Skip to main content

Documentation Index

Fetch the complete documentation index at: https://gpars.io/llms.txt

Use this file to discover all available pages before exploring further.

Version0.1.0
StatusDraft
Date2026-03-04

Abstract

An agent is general-purpose when its capabilities are not limited by what is embedded inside it. GPARS achieves this by mandating that all environment-modifying operations go through MCP-compliant servers, not embedded tools. Agents declare their requirements via a manifest, and authorization is enforced by the user at the Action Plane boundary — agents cannot self-authorize or self-assert their identity.

What is GPARS?

The General-Purpose Agent Reference Standard (GPARS) defines a normative structure for separating cognitive agents from external action providers using the Model Context Protocol (MCP). Current agent systems — even those leveraging MCP — embed tool implementations directly within the agent loop. This creates tight coupling between reasoning and execution, produces vendor-specific behavior, and prevents true portability. A general-purpose agent cannot presume intrinsic capabilities; it must operate across environments by composing externalized services. GPARS establishes a strict separation between cognition and action: all Environment-Modifying Operations MUST be externalized through MCP-compliant servers. Agents declare their intended capabilities via a machine-readable manifest, while environments provide a composable and governable tool surface.
This specification targets MCP 2025-11-25 (latest stable revision at time of writing). Future GPARS versions MAY update this dependency as MCP evolves.

Key principles

Cognition / Action separation

Agents reason internally but act exclusively through MCP servers. No embedded tools that touch the environment.

User-owned security

The user controls the Action Plane and defines what agents are permitted to do. Agents cannot self-authorize.

Declarative manifests

Agents declare intended capabilities. The manifest is descriptive, not an authorization grant.

Discovery-based authorization

Agents discover their permission boundaries by receiving denials, just like OS processes.