Tools & capabilities
A step declares the tools it is allowed to call; it never imports them. That allow-list is the step's capability boundary, and a conforming runtime honors it as one.
The allowedTools list
On an agent step, allowedTools is a list of tool names. A name resolves against the document's own embedded tools array and the runtime's tool registry; a call to any name not on the executing step's list is refused.
{
"id": "recover",
"kind": "agent",
"agent": "lou",
"purpose": "Draft a recovery email for the failed charge and record the attempt.",
"allowedTools": [
"customer.get",
"charge.history",
"mcp.acme.search_orders"
],
"next": "gate"
}Three naming families cover the surface:
- Built-in tools, plain names over the runtime's primitives:
customer.get,today.surface. - Connector tools, named by the provider's tool set:
charge.historyfrom the Stripe connector, and kin, documented per provider. - MCP tools, composed as
mcp.<server>.<tool>where<server>is a logical name the document declares inrequires.mcpServers. The name is a local handle: never a URL, never auth material.
Embedded tool definitions
A document carries the definitions of the tools it references in its tools array, so a foreign reader can explain what the playbook does without any registry. Each entry:
The requires declaration
The envelope's requires block is the machine-readable statement of what a harness must satisfy before the playbook can run: provider connections, MCP servers by logical name, and named secrets. Names and purposes only; never credentials.
Future direction
A richer per-reference object form, carrying a kind discriminator, declared operations for credit pricing, and skill:// references to SKILL.md procedural knowledge, is planned direction for a future OpenPlaybook version. It is not part of the current wire format: today's documents declare tool names, and the current schemas are the contract. Track the evolution in the spec repository's RFC process.