Skip to main content

Domain: Tool Registry

Blueprint · ← Downstream · Tool registry · Manifest lifecycle → · RAG retrieval →

Every tool the LLM may propose must appear in a versioned manifest. The agentic app rejects unknown tools before PEP. The PEP maps manifest entries to PDP action names.

THE CLAIM

The manifest is the contract between proposal and policy. No manifest entry, no PEP call, no side effect.

Entry schema

Each tool in the manifest:

FieldPurpose
nameTool id the LLM proposes (must match exactly)
schemaJSON Schema for arguments; validated before PEP
pdp_actionAction name sent to PDP (often same as name)
risk_tierlow / medium / high; drives audit and step-up rules
idempotency_requiredHigh-risk side effects require idempotency key in context

Full manifest example

Payment agent manifest (matches PGAR wire insight). RAG tools use the same shape; see RAG retrieval walkthrough.

Where to maintain manifests: Manifest lifecycle & registry patterns.

{
"manifest_version": "2026.07.1",
"tools": [
{
"name": "lookup_beneficiary",
"description": "Resolve payee name and invoice to beneficiary id",
"schema": {
"type": "object",
"required": ["payee_name", "invoice_ref"],
"properties": {
"payee_name": { "type": "string" },
"invoice_ref": { "type": "string" }
}
},
"pdp_action": "lookup_beneficiary",
"risk_tier": "low"
},
{
"name": "validate_payment",
"description": "Pre-auth: limits, sanctions, cut-off for a payment",
"schema": {
"type": "object",
"required": ["beneficiary_id", "amount", "source_account", "reference"],
"properties": {
"beneficiary_id": { "type": "string" },
"amount": { "type": "number" },
"source_account": { "type": "string" },
"reference": { "type": "string" }
}
},
"pdp_action": "validate_payment",
"risk_tier": "medium"
},
{
"name": "initiate_wire",
"description": "Initiate wire transfer on payment hub",
"schema": {
"type": "object",
"required": ["beneficiary_id", "amount", "source_account", "reference"],
"properties": {
"beneficiary_id": { "type": "string" },
"amount": { "type": "number" },
"source_account": { "type": "string" },
"reference": { "type": "string" }
}
},
"pdp_action": "initiate_wire",
"risk_tier": "high",
"idempotency_required": true
}
]
}

Manifest → LLM → PEP

The agentic app derives the LLM tool list from the manifest. Governance fields never cross the LLM boundary.

Manifest fieldLLM seesAgentic appPEP / PDP
nametool name in schemamust match proposalSARAC action (via pdp_action)
descriptionoptional in schemanono
schemaparameters shapevalidate proposal argsre-validate before PEP
pdp_actionhiddenmap proposal → PDPPDP action name
risk_tierhiddenaudit tagpolicy rules (e.g. high → step-up)
idempotency_requiredhiddenreject if missing keyforward in SARAC context
manifest_versionhiddenlog on every proposalaudit record

LLM payload (from manifest above):

{
"tools": [
{ "name": "lookup_beneficiary", "parameters": { "payee_name": "string", "invoice_ref": "string" } },
{ "name": "validate_payment", "parameters": { "beneficiary_id": "string", "amount": "number", "source_account": "string", "reference": "string" } },
{ "name": "initiate_wire", "parameters": { "beneficiary_id": "string", "amount": "number", "source_account": "string", "reference": "string" } }
]
}

No emts, limits, or pdp_action. See Token & session boundary.

Enforcement hops

HopCheckOn failure
① LLM schema exposureOnly manifest tools in tools arrayN/A (app builds payload)
② Agentic appproposal.tool ∈ manifestReject; no PEP call; log in_manifest: false
③ Agentic appArgs validate against schemaReject; log schema_valid: false
④ Agentic appIdempotency key if idempotency_requiredReject before PEP
⑤ PEPMap to SARAC; call PDPDENY / STEP_UP / ALLOW
⑥ DownstreamExecute only on ALLOWPer domain playbook

Worked example: one proposal through the registry

Context: After lookup and validate, the LLM proposes initiate_wire. Full multi-tool sequence: PGAR insight § corporate wire.

Setup

Claims (session, not sent to LLM):

{
"sub": "officer-123",
"emts": {
"payments.lookup": true,
"payments.validate": true,
"payments.wire.initiate": true
},
"limits": { "wire.auto_approved": 25000 }
}

Prior tool results in app state: beneficiary_id: bene-acme-441, sanctions_status: clear.

③ LLM proposes

{
"tool": "initiate_wire",
"arguments": {
"beneficiary_id": "bene-acme-441",
"amount": 47500,
"source_account": "acct-operating-4412",
"reference": "INV-8842"
}
}

② App checks (before PEP)

  1. initiate_wire in manifest? Yes
  2. Schema valid? Yes
  3. idempotency_required and key present? Yes (idempotency_key: idm-4a2b in session context)

Trace: manifest_version: 2026.07.1, in_manifest: true, schema_valid: true

④ PEP → PDP

PEP maps manifest entry to SARAC:

FieldValue
actioninitiate_wire (from pdp_action)
resource{ "type": "wire_payment", "beneficiary_id": "bene-acme-441", ... }
context{ "amount": 47500, "sanctions_status": "clear", "idempotency_key": "idm-4a2b" }

PDP returns STEP_UP (47500 > 25000). PEP logs verdict; no downstream call. See Step-up & attestation.

Block paths (registry layer)

These fail before or without a successful PDP ALLOW:

ScenarioWhere blockedTrace
Model proposes shell_execApp: not in manifestin_manifest: false
amount is string not numberApp: schema validationschema_valid: false
initiate_wire without idempotency keyApp: manifest ruleidempotency_missing: true
Debug flag exposes undeclared toolsShould never ship; adversarial testAdversarial testing

RAG tools in the same model

Retrieval tools use the same manifest contract. Difference is SARAC resource (corpus / doc id) and PDP rules (doc entitlements), not manifest mechanics.

{
"name": "retrieve_documents",
"schema": {
"type": "object",
"required": ["corpus", "query"],
"properties": {
"corpus": { "type": "string" },
"query": { "type": "string" }
}
},
"pdp_action": "retrieve_documents",
"risk_tier": "medium"
}

Walkthrough: Domain: RAG retrieval.

Failure classes

  • Shadow tools: engineer adds API call not in manifest
  • Schema drift: model args don't match JSON schema
  • Risk mismatch: high-risk tool without idempotency
  • Manifest bypass in prod: debug flag exposes all tools
  • pdp_action mismatch: manifest maps to action PDP does not know

Release gate

  • Schema validation: 100% on golden tool scenarios
  • Manifest violations: 0
  • New tool requires policy scenarios before active
  • manifest_version pinned in audit for every proposal

Eval overlap

Eval plane Tool: selection, args, manifest compliance.

Trace fields

tool_name, manifest_version, schema_valid, in_manifest, risk_tier, pdp_action, idempotency_key

See: Boundary: LLM proposal · Adversarial testing · Policy contracts