Back to Blogs
Deep Dive

Software Can Talk: How the Wall Between Humans and Machines Finally Broke

Arjunagi A. Rehman · 14 min read ·
HCI AI Agents MCP Architecture Open Source

In a previous deep dive, I traced the arc of human-machine communication from punch cards to LLMs. The longer I sit with where we've actually landed, the more I think calling this a UX upgrade undersells it. What we're living through is a philosophical inversion of the oldest contract in computing.

For sixty years, software was silent. It rendered. It waited. It obeyed — but only if you spoke its language, navigated its menus, and clicked its buttons in the right sequence. Every interface revolution from punch cards to touchscreens was the same exercise in different costume: humans accommodating machines.

That contract is broken.

Software can talk now. It can listen. It can reason about what you mean, not just what you typed. The page you're on talks back if you ask it to — /agent is this essay's argument made operational.

The Old Contract: You Shall Learn My Language

Every generation of computing demanded humans internalize a machine's logic.

The CLI required syntax memorization. The GUI required spatial metaphors — folders, windows, drag-and-drop. Mobile required gestures. Enterprise software — ERPs, CRMs, HRMS platforms — required weeks of training, certification programs, and fat user manuals.

The cognitive load was always on the human side.

If you wanted to file a purchase order in SAP, you needed the transaction code. If you wanted to filter a Salesforce report, you needed to know which object held which field. If you wanted to pivot in Excel, you had to think in cell references and nested functions.

None of this was the computer understanding you. All of it was you understanding the computer.

For decades, software design rested on one implicit deal: the user must translate their intent into the system's grammar. Every dropdown, wizard, and tooltip was an attempt to make that translation less painful. The burden never moved.

The Rupture: Software Learns Your Language Instead

LLMs didn't just improve search or make chatbots less infuriating. They inverted the oldest power dynamic in computing.

Software can now receive input in pure human language — ambiguous, context-dependent, imprecise — and figure out what to do. The user no longer translates intent into the system's grammar. The system translates the user's grammar into intent.

In the old world, a hospital admin filing a PM-JAY claim navigated five screens, knew the module name, the menu path, the mandatory fields, and the file format. In the new world, they say:

prompt User intent — 2026 
"File a PM-JAY claim for patient 4471, dialysis April 20,
 attach last week's pathology report."

And the system acts.

The user's job has changed. It's no longer about remembering which page to go to. It's about asking — in plain language, with clarity.

Clarity replaces navigation. That's the new contract.

How I Made This Site Talk

The previous deep dive argued that natural-language was the next paradigm. This one is about what happens when you actually ship into that paradigm — so let me show, not tell.

If you go to /agent, you can ask my AI persona about my projects, essays, or thinking. It answers in first person. With inline citations. Streamed token by token. The same agent is exposed as an MCP endpoint at mcp.arjunagiarehman.com/mcp — Claude Desktop, Cursor, mcp-inspector, anything that speaks Streamable HTTP can hit it directly.

The whole thing is open source. About 500 lines of handler code. 133 offline tests. One Bun binary.

Here's how it works — and more importantly, what it deliberately doesn't do.

Markdown-as-data, not vector embeddings

Most teams building knowledge agents reach for a vector DB first. Pinecone, Weaviate, Qdrant, pgvector. Chunk your content, embed it, query by similarity. It works — but it's overkill for a knowledge base of a few dozen entries, and it makes your content opaque. You can't git diff an embedding.

I went the other way.

Each "node" in my knowledge base is a markdown file with YAML frontmatter:

markdown mcp-server/nodes/projects/kalrav-ai.md 
---
id: kalrav-ai
source: project
url: /projects/kalrav
summary: >
  Built Kalrav.AI, a vertical AI agent platform serving 10+ live
  e-commerce customers — domain embedding beats model quality.
---

## What is Kalrav.AI?

Kalrav.AI is an enterprise AI agent platform I built for e-commerce
operators. Instead of asking a store owner to integrate with a generic
LLM playground, give them an agent that already knows their stack...

The 120-character summary is the only thing the router LLM sees. The full body is what the responder LLM reads. Both are versioned, code-reviewable, forkable like any other content. No database. No embedding pipeline. No vector index to keep in sync with the source of truth — the markdown is the source of truth.

Two-LLM pipeline, not one big model

The flow is deliberate:

flow /ask request lifecycle 
POST /ask  ──►  Router (Claude Haiku 4.5)
                  reads node SUMMARIES only
                  picks 2-3 relevant node IDs (JSON mode)
                       │
                       ▼
                Fetch full node bodies from in-memory cache
                       │
                       ▼
                Responder (Claude Sonnet 4.5)
                  wraps node bodies in <node_body> delimiters
                  composes cited answer in first person
                  streams tokens via SSE
                       │
                       ▼
                { answer, citations[], noMatch, latencyMs }

Haiku is cheap and fast. It's perfect for the routing decision: of these N summaries, which 2-3 are relevant? That's a classification problem dressed up as retrieval.

Sonnet is the writer. It receives only the selected node bodies, wrapped in <node_body> delimiters with role-marker escaping (so any prompt injection inside content gets neutralized before the model sees it). It composes a streamed answer in my voice, with inline [id] citations.

A final post-processor strips phantom citations the model invented. If Sonnet cites [chotuai] but the router never returned chotuai, the citation is stripped before it reaches the user.

This is router + responder, not dense RAG. Deterministic and legible, not fuzzy.

MCP from day one

The same pipeline serves two transports:

  • POST /ask — JSON SSE for the browser UI on /agent. CORS-locked to my origins.
  • ALL /mcp — spec-compliant Streamable HTTP (2025-03-26) for any MCP client. IP rate-limited, bot-UA filtered.

I didn't bolt MCP on later. The endpoint is the agent's primary public interface. The browser UI is one client among many.

That's the bet I'm making about where this is going: agents call other agents. If your agent only speaks HTTP-with-CORS, you've already cut yourself off from half the ecosystem that's emerging.

Safety as a first-class layer, not an afterthought

Every dollar an agent costs you can be turned into infinite dollars by an attacker. Three things I shipped before any prompt-injection paper made me nervous:

Rate Limiter

In-memory token bucket per IP, separate buckets for /ask and /mcp, returns 429 with Retry-After. Default 10 req/minute — tight, but tunable per env without redeploy.

Kill Switch

AGENT_DISABLED=1 short-circuits every endpoint to a degraded response with zero LLM spend. Resolved per-request, so the env edit takes effect instantly. The panic button when the spend dashboard is slow.

Prompt-Injection Hardening

Node bodies wrapped in <node_body> delimiters; <system>, <user>, <assistant> markers and nested closers all neutralized before Sonnet sees the content. The system prompt explicitly treats node content as data, not instructions.

The one thing not in the repo: a hard monthly spend cap. That lives in Anthropic's dashboard. AGENT_DISABLED is the panic button when the dashboard's slow.

The lesson the agent stack taught me

You don't need GraphRAG. You don't need a vector DB. You don't need a thirty-step LangChain pipeline.

You need:

  • A small, well-curated knowledge base in a format you control
  • A cheap router model to pick what's relevant
  • A capable responder model to compose the answer
  • A clean transport that plays nice with the agent ecosystem (MCP)
  • Safety rails before the abuse arrives, not after

That's the whole thing. The 90% of "agentic" complexity people ship is technical insecurity dressed up as architecture.

Keep your knowledge base in markdown. Pick your model per task. Stream the response. Wrap user-influenced content in delimiters. Ship.

Beyond the Website Agent: When Software Acts

A knowledge agent that answers is the easy half. The harder half is when software doesn't just talk — it acts.

That's where Kalrav.AI sits.

Kalrav is a vertical AI agent platform I built for e-commerce. Ten-plus live customers running 24/7 conversations on WordPress, Shopify, and WooCommerce. The agent doesn't just answer "what's your return policy?" — it processes the return. It searches the catalog. It tracks the order. It logs the conversation to Zoho or Salesforce and flags high-intent users for human follow-up.

The architectural insight that drove Kalrav: domain embedding beats model quality for most business workflows. A horizontally generic assistant doesn't know the difference between a product variant and a product category. Kalrav does. That's the moat.

This is also where UCP (Universal Commerce Protocol) comes in — a separate stack I built so any AI agent can discover, authenticate, and transact with any UCP-compliant merchant from one URL. The shopping agent in that stack has zero store-specific code. Drop in /.well-known/ucp and it figures out browse, checkout, and order tracking from the manifest.

Different products, same underlying shift: the user describes intent, the agent decomposes into actions, the platform executes. The orchestration layer between human brain and system API used to be the user. Now it's the agent.

What Changes for the User

If clarity replaces navigation, the skill that mattered for forty years stops mattering.

Power users used to build spatial memory — keyboard shortcuts, menu paths, screen layouts. Institutional knowledge in enterprises was often just knowing which screen held which field in which module. That kind of knowledge is now worthless. The user who memorized the menu structure has no advantage over the user who can articulate intent clearly.

The new scarce resource is articulation: decomposing a goal into clear, actionable language. Specifying constraints. Knowing what "done" looks like.

This is closer to managing a capable junior colleague than it is to using software. You need to be specific about what you want, clear about the success condition, and willing to inspect the output before approving it.

The CLI never died — it became the substrate underneath every GUI. The GUI isn't dying either — it's becoming the substrate underneath every natural-language layer. What's changing is the entry point: just say what you mean.

What Changes for the Builder

Every product team I talk to is wrestling with the same question: do we add a chat widget?

That's the wrong question.

The right question is: where in our workflow does the user's intent get translated into our system's grammar — and can we move that translation into the agent layer?

A chat widget glued onto a CRUD app is decoration. An agent that takes "schedule a follow-up call with the diabetic patients who missed last week's dialysis session" and decomposes it into database queries, calendar API calls, and notification triggers — that's a product change.

The first version is harder than it looks because the orchestration layer isn't a chatbot framework. It's your domain model exposed as tools the LLM can reason over. Function calling. Structured outputs. Validated inputs. Reversible actions where possible. Idempotent operations. All the boring backend hygiene that has nothing to do with AI but determines whether your "agent" is a demo or a product.

The companies that win this layer won't be the ones with the slickest UI. They'll be the ones with the cleanest tool surface — domain models exposed as well-documented, machine-readable APIs an agent can compose against.

The Risks I Take Seriously

Three risks I genuinely think about, not the hype-cycle list:

Hallucination at confidence. When software talks confidently, users trust it. An agent that fabricates a patient ID, misquotes a policy number, or invents a citation is more dangerous than an agent that throws an error. The mitigation is structural: ground the model in retrieved context, strip phantom outputs in post-processing, and fail loudly when confidence is low. That's why the responder on this site post-processes citations against the router's output instead of trusting Sonnet's text.

Attack surface scales with capability. When an agent has shell access, browser control, and email, a single prompt injection or auth flaw becomes the front door. Shipping <node_body> delimiters and a kill switch isn't paranoia — it's table stakes for anything user-facing.

Skill atrophy is asymmetric. Karpathy himself said his ability to write code by hand is degrading. That's manageable for him because his judgment is intact. It's dangerous for a junior who never built that judgment in the first place. The same dynamic will hit every domain that AI agents touch — and the gap between looks like an expert and is an expert will widen quietly until an incident exposes it. (This is the thread I pulled on harder in From Coders to Owners.)

The Era of Asking

The wall is broken.

For sixty years, humans accommodated machines — learning their languages, memorizing their interfaces, organizing our thinking around their data structures. Now machines accommodate humans. Same shift, same direction, every layer: knowledge agents on websites, vertical agents in business software, personal assistants on phones, coding agents in IDEs, design agents on canvases.

No software is silent anymore.

This isn't a feature cycle. It's a reorientation of the entire relationship between humans and the tools they build. The question stops being how do I use this software? and becomes what do I want? — and the only skill that matters is the clarity with which you answer.

I built /agent on this site because I wanted to live the bet. Open source. Forkable. About 500 lines. If you're reading this thinking I should do this for my own site — yes, you should. Fork the repo, swap the markdown nodes, ship it. You'll learn more about agent architecture in a weekend of doing this than a month of reading about it.

The era of clicking is giving way to the era of asking.

The people who'll thrive aren't the ones who know the most keyboard shortcuts. They're the ones who can think clearly, speak precisely, and ask the right questions.

Software can talk now. The question is whether we can learn to ask.

The Inversion, at a Glance

What the contract between humans and software looked like through every era — and what each one selected for.

1960s
The CLI Era Humans memorized syntax. Exact commands, exact order, exact grammar. Powerful, unforgiving, unlimited — if you spoke the dialect. The interface was a translation layer; the user paid the cost. Syntax · Composability · Expert-Only
1980s
The GUI Era Spatial memory replaced syntax memory. Folders, windows, drag-and-drop. Friendly, accessible, bounded by what the designer anticipated. The cost moved from grammar to geography — but stayed on the human. WIMP · Spatial Memory · Anticipated Paths
2010s
Enterprise Bloat ERPs, CRMs, HRMS. Weeks of training. Certifications. Manuals. Institutional knowledge was often just knowing which screen held which field in which module. The cost compounded. SAP · Salesforce · Training-Heavy · Module-Bound
2024+
The Inversion The system translates the user's grammar into intent. Spatial memory becomes worthless. Articulation becomes the scarce skill. Knowledge bases become markdown the agent reads. Domain models become tools the LLM composes. The translation layer moved to the machine side. The wall is broken. LLMs · MCP · Function Calling · Articulation