MCP Tools (Model Context Protocol)
Manasvi can connect to MCP servers and expose their tools to the agent — without giving up its governance model. Every MCP tool goes through the same path as a built-in tool: the model proposes a call, policy decides, an approval gate runs if required, a signed execution intent is created, and only then does the call reach the MCP server.
This lets you add large amounts of capability (filesystem servers, database servers, API servers, and the growing MCP ecosystem) while keeping the rule that model output is a proposal, not permission.
How it works
MCP server (separate process)
▲ tools/list, tools/call (JSON-RPC over stdio)
│
Execution Manager ── hosts MCP servers, runs the call AFTER policy/approval
▲
│ registers discovered tools at startup (GET /mcp/tools)
│
Orchestrator ── plans with MCP tools like any other governed tool
- The execution manager starts each configured MCP server and lists its tools.
- Each MCP tool becomes a Manasvi tool manifest with id
mcp:<server>:<tool>. - The orchestrator registers those manifests at startup.
- When the agent proposes an MCP tool, it is policy-evaluated, approval-gated if required, and then executed by calling the MCP server.
Safety defaults
MCP tools are approval-gated by default. A newly discovered MCP tool is
treated as a side-effecting execute action and requires approval before it can
run. You can declare a server (or specific tools) read-only, in which case
those tools map to a read action that policy can allow without approval.
This means connecting a new MCP server never silently grants the model the ability to cause side effects.
Configure
Set MCP_SERVERS_JSON on the execution manager:
{
"servers": [
{
"id": "files",
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-filesystem", "/data"],
"readOnlyTools": ["read_file", "list_directory", "search_files"]
},
{
"id": "weather",
"command": "python",
"args": ["-m", "my_weather_mcp"],
"readOnly": true
}
]
}
Fields per server:
| Field | Meaning |
|---|---|
id | Short identifier; becomes part of the tool id (mcp:<id>:<tool>) |
command, args | How to launch the MCP server process |
env, cwd | Optional process environment and working directory |
readOnly | Treat all of this server's tools as read-only (no forced approval) |
readOnlyTools | Mark specific tool names read-only even if the server is not |
requestTimeoutMs | Per-call timeout (default 30000) |
Restart the execution manager and orchestrator after changing this.
Inspect
MCP tools appear alongside built-in tools:
pnpm manasvi tools list
# look for ids beginning with mcp:
The execution manager exposes discovery at GET /mcp/tools.
Notes and limits
- MCP servers run as separate processes, not inside Manasvi's JavaScript
sandbox. Treat them like any external integration: only connect servers you
trust, and prefer
readOnlywhere possible. - MCP tool output is classified as untrusted external content — it cannot silently become trusted memory or authority.
- Argument validation is delegated to the MCP server (it validates and reports its own errors); Manasvi enforces governance, not the tool's own schema.