MCP Tool Factory

```yaml name: The Discipline - Sacred Constraints description: Protective constraints that guard the MCP Tool Factory primitive from entropy ``` # The Discipline **The constraints that prevent the primitive from decaying.** --- ## What This Protects **The Sacred Primitive:** ``` MCP Tool Instance = Conversationally-negotiated capability + Graduated permissions + Hot-reload lifecycle + Cross-dimensional state continuity ``` **Threats:** - **Blind Execution** - Tools executing without negotiation - **Permission Escalation** - Bypassing graduated access ladder - **State Amnesia** - Losing conversation continuity across reloads - **Reload Corruption** - Breaking conversation during hot-reload - **Tool Class Leakage** - State bleeding between tool instances --- ## The Five Sacred Constraints ### 1. CONVERSATIONAL_ALIGNMENT **Every tool interaction must negotiate intent before execution** **What This Means:** - No tool executes without identity verification - No action proceeds without alignment check (contradiction/agnostic/aligned) - No dangerous operation without explicit approval - Every tool can answer: "Who are you?" and "What do you think about X?" **What This Prevents:** - Blind execution of dangerous commands - Unintended tool behavior - Loss of user control **Witness:** - `identity_query_response_rate = 100%` - `alignment_check_before_execution = true` - `dangerous_ops_require_approval = true` **Violation Example:** ```python # WRONG: Blind execution def execute_task(task): return run_command(task) # No negotiation # RIGHT: Conversational negotiation def execute_task(task, conversation): identity = conversation.get_identity() alignment = conversation.check_alignment(task) if alignment == "contradiction": return "Denied: violates constraints" if requires_approval(task): if not conversation.get_approval(task): return "Denied: approval required" return run_command(task) ``` **Enforcement:** - **Automatic:** Tool framework intercepts all execute() calls, requires conversation context - **Manual:** Code review rejects execute() without alignment check --- ### 2. PERMISSION_GRADUATION **Trust must be progressive, not binary** **What This Means:** - Default permission: Read-Only (Level 1) - Every permission upgrade requires explicit approval - Permissions accumulate within session - Dangerous operations blocked unless Level 3+ granted **What This Prevents:** - Accidental catastrophic actions (`rm -rf /`) - Permission abuse - Unintended file modifications **Witness:** - `default_permission_level = 1 (read-only)` - `permission_upgrade_requires_approval = true` - `dangerous_ops_blocked_without_level_3 = true` **Violation Example:** ```python # WRONG: Uniform permissions def write_file(path, content): with open(path, 'w') as f: # No permission check f.write(content) # RIGHT: Permission graduation def write_file(path, content, session): if session.permission_level < 2: if not session.request_permission_upgrade(level=2, reason="write file"): raise PermissionDenied("Write requires Level 2") with open(path, 'w') as f: f.write(content) ``` **Enforcement:** - **Automatic:** File system wrapper checks permission level before write/execute - **Manual:** Security audit flags operations without permission checks --- ### 3. HOT_RELOAD_SAFETY **Tools must reload without breaking conversation continuity** **What This Means:** - Reload signal triggers graceful tool class replacement - Active conversations preserved during reload - Conversation state migrated to new tool version - Zero downtime during reload **What This Prevents:** - Conversation loss during updates - Restart-required updates - State corruption during reload **Witness:** - `reload_downtime_ms = 0` - `conversation_continuity_during_reload = true` - `active_conversations_preserved = 100%` **Violation Example:** ```python # WRONG: Restart-required update def update_tool(): shutdown_server() # Breaks active conversations load_new_code() restart_server() # RIGHT: Hot-reload def update_tool(): new_tool_class = load_new_code() active_conversations = get_active_conversations() # Graceful handoff for conv in active_conversations: conv.migrate_to(new_tool_class) register_tool_class(new_tool_class) ``` **Enforcement:** - **Automatic:** Tool registry validates reload doesn't drop active conversations - **Manual:** Integration test verifies conversation continuity during reload --- ### 4. STATE_CONTINUITY **Tools must remember who, what, and how across interactions** **What This Means:** - WHO dimension: Identity persists (same tool instance across calls) - WHAT dimension: Intent history persists (what we agreed to do) - HOW dimension: Permission grants persist (what I'm allowed to do) - Conversation ID is the primary key for all state **What This Prevents:** - Permission re-negotiation on every call - Intent amnesia - Identity confusion **Witness:** - `conversation_resumption_rate = 100%` - `permission_persistence_across_calls = true` - `intent_history_accessible = true` **Violation Example:** ```python # WRONG: Stateless interaction def handle_request(request): # No conversation context return execute(request.task) # RIGHT: Stateful continuity def handle_request(request, conversation_id): conversation = get_or_create_conversation(conversation_id) # WHO: Identity persists identity = conversation.identity # WHAT: Intent history persists intent_history = conversation.get_intent_history() # HOW: Permission persists permissions = conversation.get_permissions() return execute(request.task, conversation) ``` **Enforcement:** - **Automatic:** Framework requires conversation_id for all tool calls - **Manual:** Code review rejects stateless tool implementations --- ### 5. TOOL_CLASS_ISOLATION **Each tool class maintains independent state and permissions** **What This Means:** - Tool A's conversation state isolated from Tool B - Tool A's permissions don't leak to Tool B - Tool registry enforces class boundaries - Cross-tool orchestration requires explicit permission inheritance **What This Prevents:** - Permission escalation via tool switching - State corruption from tool interference - Security bypass via tool class hopping **Witness:** - `tool_state_isolation = true` - `cross_tool_permission_leakage = 0%` - `tool_registry_enforces_boundaries = true` **Violation Example:** ```python # WRONG: Shared state global_state = {} # All tools share this class ToolA: def execute(self): global_state['permissions'] = 'admin' # Leaks to ToolB class ToolB: def execute(self): # Inherits admin from ToolA! return global_state['permissions'] # RIGHT: Isolated state class ToolA: def __init__(self): self.state = {} # Isolated self.permissions = 'read-only' class ToolB: def __init__(self): self.state = {} # Separate isolation self.permissions = 'read-only' ``` **Enforcement:** - **Automatic:** Tool registry allocates separate state stores per class - **Manual:** Security audit verifies no shared mutable state --- ## Witness Protocol **Every constraint must be:** 1. **Observable** - Can be measured objectively 2. **Automatic** - System verifies, not humans 3. **Continuous** - Checked on every execution 4. **Actionable** - Violation triggers clear response **Example:** ```yaml constraint: CONVERSATIONAL_ALIGNMENT witness: identity_query_response_rate = 100% check: On every tool call, verify identity query succeeds action_on_violation: Reject tool call, log incident ``` --- ## Enforcement Mechanisms ### Automatic Enforcement **Tool Framework Layer:** - Intercept all tool.execute() calls - Verify conversation context present - Check permission level vs operation requirements - Validate conversation_id for state lookup **File System Wrapper:** - Wrap all file operations - Check permission level before write/execute - Log all file access for traceability **Tool Registry:** - Enforce tool class isolation - Validate reload doesn't break conversations - Track active conversations per tool class ### Manual Enforcement **Code Review Checklist:** - [ ] All execute() calls have conversation context - [ ] All write operations check permission level - [ ] All tool classes use isolated state - [ ] All reloads preserve active conversations **Security Audit:** - Monthly review of permission grants - Quarterly review of tool class isolation - Annual review of constraint tightening history --- ## Constraint Evolution **Version 1** (Initial - 2025-11-20) **CONVERSATIONAL_ALIGNMENT:** - Identity query required: true - Alignment check required: true - Approval threshold: Level 2+ operations **PERMISSION_GRADUATION:** - Default level: 1 (read-only) - Upgrade requires: explicit approval - Dangerous ops threshold: Level 3 **HOT_RELOAD_SAFETY:** - Max reload downtime: 0ms - Conversation preservation: 100% **STATE_CONTINUITY:** - Conversation ID required: true - Dimension tracking: [who, what, how] **TOOL_CLASS_ISOLATION:** - Shared state permitted: false - Cross-tool permission inheritance: explicit only **Evolution Rule:** Constraints only tighten, never relax **Next Trigger:** If any witness falls below 100%, tighten constraint --- ## Sacred Primitive Protection **How Each Constraint Derives from the Primitive:** **Primitive Component:** Conversationally-negotiated capability **Protected By:** CONVERSATIONAL_ALIGNMENT **Threat Blocked:** Blind execution without negotiation **Primitive Component:** Graduated permissions **Protected By:** PERMISSION_GRADUATION **Threat Blocked:** Binary all-or-nothing access **Primitive Component:** Hot-reload lifecycle **Protected By:** HOT_RELOAD_SAFETY **Threat Blocked:** Conversation loss during updates **Primitive Component:** Cross-dimensional state continuity **Protected By:** STATE_CONTINUITY **Threat Blocked:** Amnesia (forgetting who/what/how) **Primitive Component:** Multiple tool classes from same infrastructure **Protected By:** TOOL_CLASS_ISOLATION **Threat Blocked:** State/permission leakage between tools --- ## The Protection Model ``` Sacred Primitive ↓ Five Sacred Constraints (protection layer) ↓ Witness Protocol (measurement layer) ↓ Enforcement Mechanisms (automatic + manual) ↓ Constraint Evolution (tightening over time) ``` **Result:** Primitive cannot decay without violating measurable witnesses, which trigger automatic enforcement.