Tool Use as Capability
The pattern: tools are typed RPCs the agent can call. Each has a JSON Schema for its input and output. Agents declare which tools they need; the platform enforces the allowlist. Every call is audited to a system of record. MCP standardizes the contract — any client speaks MCP, any server speaks MCP, the M×N integration matrix collapses to M+N.
The trade-off: flexibility vs. safety. “Agent can do anything” is dangerous. “Agent can call only these 5 tools, with these schemas, with this audit, with these approval gates for destructive ops” is a system. Typed tools, capability allowlists, approval gates, and audit logs are what make agents production-deployable rather than demo-only.
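A minimal sketch of the enforcement point described above, added here as an illustration and not taken from the course's own code. The tool names, `ToolGateway` and `Denied` are hypothetical; an exact key-and-type check stands in for full JSON Schema validation, and an in-memory list stands in for the system of record.

```python
import json
import time

# Hypothetical registry: tool name -> (input field types, destructive?, handler)
TOOLS = {
    "get_ticket":    ({"id": int}, False, lambda a: {"id": a["id"], "status": "open"}),
    "delete_ticket": ({"id": int}, True,  lambda a: {"deleted": a["id"]}),
}

class Denied(Exception):
    """Raised when the platform refuses a tool call."""

class ToolGateway:
    """Platform-side enforcement point between one agent and its tools."""
    def __init__(self, agent, allowlist, approver=None):
        self.agent, self.allowlist = agent, frozenset(allowlist)
        self.approver = approver   # callable(agent, tool, args) -> bool, e.g. a human gate
        self.audit = []            # stand-in for the system of record

    def _log(self, tool, args, outcome):
        self.audit.append(json.dumps({"ts": time.time(), "agent": self.agent, "tool": tool,
                                      "args": args, "outcome": outcome}, default=str))

    def call(self, tool, args):
        try:
            result = self._dispatch(tool, args)
        except Denied as exc:
            self._log(tool, args, f"denied: {exc}")   # refusals are audited too
            raise
        self._log(tool, args, "ok")
        return result

    def _dispatch(self, tool, args):
        # 1. Capability allowlist: the agent only reaches tools it declared.
        if tool not in self.allowlist or tool not in TOOLS:
            raise Denied("not in allowlist")
        schema, destructive, handler = TOOLS[tool]
        # 2. Typed input: exact key set and exact types (no extras, no bool-as-int).
        if (not isinstance(args, dict) or set(args) != set(schema)
                or any(type(args[k]) is not t for k, t in schema.items())):
            raise Denied("schema mismatch")
        # 3. Approval gate: destructive tools fail closed without an approver's yes.
        if destructive and not (self.approver and self.approver(self.agent, tool, args)):
            raise Denied("approval required")
        return handler(args)
```

The order matters: the allowlist check runs before any argument is parsed, and a destructive call with no approver configured is refused rather than allowed.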
Deepens in Year 5 Phase 26: Agent Development (typed tools) and Phase 27: MCP (the DEEP synthesis: basecamp-mcp + capability allowlisting). Phase 28: AIOps and services/aiops/ consume tools under read-only-by-default and approval-gated destructive constraints.
Related patterns
- agent-loop — the state machine that calls these tools.
- prompt-as-program — tool schemas and prompts version together.
- inference-shapes — every tool call is itself a typed inference boundary.
- feature-store — common backing store behind retrieval tools.