Worth separating two distinct contract questions though:
1. Capability contract: what can this tool do? (what Sonde addresses — commands, inputs, outputs, discovery) 2. Authorization contract: what is this agent allowed to do with this tool, in this context?
The first contract lives in the tool. The second can't. Even with a perfect manifest, an agent that reads it learns what's possible — not what's permitted for this specific task.
The manifest helps the agent construct a valid request. The enforcement layer decides whether to grant it. Those are separate surfaces, and conflating them is where a lot of agent security debt accumulates.
Concrete example: an agent reads the manifest for a filesystem tool, discovers `delete_file`, constructs a valid call with correct parameters. The manifest says it's a valid call. What stops the agent from running it on a file outside its working scope? That can't be encoded in the manifest — it requires external enforcement that knows the task context, not just the tool schema.
Sonde looks like a clean foundation for the capability side. Curious if you're thinking about the authorization layer as a next step.
valentinprgnd•3h ago
The idea is simple: most CLIs were designed for humans reading terminal output. AI agents interacting with tools need something closer to a machine-readable contract.
Sonde is an early experiment exploring a small manifest that lets tools describe their commands, inputs and outputs so agents can discover and execute them without scraping terminal output.
This is still very early and I'm mainly interested in feedback from people building developer tooling or agent workflows.