Rationale

Separation of Cognition and Action

Prevents cognitive bias induced by embedded execution tools. When tools are internal, the agent’s reasoning is shaped by their implementation. Externalization ensures the agent reasons about what to do, not how tools work.

User-Owned Security

The user owns the data and systems the agent operates on. The user — not the agent, not the agent developer — defines what is permitted. This mirrors established security models in operating systems, cloud platforms, and enterprise infrastructure.

Declarative Agent Capabilities

Improves transparency and runtime portability without binding the agent to specific MCP server implementations. An agent’s manifest describes its intended behavior using manifest-local capability references and human-readable descriptions.

Discovery-Based Authorization

Agents are not told their effective permissions. They discover boundaries by receiving denials. This prevents agents from gaming policy boundaries and keeps the security model simple.

Modularity

Enables emergent behavior across heterogeneous MCP capability ecosystems. Different cognitive models, reasoning architectures, and vendors can be composed without rewriting tool logic.

General-Purpose Validity

A truly general-purpose agent operates across environments without presuming intrinsic capabilities. Specialization comes from the agent loop — not from embedded tools.

Overview

Architecture

Agent manifest

Security

Operations

Context