generate_compliance_report

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, and the description does not disclose behavioral traits such as side effects, permissions required, or rate limits. It only states the output is a JSON report, leaving the agent unaware of potential write operations or authentication needs for a tool that likely reads cryptographic data.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is reasonably concise, with two main sentences followed by a parameter list. It avoids unnecessary details and uses line breaks for readability. The parameter descriptions are succinct but informative.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool has five parameters and an output schema exists, the description sufficiently covers the report's scope and all parameters. It explains what the report covers and what each parameter does, though it could mention the output format or any constraints on the algorithms parameter.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Despite 0% schema description coverage, the description adds meaningful details for each parameter: algorithms as comma-separated names, scan_text as optional source code, system_type with listed options (nss, federal, general), data_sensitivity with levels, and data_shelf_life_years as years. This compensates for the bare schema and aids correct invocation.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool generates a comprehensive cryptographic compliance report covering FIPS 140-3, CNSA 2.0, post-quantum readiness, and code audit. This specific verb-resource combination distinguishes it from sibling tools like check_fips_compliance or analyze_cnsa_compliance, which focus on individual standards.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description mentions the tool is suitable for security assessments, compliance audits, and migration planning, but does not explicitly state when to use this tool versus more specific siblings. The context suggests it is the comprehensive option, but no direct guidance or exclusions are provided.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.