Skip to main content
GPARS defines two planes separated by a hard boundary. The Cognitive Plane is where the agent reasons. The Action Plane is where operations execute. The Action Plane is owned by the user and is the sole authority over what agents are permitted to do within it.
Cognitive Plane
Agent Runtime
Agent Loopreasoning · internal tools
Manifestvalidation · resolution
MCP Clientsoutbound requests
Internal Cognitive State only — no direct environment access
MCP
Plane Boundary

user-controlled enforcement point

identity verificationpolicy evaluationrequest routing
Action Planeowned by user
bashserver
filesystemserver
databaseserver
gitserver
OS · network · hardware · storage
The boundary between planes is the central architectural constraint of GPARS. The Cognitive Plane MUST NOT perform Environment-Modifying Operations directly. All such operations MUST cross the boundary via MCP. The user’s security policy governs what the agent is permitted to do once operations reach the Action Plane.

Cognitive Plane

Contains the Agent Runtime and the Agent.

Agent Runtime

The Runtime is the execution environment for the agent. It:
  • MUST receive and validate the agent manifest before the agent loop begins.
  • MUST resolve required MCP registry identifiers.
  • MUST manage MCP client instances for outbound requests.
The Runtime belongs to the Cognitive Plane. It is NOT a security enforcement point — it is under the control of the agent developer or framework, not the user. Authorization is enforced at the Action Plane boundary.

Agent

The Agent:
  • MUST perform all Environment-Modifying Operations exclusively through MCP.
  • MUST NOT embed tool implementations that modify or retrieve Environment State.
  • MAY embed tools that operate solely within Internal Cognitive State (e.g., sleep/wait, internal scheduling, retry logic, loop control).
The Cognitive Plane is confined to Internal Cognitive State (ICS). Everything the agent does that does not cross the MCP boundary is cognition. Everything that crosses the boundary is action. GPARS does not restrict what happens inside the Cognitive Plane — only what crosses the boundary.

Action Plane

The Action Plane is owned by the user. It contains the user’s data, systems, and infrastructure. The user is the authority over what agents are permitted to do within it — just as a system administrator controls what users can do on a machine. The Action Plane contains:
  • Security Policy — user-defined rules governing agent permissions (see Security policy).
  • MCP Servers — capability providers that execute operations on behalf of agents.
  • Infrastructure — OS, network, hardware, storage that MCP servers operate on.
MCP Servers:
  • MUST NOT be required to interpret GPARS manifests or security policies.
  • MUST return structured result objects.
  • SHOULD provide deterministic execution boundaries.
  • MAY enforce their own operational constraints (e.g., resource limits, path restrictions inherent to the server’s configuration).
Servers are reusable across agents and do not need awareness of GPARS. GPARS security policy is enforced at the plane boundary enforcement point, not by MCP servers. Servers interact with underlying infrastructure on behalf of the agent — the agent never interacts with infrastructure directly.

Plane boundary

The boundary between the Cognitive Plane and the Action Plane MUST be enforced by a user-controlled enforcement point. MCP servers MUST NOT accept requests directly from the Cognitive Plane without passing through this enforcement point. The enforcement point is responsible for:
  • Verifying the identity of the requesting agent (so that per-agent security policy can be applied).
  • Evaluating each MCP request against the user’s security policy.
  • Returning AUTHORIZATION_DENIED for operations that violate the policy.
  • Returning SERVER_UNAVAILABLE when a target MCP server is not reachable.
  • Routing permitted requests to the appropriate MCP servers.
GPARS does not mandate a specific implementation for the enforcement point. Implementers MAY use a reverse proxy, network isolation, Unix socket permissions, process-level sandboxing, or any other mechanism that ensures the Cognitive Plane cannot directly access MCP servers while bypassing the security policy.
The agent must not be able to self-assert its identity to the Action Plane. Identity verification MUST be performed by infrastructure under the user’s control, not by trusting the agent’s self-declared id field.