The manifest and the security policy serve different roles:
| Concern | Owner | Where it lives | When it applies |
| --- | --- | --- | --- |
| Capability Requirements | Agent developer | Manifest (Cognitive Plane) | Declarative (informational) |
| Security Policy | User | Action Plane | Continuously during operation |
The manifest declares what the agent needs. The security policy determines what the agent is allowed to do. These are independent — an agent may declare a requirement for filesystem: ["read", "write"] but the user’s policy may only permit read on specific paths.

Enforcement points

Boundary

The plane boundary enforcement point verifies agent identity, evaluates requests against the security policy, and routes permitted requests to MCP servers. The agent cannot bypass this point. Unauthorized operations receive AUTHORIZATION_DENIED. Unavailable servers return SERVER_UNAVAILABLE.
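
A default-deny boundary check along these lines, as an added example that is not taken from the GPARS specification or any implementation of it. The policy layout, the agent id `agent-7`, the paths, the function names and the choice to evaluate policy before server availability are all assumptions; only the two error codes come from the text above.

```python
import posixpath

# Constructed sample data: every name, path and field below is an assumption.
MANIFEST = {"filesystem": ["read", "write"]}   # agent's declaration, informational only
POLICY = {                                     # user's policy, held outside the agent
    "agent-7": {"filesystem": {"read": ["/home/user/docs"]}},
}
SERVERS = {"filesystem": lambda op, path: {"result": f"{op} {path} ok"}}  # stand-in MCP server


def path_allowed(path, roots):
    """True if the normalized path equals a permitted root or lies beneath one."""
    clean = posixpath.normpath(path)           # collapses "..", "." and repeated slashes
    if not clean.startswith("/"):
        return False                           # relative paths are never permitted
    # Compare on a component boundary so /home/user/docs-private does not match.
    return any(clean == r or clean.startswith(r.rstrip("/") + "/") for r in roots)


def enforce(verified_agent_id, capability, op, path, servers=SERVERS):
    """Boundary check. verified_agent_id is established by the boundary's own
    session authentication, never read from the request, and MANIFEST is not
    consulted: only the user's policy decides."""
    rules = POLICY.get(verified_agent_id, {})      # unknown identity -> empty policy
    roots = rules.get(capability, {}).get(op, [])  # no matching rule -> deny
    if not path_allowed(path, roots):
        return {"error": "AUTHORIZATION_DENIED"}
    server = servers.get(capability)
    if server is None:
        return {"error": "SERVER_UNAVAILABLE"}
    return server(op, posixpath.normpath(path))    # route the normalized path
```

Because the policy check runs first, a denied request gets the same answer whether or not the target server is up.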

Operation

MCP servers may enforce their own operational constraints (e.g., resource limits, invalid parameters) and return standard MCP errors. MCP servers are NOT required to implement GPARS security policy logic.

The agent is never trusted to enforce its own boundaries or assert its own identity. All enforcement occurs outside the Cognitive Plane, under the user’s control.