Policy-Filtered Discovery

User, agent, surface, and environment context arrive before the catalog opens.

Why it mattersTool visibility depends on who is asking and where they are acting.

A tool can be approved in the registry and still hidden from a specific agent.

Why it mattersRegistry approval and runtime visibility are different controls.

Group, agent, client, delegator, and rule context focus the visible list.

Why it mattersDiscovery needs policy evaluation, not a static catalog dump.

tools/list passes through session and policy checks, with no bypass path.

Why it mattersUnauthorized tools should not leak through discovery before call-time denial.

The agent receives only the tools that are visible, allowed, low-risk enough, and from the right source.

Why it mattersA small allowed list makes agent behavior easier to reason about.

Hidden tools are not advertised, hinted, or credentialed.

Why it mattersDiscovery is a prevention layer, not just a convenience layer.

The same agent can see different lists in an IDE, support bot, or production app.

Why it mattersClient surface changes risk and intent.

Dev and production discovery stay separated by environment.

Why it mattersProduction tools should not appear because a dev context happened to work.

Risk tier and credential mode affect which tools become visible.

Why it mattersVisibility should account for how the downstream call would be authorized.

Active, expired, and step-up states can require a refreshed list.

Why it mattersA stale discovery list can become an authorization bug.

Delegated authority narrows the visible list through policy.

Why it mattersActing for someone else should not expand capability by accident.

Discovery evidence records policy version, actor context, visible list, and audit receipt.

Why it mattersTeams need to explain why the agent saw a tool before it called it.