Definition
A capability is any resource an agent can use. The mental shift from the conventional “tool” framing is intentional: capabilities include tools, models, memory, databases, MCP servers, sandboxes, secrets, and other agents. Everything that can cause a consequence is a governed capability. Without capabilities, an agent calls code. With capabilities, the runtime knows what is behind the door: the risk, the effect, the side effects, the required scopes, the tenant, the environment, and the data namespace. That metadata is what makes policy possible.Registering Capabilities
Register capabilities with the decorator:Fields
Computed Properties
is_high_risk:Trueifriskishighorcriticalhas_side_effects:Trueifside_effectsis non-emptydisableable_side_effects: list of side effects withcan_disable=True
Capability Types
Risk Levels
none: no meaningful risklow: read-only, reversible, internal onlymedium: writes to internal state or reads external datahigh: external writes, financial actions, credential access, irreversible changescritical: destructive, broadly scoped, or impossible to audit after the fact
ctx.is_high_risk to enforce behavior.
Naming Conventions
Flat strings work. Namespaced names are recommended for complex deployments:"*" matches all capabilities regardless of naming.
