CapabilityDeniedError and the original function does not run.
This is the right boundary for production agents because most agent risk comes from what tools do, not only from what the model says.
Tool Calls Are Capabilities
In Brane, a tool is one kind of Capability:Example: Require Approval Signal For A Destructive Tool
Example: Tenant Isolation
Tool Governance Checklist
For every production tool, define:- Capability name
- Capability type
- Risk level
- Owner
- Tenant or data namespace
- Required scopes
- Before-capability policies
- After-capability policies for output checks
