Sequential Chain-of-Agents Pipeline
- Sequential chain-of-agents pipelines are orchestration frameworks where specialized agents pass structured state and summaries sequentially.
- They balance explicit control-flow with bounded memory compression, ensuring efficient verification and reliable state propagation.
- Applications span long-context reasoning, GUI automation, security defenses, and traceable software workflows, boosting performance and safety.
A sequential chain-of-agents pipeline is an orchestration pattern in which multiple specialized agents or agent-like stages are invoked in ordered succession, with each stage consuming structured state, summaries, or outputs produced upstream and then emitting artifacts for downstream use. In the recent literature, the pattern appears in several closely related forms: declarative workflow DAGs whose default execution is sequential, long-context worker–manager chains that build bounded shared memory, post-generation guard pipelines, role-specialized Planner→Executor→Critic systems, and state-constrained business-process dispatchers (Daunis, 22 Dec 2025, Zhang et al., 2024, Barrak, 8 Oct 2025). Across these variants, the central design problem is not merely chaining calls, but specifying how state is represented, how downstream stages select and trust upstream information, and how sequential dependence is balanced against verification, routing, and efficiency.
1. Formalization and semantic foundations
One formalization models an agent workflow as a directed acyclic graph whose nodes are computational steps and whose edges are control-flow dependencies, while still treating pipelines as sequential compositions with structured control flow. In that formulation, a pipeline satisfies
with steps such as passVariables, setValue, forEach, when, function, toolRequest, addMessage, addResponse, and return, runtime state given by the variable store , response accumulator , and tool registry , and operational semantics defined by deterministic transition rules for assignments and branching (Daunis, 22 Dec 2025). The same source explicitly characterizes this as a formal, deterministic semantics for sequential chains of agents.
A second formalization, developed for long-context reasoning, treats a chain as latent-state approximation under bounded memory. Given chunk order , the memory state evolves as
and a final manager produces
This view emphasizes that sequential chains are not only workflow graphs but also information-compression processes, because the bounded summary state is lossy and therefore order-dependent (Gupta et al., 10 Mar 2026). Earlier Chain-of-Agents work expresses the same pattern operationally with worker agents that iteratively update a communication unit and a manager that answers from the final (Zhang et al., 2024).
Taken together, these models separate two analytically distinct aspects of sequential pipelines. The declarative view foregrounds explicit control-flow and typed dataflow, whereas the latent-state view foregrounds memory bottlenecks, order sensitivity, and approximation error. This suggests that “sequential” in current usage refers both to execution order and to a particular information geometry: downstream stages inherit compressed traces of prior computation rather than full joint access to all evidence.
2. Information flow, memory, and communication regimes
In early long-context chains, information moves through a single evolving communication artifact. Chain-of-Agents splits a long source into chunks, lets each worker read one chunk plus the previous communication unit, and passes forward an updated summary; the final manager consumes only the last communication unit rather than the full set of intermediates, because feeding all intermediate summaries can confuse the manager (Zhang et al., 2024). Under bounded memory, chunk order becomes algorithmically important, which motivates dependency-aware ordering. Chow–Liu Ordering for Long-Context Reasoning models chunk dependencies with an embedding-based maximum-weight spanning tree, roots that tree at the chunk most similar to the query, and uses breadth-first traversal to produce an order that empirically improves answer relevance and exact-match accuracy over both document order and simple semantic ranking (Gupta et al., 10 Mar 2026).
Later work relaxes the assumption that sequential chains must be strictly blocking. StreamMA replaces generate-then-transfer with step-level streaming: each reasoning step is forwarded as soon as it is emitted, enabling adjacent agents to pipeline their work. For a chain with agents and 0 steps per agent, the decode-dominated speedup upper bound simplifies to approximately
1
and the paper derives closed-form latency and cost ratios for serial, stream, and single-agent protocols (Yang et al., 3 Jun 2026). The same work argues that streaming can improve effectiveness as well as latency because early reasoning steps are often more reliable than later ones.
A different route to overlapped sequentiality appears in embodied and GUI settings. Auras disaggregates perception and generation, introduces a public context buffer shared by both, and uses controlled pipeline parallelism plus fetch offsets to mitigate staleness while increasing thinking frequency (Zhang et al., 11 Sep 2025). The multimodal workflow-execution framework with Adaptive Graph-based RAG likewise structures online execution as a repeated chain of Global Planner → Subgoal Planner → Observation Agent → Decision Agent → Verifier Agent → Environment Execution → Narrator, with a closed-loop collaborative verification protocol and graph-grounded retrieval over prior trajectories (Cifani et al., 27 May 2026).
The sequential chain is therefore no longer a single communication primitive. It may pass typed variables, natural-language summaries, streamed reasoning steps, graph-grounded trajectories, or shared public context. This suggests that modern chain design is increasingly about selecting the right communication substrate rather than merely deciding how many agents to place in series.
3. Canonical architectural forms
The pattern is domain-general and recurs across orchestration, security, software engineering, recommendation, GUI automation, and procedural generation (Daunis, 22 Dec 2025, Hossain et al., 16 Sep 2025, Barrak, 8 Oct 2025, Cifani et al., 27 May 2026, Long et al., 1 Sep 2025, Li et al., 2 Apr 2026).
| Setting | Sequential pattern | Notable property |
|---|---|---|
| Declarative LLM workflow | Product search → Personalization → Cart management | \<50 lines of DSL vs 500+ imperative |
| Prompt-injection defense | Domain LLM → Guard → Buffers | ASR reduced to 0% |
| Role-specialized review | Planner → Executor → Critic | structured, accountable handoff |
| GUI workflow execution | Planner → Observer → Decision → Verifier → Narrator | closed-loop collaborative verification |
| Cloud-device recommendation | AG → SP → SEM/STR → CR → FR | partial parallel execution |
| Garden construction | Terrain → Road → Asset Selection → Layout Optimization | text input within one minute |
In declarative orchestration, the chain is usually represented as a pipeline whose outputs become named variables for later steps. The e-commerce example in the DSL paper uses query → searchProducts → productList, then productList + userContext → personalizeProducts → personalizedList, then personalizedList + cart → cartManager → updatedCart, with responses accumulated in order and optional conditional sub-pipelines for cart updates (Daunis, 22 Dec 2025). Here the chain is explicit, typed, and intended to be backend-independent through a JSON intermediate representation.
In security, the chain acts as defense-in-depth. The prompt-injection defense framework defines a post-generation sequence in which a Domain LLM produces candidate output 2, a Guard agent applies policy checks to obtain 3, and optional Buffer-1 and Buffer-2 components enforce additional validation before release (Hossain et al., 16 Sep 2025). The key architectural property is role separation: the task model is not the policy model.
In traceability-oriented software pipelines, the Planner→Executor→Critic pattern is deliberately role-specialized. The Planner proposes an initial answer, the Executor revises or confirms it conditional on the Planner’s output, and the Critic reviews both prior stages to produce the final answer used for evaluation (Barrak, 8 Oct 2025). In GUI and mobile execution, the chain is longer and cyclic at the control level: planning, observation, decision, verification, execution, and narration recur until the goal is satisfied (Cifani et al., 27 May 2026). In recommendation, CDA4Rec decomposes a recommendation request into Abstract Generation, Strategy Planning, Semantic Modeling, Candidate Retrieval, Structured User Modeling, Final Ranking, and optional Explanation Generation, allocating cloud-heavy and privacy-sensitive stages to different agents while preserving a logically sequential control path (Long et al., 1 Sep 2025). In GardenDesigner, the chain is purely constructive: terrain first, then roads, then asset selection, then layout optimization under spatial constraints (Li et al., 2 Apr 2026).
These examples show that the same label covers at least three distinct engineering idioms: sequential transformation of shared state, sequential review of prior answers, and sequential decomposition of a larger task into heterogeneous subsystems. A plausible implication is that “chain-of-agents” is best understood as a family resemblance term rather than a single protocol.
4. Safety, traceability, and governance
Sequential pipelines are often motivated by the fact that errors can silently pass from one stage to the next. One response is explicit workflow governance. SDOF treats multi-agent execution as a constrained state machine 4, where stages such as init, src, int, off, onb, and close define legal business states and intent-stage binding requires stage legality 5 before an intent can be executed. Its StateAwareDispatcher then performs stage-filtered skill selection, precondition validation, postcondition application, and transition checks before any tool call is allowed. On a recruitment workflow backed by the Beisen iTalent platform, SDOF reaches 86.5% task completion with a 95% confidence interval of 80.8 to 90.7, blocks all 22 operations in the injection, illegal HR subset, and attains message-level blocking precision 100%, recall 88%, and expert agreement 6 (Wang, 20 Apr 2026).
A second response is traceable role specialization. In the Planner→Executor→Critic study, accountability is operationalized through per-stage records and explicit blame flags: planner_error, executor_repair, executor_harm, critic_repair, critic_harm, and an origin label indicating whether final failure came from the Planner, Executor, Critic, or none. The paper reports clear role-specific asymmetries, including Claude as a strong Executor with 10.01% repair and 0.25% harm, GPT-4o as a higher-variance Critic with 5.20% repair and 0.89% harm, and Gemini as the steadiest Planner by error rate (Barrak, 8 Oct 2025).
A third response is probabilistic reliability modeling from traces. TraceToChain fits execution traces to an absorbing DTMC 7, derives first-passage reliability quantities such as pass8, pass9, and the reliability decay curve from a single success-time distribution, and adds diagnostics via AIC, KS goodness-of-fit, Dirichlet-posterior credible intervals, and bootstrap intervals. On seven controlled frameworks with a strict 50/50 fit/test protocol, held-out empirical RDCs overlay analytic counterparts with max 0, median 1, and KS acceptance on 7/7 frameworks with minimum 2 (Tran-Truong et al., 27 Apr 2026).
These strands converge on a common conclusion: in sequential pipelines, correctness is not only a property of final output. It is also a property of stage legality, precondition satisfaction, repair-versus-harm behavior, and the trace distribution over intermediate states.
5. Evaluation regimes and reported performance
Reported outcomes vary sharply by domain, but a recurring empirical pattern is that carefully engineered sequential chains outperform simpler monolithic or loosely coupled alternatives. In the PayPal e-commerce deployment of the declarative DSL, the system processes millions of daily interactions, reduces development time by approximately 60–67%, improves deployment velocity by approximately 3×, keeps orchestration overhead sub-100ms, and reports overall P95 latency of 185 ms versus 240 ms for the imperative baseline; the declarative version is also described as 16 hours and 220 LOC versus 48 hours and 850 LOC, with complex sequences completed in 6 steps versus 11 (Daunis, 22 Dec 2025).
In security evaluation, the prompt-injection defense framework tests 55 unique attacks across 8 categories and 400 total attack instances on ChatGLM and Llama2. Without defense, baseline Attack Success Rates reach 30% for ChatGLM and 20% for Llama2; with the Guard agent enabled, ASR is reduced to 0% across all tested scenarios, including direct overrides, code execution attempts, data exfiltration, obfuscation, and delegation attacks (Hossain et al., 16 Sep 2025).
In long-context reasoning, Chain-of-Agents reports improvements by up to 10% over RAG, Full-Context, and multi-agent baselines across question answering, summarization, and code completion. On text-unicorn, for example, HotpotQA rises from 51.09 for Vanilla and 58.01 for RAG to 62.04 for CoA, while RepoBench-P rises from 53.87 for Vanilla and 50.49 for RAG to 60.39 for CoA (Zhang et al., 2024). In GUI workflow execution, the graph-centered multimodal framework reports Overall AMS = 56.4% versus 47.7% for PG-Agent (72B), raises Success Rate from 0.42% for PG-Agent 30B to 1.55%, and reaches 1.54% SR versus 0.0% in Multi-Apps (Cifani et al., 27 May 2026). In cloud-device recommendation, CDA4Rec reports Movie HR@10 of 0.0423 versus 0.0401 for LSC4Rec and inference time of 42–93 ms versus 677–1501 ms for LSC4Rec (Long et al., 1 Sep 2025).
Software-oriented evaluations add an important caution. SWE-Chain reports average 44.8% resolving, 65.4% precision, and 50.2% F1 under the Build+Fix regime, with Claude-Opus-4.7 reaching 60.8% resolving, 80.6% precision, and 68.5% F1 (Lam et al., 14 May 2026). SWE-STEPS, however, shows that isolated PR evaluation can overshoot realistic stateful performance by as much as 20 percentage points, because it ignores spillover effects, growing regression surfaces, and repository-health degradation over dependent PR chains (Shastry et al., 3 Apr 2026).
The significance of these results is not that sequential chaining is universally superior, but that benefits emerge when the chain is matched to the task regime: declarative state passing for production workflows, post-generation filtering for adversarial inputs, bounded-memory aggregation for long context, and stateful evaluation for software evolution.
6. Limitations, misconceptions, and research directions
A common misconception is that a sequential chain-of-agents pipeline is necessarily static and linear. The surveyed systems contradict that assumption. Declarative workflows can include forEach, when, typed sub-pipelines, and dependency-aware parallel execution; AnyMAC explicitly rejects fixed graph wiring in favor of sequential next-agent prediction and next-context selection; and StreamMA shows that even a chain topology can be step-streamed rather than run in blocking generate-then-transfer mode (Daunis, 22 Dec 2025, Wang et al., 21 Jun 2025, Yang et al., 3 Jun 2026). This suggests that “sequential” describes ordering constraints more than it describes rigidity.
A second misconception is that more intermediate reasoning always helps if it is preserved faithfully. For answer extraction from model-generated reasoning traces, line-level shuffling reduces accuracy by less than 0.5 percentage points, word-level shuffling retains 62%–89% accuracy, and masking numeric digits collapses accuracy to exactly 0%, while masking alphabetic prose improves accuracy by 4.7 percentage points in one setting (Chen et al., 8 May 2026). That result does not imply that execution pipelines are order-insensitive in general, but it does qualify the assumption that every intermediate token in a dense sequential trace is indispensable.
The literature also identifies substantive limitations. The declarative DSL intentionally restricts recursion and arbitrary code, so highly dynamic control flow requires custom functions and partially breaks declarativity; more sophisticated distributed multi-agent coordination and long-term memory remain future work (Daunis, 22 Dec 2025). In prompt-injection defense, every query triggers at least two LLM calls plus optional buffers, increasing latency and raising an over-filtering risk even though preserved functionality was reported in the tested scenarios (Hossain et al., 16 Sep 2025). In software evolution, stateful chains can accumulate spillover, goal drift, cognitive complexity, and technical debt; agents may solve previous issues rather than current ones, and human baselines often show flatter or negative slopes in complexity and SQALE where agents show positive slopes (Shastry et al., 3 Apr 2026). Dependency-aware ordering methods mitigate bounded-memory loss, but their success depends on the quality of the dependency proxy; Chow–Liu ordering can underperform dense ranking when BM25 is used as the similarity signal (Gupta et al., 10 Mar 2026).
Future directions are correspondingly diverse. The declarative workflow paper points to adaptive pipeline synthesis, formal verification, distributed agent teams, and neurosymbolic integration (Daunis, 22 Dec 2025). StreamMA identifies a step-level scaling law in which increasing per-agent steps improves both effectiveness and efficiency, providing a scaling dimension orthogonal to agent count (Yang et al., 3 Jun 2026). SDOF identifies automatic FSM derivation, deeper workflow evaluation, and stronger GoalManager governance as open problems (Wang, 20 Apr 2026). The overall trajectory suggests that sequential chain-of-agents pipelines are evolving from hand-wired prompt chains into auditable, typed, state-aware, and increasingly learnable coordination substrates.