Skip to main content
A capability is anything an agent can use. Not just tools: the governed object in the control loop.

Definition

A capability is any resource an agent can use. The mental shift from the conventional “tool” framing is intentional: capabilities include tools, models, memory, databases, MCP servers, sandboxes, secrets, and other agents. Everything that can cause a consequence is a governed capability. Without capabilities, an agent calls code. With capabilities, the runtime knows what is behind the door: the risk, the effect, the side effects, the required scopes, the tenant, the environment, and the data namespace. That metadata is what makes policy possible.

Registering Capabilities

Register capabilities with the decorator:
Or register a capability directly:

Fields

Computed Properties

  • is_high_risk: True if risk is high or critical
  • has_side_effects: True if side_effects is non-empty
  • disableable_side_effects: list of side effects with can_disable=True

Capability Types

Risk Levels

  • none: no meaningful risk
  • low: read-only, reversible, internal only
  • medium: writes to internal state or reads external data
  • high: external writes, financial actions, credential access, irreversible changes
  • critical: destructive, broadly scoped, or impossible to audit after the fact
Risk is metadata. It does not enforce anything by itself. Policies use ctx.is_high_risk to enforce behavior.

Naming Conventions

Flat strings work. Namespaced names are recommended for complex deployments:
The wildcard policy target "*" matches all capabilities regardless of naming.

Why Not Just Tools

Tool is only one capability type. Model calls consume budget, affect quality, and route to different providers. Memory writes can poison future context. Secrets, if misused, expose credentials. MCP servers expose entire action surfaces. Treating all of these as capabilities gives the same policy runtime governance over the entire agent action surface, not just the tools the developer explicitly thought about.