Verify OPA bundle signature

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

Annotations already indicate read-only, non-destructive, idempotent behavior. The description adds valuable details: it uses `opa eval`, checks `.signatures.json`, and declares that tampered/unsigned bundles fail with `INVALID_BUNDLE`. It also specifies the success return format. No contradictions with annotations.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is three sentences long, with the first sentence immediately stating the tool's purpose. Each subsequent sentence adds critical context (prerequisite, behavior, return format). No unnecessary words or redundancies.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's complexity (5 parameters, no output schema, good annotations), the description covers prerequisites, behavior, and success return format. It only briefly touches on failure (INVALID_BUNDLE), but this is sufficient for an agent to understand the outcome. Slightly incomplete regarding failure details, but still very helpful.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

All five parameters have descriptions in the schema (100% coverage). The description does not add further parameter-specific guidance beyond referencing the underlying `opa eval` command. It meets the baseline but does not enhance parameter understanding.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states it verifies the cryptographic signature of a signed OPA bundle, using specific command-line details. It distinguishes from sibling tools like opa_bundle_sign (which signs) and conftest_verify (which is for conftest), leaving no ambiguity about the tool's purpose.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description explicitly notes that the bundle must have been signed with `opa sign` or `opa_bundle_sign`, establishing a clear prerequisite. While it doesn't directly compare to alternative tools, the context implies this is the appropriate tool for verification after signing, which is sufficient given the sibling list.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.