Skip to main content

Manifest Lifecycle & Registry Patterns

Blueprint · ← Tool registry · Manifest lifecycle · RAG retrieval →

The tool manifest defines what tools exist and how proposals are enforced. This page covers where manifests live, how apps load them, and which pattern fits your scale.

THE CLAIM

The manifest is versioned platform config, not application business logic and not LLM prompt text. Every proposal audit must pin manifest_version.

What you are deciding

Before picking storage, these requirements are non-negotiable in PGAR:

RequirementWhy
Version id (2026.07.1)Examiners ask which contract was active
Pin per session or requestMid-session manifest swap breaks replay
Agentic app loads; LLM never owns filePGAR test: no credentials or policy in model payload
CI gate on changeNew tool = schema + policy scenarios
Audit fieldmanifest_version on every proposal (Audit & replay)

Manifest shape and enforcement live in Tool registry. This page is operations and architecture choice.

Pattern comparison

PatternMaintain whereApp loads howBest for
Hardcoded in codePython/TS dict in agent repoCompile timeDemos, unit tests only
Versioned file in repomanifests/payments-agent/2026.07.1.jsonPath from env at startupSingle team, few agents
Object storage + GitOpsGit source; S3/GCS published artifactFetch on deploy or startupRegulated, auditable releases
Manifest registry APIPlatform service; git or UI as sourceGET /manifests/{agent}/activeMany agents, central ops
Config serviceConsul, AppConfig, etc.SDK watch + cacheExisting enterprise config stack

Pros and cons

Hardcoded in code

ProsCons
Fastest spikeNo independent versioning
Simple local devCouples policy to app deploy
manifest_version often missing or fake
Not production PGAR

Versioned file in repo

ProsCons
Git review on every tool changeEach app deploy picks up manifest
Easy CI validationNo central runtime rollback without redeploy
Clear audit trail in VCSMulti-region sync is manual
Good first production step

Typical layout:

platform/manifests/
payments-agent/
2026.07.1.json
2026.08.1.json
policy-assistant/
2026.07.1.json

Load: MANIFEST_PATH=/config/manifests/payments-agent/2026.07.1.json or MANIFEST_AGENT=payments-agent + resolve active version from small index file.

Object storage + GitOps

ProsCons
Immutable published artifactsExtra pipeline to build/publish
Rollback = repoint active pointerApps need fetch + cache logic
Matches policy-as-artifact mindsetLatency on cold start unless cached

Flow: Merge to git → CI validates → publish s3://manifests/payments-agent/2026.07.1.json → update active pointer → apps refresh on interval or signal.

Manifest registry API

ProsCons
Single source of truthService to build and operate
Runtime rollback without app redeployCache consistency across instances
Per-agent, per-tenant manifestsSession must pin version at start
Natural home for manifest_version audit

Example:

GET /v1/manifests/payments-agent/active
→ { "manifest_version": "2026.07.1", "tools": [ ... ] }

Session pin: On session open, app fetches manifest and stores manifest_version on the session. All proposals in that session use the same version even if registry publishes 2026.08.1 mid-flight.

Use cases

Single payments agent (one team)

Pattern: Versioned file in repo → env var at deploy.

One manifest per agent. CI runs schema + policy scenario suite. Deploy agent + manifest together.

Policy assistant (RAG tools)

Pattern: Same as above; separate manifest file or separate agent id.

RAG tools (retrieve_documents, etc.) use the same JSON shape as payment tools. See Tool registry § RAG tools.

Composed manifest (platform merges modules)

Pattern: Registry API or build-time merge in CI.

base-tools.json + payments-tools.json + rag-tools.json
→ build → payments-agent/2026.07.1.json (published)

Platform owns merge rules; squads own fragment files. One published manifest_version.

Multi-tenant SaaS

Pattern: Registry API with tenant dimension.

GET /v1/manifests/{agent_id}?tenant=bank-eu

Tenant-specific tool subsets or schemas. PDP still decides authorization; manifest defines what can be proposed at all.

Runtime load sequence

  1. Startup or session open: App loads manifest (cached).
  2. Pin version: Store manifest_version on session.
  3. Derive LLM tools: Strip pdp_action, risk_tier, entitlements (Tool registry § manifest → LLM).
  4. On proposal: Validate against pinned manifest; log manifest_version; route to PEP.

Boundary detail: Agentic app.

Release and rollback

EventAction
New tool addedBump manifest version; add policy scenarios; CI must pass
Schema changeSame; treat as breaking unless backward compatible
PromotePoint active to new version (file pointer, S3 object, or registry)
RollbackRepoint active to prior version; no LLM redeploy required if using registry/S3
AuditEvery PEP log includes manifest_version from session pin

Align manifest promotion with PGAR blueprint release gate matrix: tool / ACL changes re-run Tool + Action evals.

Anti-patterns

Anti-patternWhy it fails PGAR
Manifest only in system promptNot enforceable; model can ignore
Per-instance ad hoc tool listsDrift; audit cannot replay
Debug flag exposes all toolsBypass manifest; Adversarial testing must catch
Download manifest from LLMModel must not own contract
No manifest_version in auditExaminers cannot identify active contract
Swap manifest mid-session without pinProposal 1 vs proposal 2 incomparable in replay

Ownership

RoleOwns
AI platformRegistry service, publish pipeline, session pin contract
Agent / domain squadTool entries, schemas, fragment files
GovernancePolicy scenarios for new tools; approve high risk_tier additions
SRECache, rollback runbooks, active pointer alerts

Trace fields

manifest_version, manifest_source, manifest_loaded_at, session_manifest_pin, active_manifest_pointer

See: Tool registry · Boundary: Agentic app · Audit & replay