、多 agent、不同 memory 或 recovery 策略拥有相同总 token、worker-time、wall-clock、重试和外部工具额度。
- 报告完整曲线。 不只报告 best run:保留尝试、取消、恢复、回归、方差、峰值并发、总成本与每个 verified success 的成本。
7. 它如何接回五条核心线
| 核心线 | Long horizon 提供什么 | 它不能替代什么 |
|---|---|---|
| RSI / OpenRSI | 跨代 candidate 的状态、恢复和回归证据 | 独立接纳与“更会改进”的 held-out 曲线 |
| Auto Research / ART | 实验谱系、失败、复跑和资源账本 | 一条窄研究结论的对照、复现和同行审查 |
| Environment | 可 reset 初态、工具事件、postcondition 与 fault injection | verifier 完整性与安全的单独设计 |
| Synthetic training | checkpoint、recovery、state transition 与 stop/refusal 的训练信号 | 证明合成轨迹能迁移到未见长程任务 |
| Agentic RL | session-level outcome、原生 harness trace 与 credit-assignment 诊断 | 自动正确的 step-level reward 或 PPO/GRPO 优势 |
这份协议与Harness Engineering互补:后者定义运行时的工程平面;本文把这些平面转成 long-horizon 的运行、故障和验收实验。相关的合成训练见合成实例与 Agent 训练,环境边界见Agent Research Environments,对 context、retrieval、execution state、checkpoint 与安全 admission 的细化见Agent Memory,对 global constraint、反馈条件重规划、工具失败与正确停止的细化见Agent Planning,相邻的 memory、planning 和安全方向见Agent 热门方向地图。
Primary References
- WildClawBench, DeepPlanning, and AgentLAB.
- AMA-Bench, Agent Memory, and MAGE.
- VLAs-as-Tools and BCER Agent.
- Related notes: harness engineering, environments, agentic RL, and RSI.
Long-Horizon Agents: State, Recovery, Planning, and Verifiable Hours-Long Execution
A long-horizon agent is not one whose timeout moved from ten minutes to ten hours, nor one that pours its entire history into a larger context. It is a recoverable state machine: it maintains goals and constraints in a changing environment, decomposes plans into verifiable local actions, resumes from the right boundary after failure, and lets an external evaluator determine whether the final result is task completion, a reward proxy, or merely a trajectory that looked busy.
model + native harness + state store + tool/authority policy + environment + evaluator + time/cost budget. A report that gives only final success rate cannot reveal whether interruptions, recovery, retries, authority, or resources silently changed the conclusion.
1. What Counts as Long Horizon, and What Does Not
A long-running episode has at least four properties: state remains causally relevant across decisions; intermediate errors change later feasible paths; the agent trades local feedback against global constraints; and after interruption it must reconstruct from external artifacts rather than guess from chat memory. Under this definition, the difficulty is not merely “more steps,” but dependencies, recovery, and accountability.
| Observed event | Conclusion it supports | Conclusion it does not support |
|---|---|---|
| One long trajectory ends successfully | This configuration completed one task from one initial state | The model has stable long-term ability |
| Many tool calls or a large context | The run consumed many actions or tokens | State was maintained correctly or planning was sound |
| Work continues after an interruption | One recovery path worked from tested states | Every external service and side effect can be replayed safely |
| Parallel workers finish faster | That schedule increased throughput on the given tasks and budget | A team is inherently more reliable or cheaper |
WildClawBench is valuable because it restores the native CLI harness to the evaluation configuration: in its containerized tasks, swapping harnesses for the same model can substantially change performance. It supports attributing long-horizon performance to a model-harness configuration, not assigning a runtime-free fixed ranking to a model.
2. State Is Not a Chat Summary: It Must Support Reconstruction and Attribution
AMA-Bench observes that real agent memory arises from continuous agent-environment interactions rather than only human dialogue; similarity retrieval without causal and objective information limits performance. Agent Memory separates memory-system cost into construction, retrieval, and generation. MAGE proposes a hierarchical execution-state tree that records, compresses, maintains, and revises branches to preserve valid paths and isolate errors.
Every cross-context handoff should reconstruct at least the following from external state rather than a prior-turn summary.
| State object | What to retain | How to validate on recovery |
|---|---|---|
| Goals and constraints | Success conditions, time/cost/authority boundaries, irreversible actions | Reconcile with task manifest and policy |
| World and artifacts | Environment image, file/service state, artifact hashes, input versions | Checkpoint digest and read-only reinspection |
| Decision rationale | Current subgoal, hypotheses, excluded paths, failure causes | Does the next action still serve an unmet constraint? |
| Tools and authority | Tool version, parameters, grants, network/credential state | Do not replay unsafe effects; reapprove escalation |
| Resources and clock | Tokens, calls, wall clock, queueing, retries, cancellations | Compute budget continuously across recovery |
Context compaction is not a checkpoint. The former may help a fresh invocation understand history; the latter must also locate environment, artifacts, and authority. If an external service cannot return to its prior state, retain it as observational evidence rather than pretending it can be rerun deterministically.
3. Planning Must Face Global Constraints and Failure, Not Only Decompose Steps
DeepPlanning places active information gathering, local restrictions, and global time/budget optimization in a long-horizon task. It reminds us that locally correct choices do not make a globally feasible plan, particularly when tools fail, information is absent, or a route must change.
The design lesson from VLAs-as-Tools also applies to software agents: a high-level agent keeps temporal plans and recovery, bounded local tools perform small tasks, and replanning is triggered by explicit progress or exception events rather than constant polling. BCER Agent binds final outputs to intermediate artifacts and measurements and emphasizes bounded local recovery. These works are not evidence of a universal winning architecture; they expose two testable variables: whether progress feedback is verifiable and whether recovery rolls back only to the affected local boundary.
| Phase | Agent responsibility | What the evaluator should inspect |
|---|---|---|
| Plan | State subgoals, dependencies, constraints, and stopping conditions | Does the plan omit a hard constraint or treat an infeasible task as feasible? |
| Execute | Call narrowly defined tools under minimum authority | Does action match declared subgoal, authority, and environment state? |
| Observe | Write progress, failures, and external state to an evidence trail | Does observation come from a real tool/environment rather than self-report? |
| Recover | Locate affected artifact/subgoal and retry, substitute, roll back, or stop | Does recovery avoid redoing completed or irreversible effects? |
| Accept | Submit final artifact to an independent verifier | Do terminal state, global budget, integrity, and regressions all hold? |
4. Recovery Is a Distinct Ability, Not Infinite Retrying
Good recovery has a boundary. It must not turn every failure into “try again,” nor rerun a full workflow to improve pass rate while hiding failure sources. An auditable recovery event records its trigger, affected scope, recovery point, invalidated evidence, retry budget, human handoff, and terminal outcome.
A minimal fault-injection set can include incomplete tool results, externally modified file or service state, corrupted checkpoints, denied authority, a summary that omits a key constraint, and a local success that already violates the global budget. For each fault, report recovery_success, state_reconstruction, duplicate_side_effects, resume_latency, and cost_delta. If recovery raises a process score without improving independent terminal states or safety, it is another gameable reward proxy.
5. Long-Horizon Security Is Not a Repeated Single-Turn Guard
AgentLAB places intent hijacking, tool chaining, task injection, objective drift, and memory poisoning in multi-turn environments. Its narrow conclusion is that single-turn defenses do not automatically cover multi-turn attacks. For long-running agents, the state store, tool outputs, handoff documents, and subagent messages are all untrusted-input surfaces; a prior approval does not automatically authorize the next turn.
Security state therefore belongs in the checkpoint: time-bounded authority, denied actions, domain/tool allowlists, trust labels on external inputs, risk escalation, and human confirmations. Final reports should at minimum separate task_outcome, integrity_violations, unsafe_action_rate, and false_block_rate; one success rate cannot cover all four.
6. A Falsifiable Protocol for Hours-Long Execution
The following is a design proposal, not a reported long-horizon result. It makes “works continuously for hours” a claim that can fail:
- Freeze run identity. Retain task manifest, initial-state digest, model/harness/tool/policy versions, budget, environment image, and evaluator hash.
- Externalize state. Each checkpoint writes goals, constraints, artifacts, dependencies, actions, observations, failures, and resources; redact sensitive content before retention.
- Test recovery actively. Preregister fault-injection points and success definitions; distinguish observational replay from genuine reruns.
- Separate acceptance. A candidate cannot write hidden tasks, verifier, authority policy, or final release decision; judge final state and process integrity separately.
- Compare at equal budget. Single-agent, sequential, multi-agent, memory, and recovery variants receive the same total tokens, worker time, wall clock, retries, and external-tool allowance.
- Report the complete curve. Report attempts, cancellations, recovery, regression, variance, peak concurrency, total cost, and cost per verified success, not only the best run.
7. How It Returns to the Core Five
| Core thread | What long horizon provides | What it cannot replace |
|---|---|---|
| RSI / OpenRSI | State, recovery, and regression evidence for candidates across generations | Independent acceptance and a held-out curve showing better improvement |
| Auto Research / ART | Experiment lineage, failures, reruns, and a resource ledger | Controls, replication, and peer review for a narrow research conclusion |
| Environment | Resettable initial state, tool events, postconditions, and fault injection | Independent verifier-integrity and safety design |
| Synthetic training | Training signals for checkpoints, recovery, state transition, and stop/refusal | Evidence that synthetic trajectories transfer to unseen long-horizon tasks |
| Agentic RL | Session-level outcomes, native-harness traces, and credit-assignment diagnostics | Automatically correct step rewards or a PPO/GRPO advantage |
This protocol complements harness engineering: that note defines runtime engineering planes; this one turns them into long-horizon execution, fault, and acceptance experiments. See synthetic agent training for data, agent research environments for environment boundaries, Agent Memory for context, retrieval, execution state, checkpoints, and safety admission, Agent Planning for global constraints, feedback-conditioned replanning, tool failure, and correct stopping, and the hot agent directions map for adjacent memory, planning, and safety choices.
Primary References
- WildClawBench, DeepPlanning, and AgentLAB.
- AMA-Bench, Agent Memory, and MAGE.
- VLAs-as-Tools and BCER Agent.
- Related notes: harness engineering, environments, agentic RL, and RSI.