Declarative tool interface contracts for agentic runtimes — typed parameters, command templates, evidence envelopes, session and browser modes
Project description
ToolClad
Declarative tool interface contracts for agentic runtimes.
ToolClad is a manifest format (.clad.toml) that defines the complete behavioral contract for a tool: typed parameters, validation rules, invocation mechanism, output parsing, and policy metadata. Three execution modes share a common governance layer:
- Oneshot (default): Single CLI command execution
- Session: Interactive CLI tools via PTY (msfconsole, psql, redis-cli) with per-interaction Cedar gating
- Browser: Governed headless browser via CDP/Playwright with URL scope enforcement and page state policies
The Problem
Every team building agentic systems writes custom glue code per tool: argument sanitization, timeout enforcement, output parsing, evidence capture, Cedar mappings, DSL capabilities, and policies. That's 7 steps per tool. It doesn't scale.
The Solution
# tools/whois_lookup.clad.toml
[tool]
name = "whois_lookup"
version = "1.0.0"
binary = "whois"
description = "WHOIS domain/IP registration lookup"
timeout_seconds = 30
risk_tier = "low"
[args.target]
position = 1
required = true
type = "scope_target"
description = "Domain name or IP address to query"
[command]
template = "whois {target}"
[output]
format = "text"
envelope = true
[output.schema]
type = "object"
[output.schema.properties.raw_output]
type = "string"
The agent fills typed parameters. The executor validates, constructs the command from the template, executes with timeout, and returns structured JSON. The agent never sees or generates a shell command.
Security Model
ToolClad inverts the sandbox approach:
- Sandbox: LLM generates command -> sandbox intercepts -> allow/deny (deny-list)
- ToolClad: LLM fills typed parameters -> policy gate -> executor validates -> constructs command from template (allow-list)
The dangerous action cannot be expressed because the interface doesn't permit it.
Reference Implementations
| Language | Directory | CLI | Status |
|---|---|---|---|
| Rust | rust/ |
cargo run -- validate manifest.clad.toml |
Complete |
| Python | python/ |
toolclad validate manifest.clad.toml |
Complete |
| JavaScript | js/ |
npx toolclad validate manifest.clad.toml |
Complete |
| Go | go/ |
go run ./cmd/toolclad validate manifest.clad.toml |
Complete |
Each implementation provides:
- Manifest parsing -- load and validate
.clad.tomlfiles - Argument validation -- 10 core types with injection sanitization
- Command construction -- template interpolation with mappings and conditionals
- Execution -- run with timeout, capture output, SHA-256 evidence hashing
- MCP schema generation -- auto-generate JSON Schema for LLM tool use
- CLI --
validate,run,schema,test(dry run) subcommands
Quick Start
# Rust
cd rust && cargo run -- test ../examples/whois_lookup.clad.toml --arg target=example.com
# Python
cd python && pip install -e . && toolclad test ../examples/whois_lookup.clad.toml --arg target=example.com
# JavaScript
cd js && npm install && node src/cli.js test ../examples/whois_lookup.clad.toml --arg target=example.com
# Go
cd go && go run ./cmd/toolclad test ../examples/whois_lookup.clad.toml --arg target=example.com
Type System
| Type | Validates | Examples |
|---|---|---|
string |
Non-empty, injection-safe | General text |
integer |
Numeric, optional min/max with clamping | Thread counts |
port |
1-65535 | Network ports |
boolean |
Exactly "true" or "false" | Feature flags |
enum |
Value in declared allowed list |
Scan types |
scope_target |
Injection-safe + no wildcards | IPs, CIDRs, hostnames |
url |
Valid URL, optional scheme restriction | Web targets |
path |
No traversal (../) |
File paths |
ip_address |
Valid IPv4 or IPv6 | Addresses |
cidr |
Valid CIDR notation | Network ranges |
All types reject shell metacharacters by default.
Symbiont Integration
ToolClad is the tools/ directory convention for Symbiont. The runtime auto-discovers .clad.toml files, registers them as MCP tools, and wires them into the ORGA reasoning loop with Cedar policy evaluation.
See TOOLCLAD_DESIGN_SPEC.md for the full specification.
License
- Protocol specification (manifest format, type system, evidence envelope): MIT
- Symbiont integration (Cedar gating, ORGA enforcement, scope enforcement): Apache 2.0
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file toolclad-0.4.1.tar.gz.
File metadata
- Download URL: toolclad-0.4.1.tar.gz
- Upload date:
- Size: 17.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a876108e19365e0c8b7a3a5c1d7fcaa4d275222c70a24d77ef951615f89124a0
|
|
| MD5 |
828a4a28b29d0716aec4dc46b61925fe
|
|
| BLAKE2b-256 |
d43f73cf058b52e5e2bbb9ee38d8b3218e2a964f55d65824359d6ef3056ddfc3
|
File details
Details for the file toolclad-0.4.1-py3-none-any.whl.
File metadata
- Download URL: toolclad-0.4.1-py3-none-any.whl
- Upload date:
- Size: 17.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
038cd3d7fcf25ecc5632c73c86f57704ee2a4458ea91715ed29b8b04eae8f7f3
|
|
| MD5 |
a5f102d17906bd9397eb145737b5ad34
|
|
| BLAKE2b-256 |
0e7e9c343d7029b9e843742f6f8613a7c9367ac96ee8921bac82e666f9f25b23
|
