Function Calling & Tool Use

In the previous lesson, you learned to spend reasoning effort on a decision made from supplied facts. One fact was deliberately missing: the latest carrier scan for order A10234. No amount of careful prompting can invent a trustworthy live scan. Software has to fetch it.

Function calling gives a language model a typed way to request that fetch. The model doesn't run the order API. It proposes an action such as get_order_status(order_id="A10234"); your runtime checks the request, executes an allowed tool, returns the observation, and asks the model to answer from the result.

This boundary is the start of agent engineering. Once an LLM can request reads or writes against real systems, correctness includes parsing, authorization, retries, side effects, latency, and evaluation of the whole trajectory.

A tool call is a request, not an execution

ShopFlow support agent Luna is handling ticket #48291: "My package is late. Where is it?" The assistant needs a live order lookup. A good loop has four visible events:

1. User asks a question that depends on external state.
2. Model emits a named action with typed arguments.
3. Runtime validates and executes that action.
4. Model receives the tool observation and writes a grounded reply.

This distinction matters. If the model requests create_refund, it still hasn't refunded anyone. Your application gets a final chance to reject a wrong customer, an ineligible order, a duplicate action, or a write that needs approval.

Define the smallest useful tool contract

A model chooses tools from the definitions you provide. Each definition needs a name, a description that says when to use it, and an argument schema. Keep the schema narrow: if a status lookup only needs an order ID, don't expose refund fields or free-form SQL.

The following logical definition is provider-neutral. Hosted APIs serialize similar information in their own request envelope.

A schema is a contract for shape. It helps the model construct a call and helps your runtime reject malformed input. It doesn't prove that the customer owns the order or that an action is permitted.

Parse and validate before dispatch

The model's output crosses a trust boundary. Even when an API offers constrained or strict structured output, your runtime still owns semantic validation and permission checks. Start with the simplest read-only dispatcher: accept one known tool, allow only named fields, and verify field types.

Notice that this validator doesn't attempt to repair a bad call silently. A rejected request becomes a structured observation, so the model may correct it on a later bounded turn.

Build the complete tool loop

Function calling becomes concrete only when you run the full state transition. In a hosted-model integration, the first model response contains a tool request and the second model response consumes a tool result. To keep this lab executable without credentials, the model below is scripted while the runtime path is real.

The transcript is the essential pattern: user message, assistant tool request, tool observation, assistant answer. Preserve a call ID so each observation stays linked to the request that produced it, especially when multiple reads run concurrently. Toolformer showed that models can learn where API calls help during generation, and ReAct made the reason/action/observation loop explicit for tool-using tasks.^[1][2] The engineering burden remains in your runtime.

Structure isn't permission

Valid arguments can still request a harmful or unauthorized action. A status lookup is read-only; create_refund changes customer money. Writes need more checks:

• caller owns the target order;
• order satisfies refund policy;
• amount is computed from trusted order data, not model text;
• a human confirms when policy requires approval; and
• an idempotency key prevents retrying the same write twice.

This is why schema enforcement isn't a security boundary. It can narrow a JSON shape; only application logic knows ownership, policy, approval, and whether a write already happened.

Return errors as observations, with limits

Tool calls fail in ordinary ways: the model uses an old field name, an order ID doesn't exist, or a service times out. A useful runtime returns a typed rejection rather than a stack trace. The next model turn can correct the request, but it should get only a small retry budget.

Correction is useful only while it changes the request. If a model repeats the same rejected call, stop before it burns external capacity or triggers repeated writes.

Track a turn cap, repeated-call detection, timeout budget, and cost budget for each request. A model that can't recover should return a safe fallback or hand the ticket to a person.

Parallelize independent reads, not dependent writes

Alex asks, "Compare my two shipments, A10234 and B77120." Those two status reads are independent. Your runtime may execute them concurrently after validating both calls. A request to cancel one shipment based on those results cannot run at the same time: the write depends on what the reads discover.

Concurrency saves elapsed time only when actions are independent. For writes on the same order, serialize execution and apply idempotency rules.

Expose a small allowed toolbox

As an agent grows, passing every internal action to the model wastes context and expands the space of possible mistakes. Filter for authorization first, then route among permitted tools relevant to the current request. Retrieval-augmented API selection appears in Gorilla, which evaluated models against large API collections.^[3]

Routing is not authorization. The allowlist is applied first. A highly relevant but forbidden write tool must stay unavailable.

Evaluate the trajectory, not just the final sentence

A pleasant answer can hide a wrong tool call, an unsafe write, or a result invented without an observation. Evaluate the events your runtime controls:

BFCL evaluates function-selection and executable calling behavior, while Tau-Bench examines longer, policy-constrained interactions with tools and users.^[4][5] Your own release gate needs the ShopFlow schemas and policy failures your users will hit.

Once correctness is scored, add serving constraints. A runtime that succeeds after ten retries is not ready for a customer-facing workflow.

The failed release is deliberate: one run exceeds latency and cost budgets even though aggregate success reaches the threshold. These fixtures test controller behavior, not model quality. Replace them with held-out tickets, actual model calls, sandboxed tool results, and labeled policy outcomes before shipping.

From local functions to reusable tools

This lesson used in-process Python functions because the execution boundary is easiest to understand there. Real agent products need many capabilities owned by different teams and consumed by more than one host. Rebuilding a custom adapter for every host and service does not scale.

The next lesson introduces the Model Context Protocol (MCP). The mental model stays the same: model proposes a typed action and a trusted runtime decides whether to execute it. MCP standardizes how hosts discover and invoke externally provided capabilities.

What to remember

• The model requests; runtime executes. Never give a text generator implicit authority over real effects.
• Schemas narrow shape, not policy. Validate ownership, eligibility, approvals, and idempotency before writes.
• Observations close the loop. A grounded answer must follow a returned tool result.
• Recovery needs budgets. Reject bad calls with structured errors, then cap retries, repeated actions, latency, and cost.
• Evaluate traces. Tool choice, arguments, results, safety, and serving cost all belong in the release gate.

Mastery check

Key concepts

• Tool call proposal versus application execution
• JSON-like input schemas and server-side validation
• Assistant request, tool observation, final-answer loop
• Read versus write permissions
• Confirmation and idempotency for side effects
• Structured errors and bounded correction
• Parallel safe reads and serialized writes
• Allowed-tool routing
• Trajectory-based evaluation
• Function calling as prerequisite for MCP

Evaluation rubric

• Foundational: Explains why a model cannot supply a live carrier scan without a tool observation.
• Intermediate: Defines and validates a narrow get_order_status contract.
• Intermediate: Implements a complete tool request, execution, observation, and answer loop.
• Advanced: Protects a refund write with ownership, policy, confirmation, and idempotency checks.
• Advanced: Builds a trajectory release gate with correctness, unsafe-write, round, and latency measures.

Common pitfalls

• Treating a tool call as a completed action: The assistant claims a refund happened before execution. Make the runtime return an observation before wording the result as complete.
• Trusting schema-valid writes: Correct JSON can still target the wrong order. Apply application authorization and policy checks.
• Blind retries: A rejected call repeats until budget is gone. Fingerprint rejected requests and cap tool rounds.
• Parallelizing effects: Two write calls race on the same order. Parallelize independent reads only.
• Scoring only the final sentence: A correct-looking answer can be ungrounded. Evaluate call, arguments, observation, and outcome.

Practice extension

Extend complete-tool-loop.py with a second read-only tool, get_return_policy(order_id), and a protected write tool, create_return_label(order_id). Build five labeled ticket fixtures: two straightforward status questions, one unknown order, one eligible return, and one ineligible return. Your artifact is a trajectory report containing final outcome, blocked writes, retries, tool rounds, and maximum latency for every fixture.