Skip to main content

MCP Tools (Model Context Protocol)

Manasvi can connect to MCP servers and expose their tools to the agent — without giving up its governance model. Every MCP tool goes through the same path as a built-in tool: the model proposes a call, policy decides, an approval gate runs if required, a signed execution intent is created, and only then does the call reach the MCP server.

This lets you add large amounts of capability (filesystem servers, database servers, API servers, and the growing MCP ecosystem) while keeping the rule that model output is a proposal, not permission.

How it works

MCP server (separate process)
▲ tools/list, tools/call (JSON-RPC over stdio)

Execution Manager ── hosts MCP servers, runs the call AFTER policy/approval

│ registers discovered tools at startup (GET /mcp/tools)

Orchestrator ── plans with MCP tools like any other governed tool
  1. The execution manager starts each configured MCP server and lists its tools.
  2. Each MCP tool becomes a Manasvi tool manifest with id mcp:<server>:<tool>.
  3. The orchestrator registers those manifests at startup.
  4. When the agent proposes an MCP tool, it is policy-evaluated, approval-gated if required, and then executed by calling the MCP server.

Safety defaults

MCP tools are approval-gated by default. A newly discovered MCP tool is treated as a side-effecting execute action and requires approval before it can run. You can declare a server (or specific tools) read-only, in which case those tools map to a read action that policy can allow without approval.

This means connecting a new MCP server never silently grants the model the ability to cause side effects.

Configure

Set MCP_SERVERS_JSON on the execution manager:

{
"servers": [
{
"id": "files",
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-filesystem", "/data"],
"readOnlyTools": ["read_file", "list_directory", "search_files"]
},
{
"id": "weather",
"command": "python",
"args": ["-m", "my_weather_mcp"],
"readOnly": true
}
]
}

Fields per server:

FieldMeaning
idShort identifier; becomes part of the tool id (mcp:<id>:<tool>)
command, argsHow to launch the MCP server process
env, cwdOptional process environment and working directory
readOnlyTreat all of this server's tools as read-only (no forced approval)
readOnlyToolsMark specific tool names read-only even if the server is not
requestTimeoutMsPer-call timeout (default 30000)

Restart the execution manager and orchestrator after changing this.

Inspect

MCP tools appear alongside built-in tools:

pnpm manasvi tools list
# look for ids beginning with mcp:

The execution manager exposes discovery at GET /mcp/tools.

Notes and limits

  • MCP servers run as separate processes, not inside Manasvi's JavaScript sandbox. Treat them like any external integration: only connect servers you trust, and prefer readOnly where possible.
  • MCP tool output is classified as untrusted external content — it cannot silently become trusted memory or authority.
  • Argument validation is delegated to the MCP server (it validates and reports its own errors); Manasvi enforces governance, not the tool's own schema.