Declare in config
Add capabilities to your config file. They are auto-declared when the agent registers:Declare via CLI
Push capabilities from your config file without restarting the agent:Declare at runtime
Define tools (schemas)
Register tool definitions — especially useful when MCP discovers tools at runtime:tools/list from the upstream server.
What you’ll see
A boundary map in the dashboard showing declared tools, actions, and resources. Undeclared tools used at runtime trigger boundary drift warnings when configured.Capability shape
| Field | Required | Description |
|---|---|---|
tool.name | Yes | Tool identifier |
tool.provider | No | Provider namespace (github, cicd, mcp) |
actions | Yes | Allowed action types |
resources | Yes | Allowed resource types |
environments | No | Restrict to specific environments |
riskLevel | No | low, medium, high, critical |
read, create, update, delete, execute, communicate, merge
Common resource types: code_repository, deployment_event, pipeline_run, secret, work_item, database_record, file
Next steps
Action and resource metadata
Deep dive on the metadata model.
Boundary drift
Detect undeclared tools in production.
