Skip to main content
Terraforming the Cloud Logo Logo Animated
Terraforming the Cloud

Pi.Dev: Minimal Agent Architecture for the Cloud-Native Ecosystem

·2806 words·14 mins
Ai Devops Kubernetes Cloud-Native Agents Architecture Developer Tools
Roberto Tazzoli
Author
Roberto Tazzoli
Passionate about declarative infrastructure, self-hosting, and Kubernetes.
Table of Contents

Introduction: The Frustration of Walled Gardens
#

When working on a complex infrastructure like TazLab — a nomadic ecosystem built on Talos Kubernetes, GitOps with Flux CD, and a reduced attack surface through Zero Trust — the need for intelligent automation becomes critical quickly. I am not talking about procedural automation (that is solved with Terragrunt and Ansible), but about cognitive assistance: an AI agent capable of reading project context, reasoning about dependencies, suggesting refactors, and debugging complex orchestration issues.

Initially, I tried to solve this problem by relying on mainstream tools: Google’s Gemini CLI and Cloud Code. Both promised native integration with Gemini APIs and a smooth workflow. However, after weeks of intensive use, I ran into structural limitations that made it impossible to adapt them to TazLab’s requirements.

This analysis documents my path toward Pi.Dev (pi-coding-agent), a minimal but radically configurable tool I adopted as the foundation for building specialized agents. The comparison is not academic: it reflects concrete needs that emerged from managing a home lab in production.

Phase 1: The Limits of “Convenience-First” Solutions
#

Gemini CLI: Power Limited by Architectural Choices
#

Gemini CLI is Google’s official tool for interacting with Gemini models via the command line. My first impression was positive: it supports multi-modality (text, images, video), manages persistent sessions, and integrates the Model Context Protocol (MCP) to extend capabilities through external servers.

Conceptual Deep-Dive: Model Context Protocol (MCP) The Model Context Protocol is a JSON-RPC protocol that allows AI agents to invoke external “tools” (functions exposed by remote or local servers). For example, an MCP server can provide tools for querying a Postgres database, searching a vector knowledge base, or reading metrics from Prometheus. The protocol supports two transport modes: Stdio (inter-process communication on the same machine via stdin/stdout) and SSE (Server-Sent Events over HTTP, for distributed integrations).

The problem with Gemini CLI surfaces when you want to do more than Google anticipated. Here are the limitations I encountered:

  1. Chronic slowness: Even on the Pro plan, Gemini CLI is noticeably slow. Responses arrive with significant latency — sometimes tens of seconds for queries that require context reading from the cluster. In an iterative debugging workflow, where you query the agent multiple times to refine a diagnosis, this slowness becomes a tangible drag on productivity.

  2. Rigid extensibility via MCP: Although Gemini CLI supports MCP, configuration is limited to a JSON file (settings.json) that specifies which external servers to invoke. It is not possible to inject custom logic directly into the agent loop without going through a separate MCP server. This means that if I wanted an agent that, for example, automatically read Flux CD logs from the Kubernetes cluster before answering a question, I had to build a dedicated MCP server to expose that tool — for every single feature.

  3. No control over the system prompt: Gemini CLI uses a hard-coded system prompt. It is not possible to modify it to instruct the agent about project-specific conventions (for example, “When writing Kubernetes manifests, always use Kustomize instead of Helm” or “For every commit, add a git note with the timestamp”). This drastically limits specialization.

Cloud Code: Speed at the Cost of Quota
#

Cloud Code is the next tool I tried — from the terminal, not as a VS Code extension which does not fit my workflow. The difference compared to Gemini CLI is immediate: responses are noticeably faster. For someone working on infrastructures like TazLab, where every query involves reading controller logs, Flux state, and kubectl output, response speed is not a cosmetic detail.

The problem is plan sustainability. On the Pro plan, a Kubernetes debugging session — reading kustomize-controller logs, validating manifests, iterating on a Flux issue — is enough to exhaust the quota. I struggle to get past two hours of intensive work before hitting the limit.

Why Cloud Code was not sustainable for TazLab:

  1. Unsustainable quota for Kubernetes workloads: The Pro plan depletes rapidly on tasks requiring intensive context. A single Flux debugging session consumes enough to block you for the rest of the day. This is not an edge case: it is the norm for anyone working on complex infrastructures.

  2. No scripting capability: I cannot invoke Cloud Code from a Bash script to automate repetitive tasks. It is a closed conversational interface, not composable in pipelines.

  3. Vendor Lock-In: The entire ecosystem pushes toward Google Cloud services. This philosophy is the opposite of TazLab’s, where digital sovereignty is a foundational principle. I do not want my ability to work to depend on the availability — or the generosity of the plan — of an external cloud service.

Phase 2: Discovering Pi.Dev — Unix Philosophy for AI Agents
#

After weeks of frustration, I started looking for alternatives that would satisfy these requirements:

  • Radical extensibility: The ability to modify every aspect of agent behavior.
  • Modularity: Support for multiple specialized agents, each with its own system prompt and tool set.
  • Multi-model: The ability to use different models (Anthropic Claude, Google Gemini, OpenAI, Ollama) depending on the task. Key is native support for OpenRouter, which provides access to practically any model available on the market with a single API key. One of the planned experiments is a systematic benchmark of frontier models on Kubernetes contexts — to determine which offer the best quality/cost ratio for tasks like Flux debugging, manifest analysis, and configuration generation.
  • Scripting-friendly: Usable both interactively and in automated pipelines.
  • Minimal: No dependencies on IDEs or heavy frameworks.

Digging through open-source projects and community experiments, I arrived at Pi.Dev (pi-coding-agent). The analogy I often use to describe it: Pi.Dev is to Gemini CLI/Cloud Code what Neovim is to Visual Studio Code. It is minimal, configurable down to the finest detail, and requires an initial investment to master, but pays off with total flexibility.

It is worth adding a piece of context: OpenClaw, the coding agent that has gained considerable attention in the developer community in recent months, is built on Pi.Dev. This is not a marginal detail — it means the framework I use as a foundation has already proven it can hold up under real production loads and ambitions.

Anatomy of Pi.Dev: Component-Based Architecture
#

Pi.Dev is written in TypeScript and distributed as an npm package. The architecture is based on three fundamental concepts:

  1. Agent: An AI instance with a specific system prompt, an associated model, and a set of available tools.
  2. Skill: Reusable modules that add contextual capabilities (e.g., “when the user asks to work on Kubernetes, load instructions from the KUBERNETES.md file”).
  3. Extension: Custom functions (tools) the agent can invoke, written in TypeScript and integrated through a simple interface.

Conceptual Deep-Dive: Agent vs Assistant vs Tool It is important to distinguish the levels of abstraction. An Assistant (like Gemini or Claude) is the underlying model, provided by a vendor (Google, Anthropic). An Agent is a specific configuration of that assistant, with a system prompt and a set of tools. For example, I can have an agent called “k8s-debugger” that uses the claude-sonnet-4 model, with a system prompt that instructs it to always read Flux logs before responding, and with access to custom tools for querying Prometheus. A Tool is a function the agent can invoke. Pi.Dev allows defining tools both as extensions (local code) and as skills (predefined bundles of prompt + tools).

The key difference is the philosophical approach. Gemini CLI and Cloud Code are finished products — tools designed for a mainstream use case and then sealed. Pi.Dev is a toolkit — it provides the building blocks (conversation management, model invocation, MCP protocol) and lets the user construct their own agent architecture.

Phase 3: Use Cases — Specialized Agents for the Kubernetes Ecosystem
#

Once I understood Pi.Dev’s potential, I started mapping the concrete use cases for TazLab. Here are two I am exploring:

Case 1: The “Blog Writer” Agent (This Article)
#

The first agent I configured is the one writing this article. Its system prompt (CLAUDE.md in the repository) instructs it to:

  • Read the existing blog documentation (~/kubernetes/blog-src/content/posts/) to understand the style.
  • Follow a structured template (Introduction → Phases → Reflections).
  • Expand each technical concept with “Deep-Dive” paragraphs.
  • Use a professional first-person singular tone.

This agent uses Anthropic’s claude-sonnet-4 model because it excels at long, structured technical writing. When I ask it to write an article, it autonomously reads existing examples, identifies the appropriate tags, and generates a complete Markdown file with TOML frontmatter.

Why this would not have been possible with Gemini CLI: With Gemini CLI, I would have had to:

  1. Build an MCP server exposing a “read_blog_posts” tool.
  2. Launch the server in the background.
  3. Configure Gemini CLI to connect to the server.
  4. Manually write the system prompt every time, because I cannot save it in the configuration.
  5. Parse the text output and save it manually.

With Pi.Dev, all of this is configured once in the agent file, and every invocation is automatic.

Case 2: The “K8s Watchdog” Agent — Proactive Cluster Surveillance
#

The second use case is the most ambitious: a pod with a minimal version of Pi.Dev deployed inside the Kubernetes cluster, acting as a general-purpose watchdog over all critical infrastructure components.

The architecture is a Kubernetes CronJob with a configurable interval — probably between ten and thirty minutes. On each run, the agent queries the cluster on multiple fronts using the in-cluster client with a strict RBAC ServiceAccount: read-only access to resources, logs, and events.

Monitoring scope:

  • GitOps (Flux): HelmRelease, Kustomization, GitRepository state. Detects failed reconciliations, stalled resources, or revisions lagging behind the latest in the repository.
  • Storage (Longhorn): Volume health, replica state, recent backups. Identifies volumes in degraded state or without snapshots within the expected interval.
  • Database: Critical database pods (Postgres/CrunchyPostgres and other StatefulSets). Verifies they are Running, with no abnormal restarts and a responding liveness probe.
  • General pods: Any pod in CrashLoopBackOff, OOMKilled, ImagePullBackOff, or with a restart count above a configurable threshold.

Operational flow:

  • Nominal: If everything is healthy, produces a concise report and terminates.
  • Anomaly detected: Switches to investigative mode — reads correlated Kubernetes events, logs from the failing component, and the state of dependent resources.
  • Elevated cause: If a pod restarts too frequently, correlates with OOMKilled events, memory limits, and application logs. If a Longhorn volume is degraded, verifies node and replica state.
  • Structured report: Probable diagnosis, ordered list of options to verify manually, and concrete solutions to evaluate — without applying anything autonomously.

The distinction is deliberate: the agent has full visibility but zero executive power. The goal is not to create an autonomous system that could worsen an already critical situation, but to reduce triaging from “I read everything myself” to “I read the report and decide.”

Expected model: an affordable model via OpenRouter — the analysis scope is broad but structured, and execution frequency makes cost per token a non-negotiable constraint.

Architectural Reflections: Toward an “Agent-Aware” Infrastructure
#

Adopting Pi.Dev is changing how I think about TazLab’s architecture. Traditionally, automation was divided into two categories:

  1. Procedural automation (Bash scripts, Terragrunt, Ansible) — repeatable, deterministic tasks.
  2. Human intervention (debugging, architectural decisions, refactoring) — tasks requiring reasoning.

With configurable AI agents, a third category emerges: cognitive automation. Tasks that require reasoning but can be delegated to an agent given the right context.

The Trust Boundary Problem
#

However, this introduces a critical security challenge. An in-cluster AI agent with access to kubectl and cluster APIs potentially has the power to destroy the entire infrastructure. How do I manage this trust boundary?

Approaches I am exploring:

  1. Strict RBAC: The in-cluster agent runs with a Kubernetes ServiceAccount with limited permissions. For example, it can read metrics and logs, but cannot delete resources or modify critical ConfigMaps.

  2. Complete Audit Trail: Every agent action is logged immutably (Loki + S3 backup). If the agent performs a destructive action, I can reconstruct the chain of events.

  3. Human-in-the-Loop for Critical Actions: The agent can propose changes (e.g., “Here is a PR to scale Longhorn storage”), but application requires human approval via GitOps.

  4. Sandbox Environments: Before deploying an agent to production, I test it on a staging cluster (TazLab’s “Green” cluster, not yet documented).

The “Agent-as-Operator” Pattern
#

A traditional Kubernetes Operator (written in Go with controller-runtime) reconciles a desired state declared in CRDs. The idea of an “Agent-as-Operator” is different: the agent does not reconcile a declared state, but responds to events and makes contextual decisions.

Concrete example:

  • Traditional Operator: “If the PVC exceeds 80% utilization, increase its size to X GB (hard-coded value).”
  • Agent-as-Operator: “If the PVC exceeds 80%, analyze the growth patterns over the last 7 days, verify available storage budget, consult backup logs to ensure recoverability, and propose an optimal scaling plan.”

This pattern does not replace traditional Operators (which are more efficient for deterministic tasks), but complements them for scenarios requiring flexibility.

Phase 4: What’s Missing — Gaps and Future Directions
#

Despite the (measured) enthusiasm for Pi.Dev, there are clear gaps I am addressing:

Gap 1: Cost per Token and Multi-Model Orchestration
#

Using different models for different tasks is powerful, but it introduces budgeting complexity. Claude Sonnet is expensive (approximately $3 per million input tokens), while Gemini Flash is nearly free. I need to build logic for:

  • Intelligent routing: simple tasks → affordable model, complex tasks → capable model.
  • Cost monitoring: a dashboard tracking how many tokens I consume per agent/task.

Pi.Dev does not provide this out-of-the-box. I am exploring integration with tools like LangSmith or building a custom dashboard with Prometheus + Grafana.

Gap 2: Agent Testing and Validation
#

How do I test that an agent works correctly? With traditional code, I write unit tests. With an AI agent, behavior is probabilistic. I am experimenting with:

  • Golden Tests: I run the agent on known problems (e.g., “Debug this Flux error I know is caused by malformed YAML”) and verify the output contains the expected keywords.
  • Regression Tests: Every time the agent resolves a problem, I save the input/output as a test case. If I change the system prompt, I re-run the tests to verify that desired behaviors have not regressed.

Gap 3: Persistent State for In-Cluster Agents
#

An agent in a Kubernetes pod is by definition ephemeral. If the pod crashes, it loses the conversation memory. For long-running agents, I need to implement persistent state. Options:

  • External database (Postgres): I save the conversation history and context.
  • Kubernetes ConfigMap: For lightweight state (configurations, task queue).

Conclusion: A Choice of Technical Sovereignty
#

Adopting Pi.Dev over Gemini CLI or Cloud Code was not driven by open-source fanaticism or an aversion to Google. It was a pragmatic choice based on TazLab’s architectural requirements:

  1. Extensibility: I need agents that behave exactly as I want, not as a BigTech product manager decided.
  2. Multi-Model: I want to choose the optimal model for each task, not be locked into an ecosystem.
  3. Deep Integration: Agents must live inside my ecosystem (TazPod, Kubernetes, Mnemosyne), not in a cloud walled garden.
  4. Sovereignty: I want to understand and control every aspect of the system, from the system prompt to the communication protocol.

Pi.Dev, with its minimal and configurable philosophy, meets these requirements. It is the Neovim of AI coding agents: it has a steep learning curve, requires an initial investment, but pays off with total control.

While writing this article (via the “blog-writer” agent built on Pi.Dev), I am still learning. The documentation is fragmented, some features are experimental, and there are edge cases to resolve. But that is precisely the point: I have the ability to resolve them. With Gemini CLI, if a feature does not exist, I can only open a GitHub issue and hope. With Pi.Dev, I can open the code, understand how it works, and contribute the patch.

This is the kind of technical empowerment I was looking for when I started the TazLab project. Adding Pi.Dev to the arsenal represents another step toward a truly sovereign ecosystem, where every component — from the OS (Talos) to the vault (TazPod) to memory (Mnemosyne) to agents (Pi.Dev) — is controllable, inspectable, and modifiable.

In the next articles, I will document the concrete implementation of the “K8s Watchdog” and the first results of the comparative benchmark of models on Kubernetes tasks. If this comparative analysis has intrigued you, I invite you to explore Pi.Dev and consider whether the philosophy of “minimal but radically configurable tool” fits your workflow.

Note for readers: This article was written by a Pi.Dev agent configured as “Home Lab Blogger.” The irony is intentional — it is a practical demonstration of the article’s thesis. The agent autonomously read previous blog articles, identified the correct format, generated the TOML frontmatter, and produced this text following the style rules defined in its system prompt. The process was: pi --agent blog-writer --task "Scrivi analisi comparativa su Pi.Dev vs Gemini CLI/Cloud Code". Generation time: ~3 minutes. Cost: ~$0.15 (Claude Sonnet 4, ~50k output tokens). +++

 Enterprise Monitoring in a Home Lab: The (Uphill) Road to Stateless Grafana and Prometheus AGENTS.ctx: Context Management for AI Agents Without Re-Explaining Everything 

Comments