Central tool registry for all agent-callable tools. Manages registration, schema validation, rate limiting, security tier classification, and hook-mediated execution. ToolRegistry is the single source of truth for what tools an agent can call.
- Schema-validated dispatch — every tool call validates input against
input_schema(JSON Schema) before invoking the handler. - Hook interception — if a
HookRegistryis attached,run_pre_hooksfires before handler andrun_post_hooksfires after.HookErroraborts the call before the handler runs. - Rate limiting — tools with a
ToolRateLimitare tracked in a sliding-window counter. Exceedingmax_callswithinwindow_secondsraisesToolExecutionError. - Security tier — each tool has a security tier (
Low,Medium,High,Critical) derived fromToolAnnotationsorcapability_manifest. The approval manager uses this tier. - Thread safety —
ToolRegistry._call_countsis protected by a per-tool lock. - Idempotency annotation —
ToolAnnotations.idempotent=Trueis purely declarative; the registry does not deduplicate calls.
tool call request (tool_name, arguments)
│
├── validate tool_name exists → ToolExecutionError if not
├── validate input_schema → ToolValidationError if invalid
├── check rate limit → ToolExecutionError if exceeded
├── run_pre_hooks(tool_name, arguments) → may raise HookError or modify args
├── handler(arguments) → dict[str, Any]
└── run_post_hooks(tool_name, arguments, result) → may modify result
- A registered tool's
nameis globally unique within a registry instance. input_schemamust be a valid JSON Schema object (type: object).handlermust return adict[str, Any].ToolAnnotations.destructive=Trueimplies security tierHighunless overridden bycapability_manifest.