OpenTool

The open framework for governed AI operations

Describe capabilities. Distribute tools. Enforce policy. Audit everything.

Foundation

What is OpenTool?

OpenTool is the open-source foundation that defines how AI agents discover, use, and are governed when using tools. It is not an application — it is the substrate that applications build on. OpenTool provides the manifest format, the capability taxonomy, the policy engine contract, and the audit schema. Any runtime that implements OpenTool inherits its governance guarantees automatically.

Runtime

The Event Loop

Every governed agent session follows this loop. Seven steps. Every step audited.

Discover

Agent session starts. CapabilityRuntime loads manifests. "What tools do I have?"

Reason

Agent receives prompt, plans approach using available tools. "What should I do?"

Request

Agent emits tool_use: { name, input } "I want to call this tool with these params"

Intercept

PolicyEngine evaluates the request against guardrails. "Is this permitted?"

ALLOW BLOCK REDIRECT QUARANTINE

Execute

CapabilityExecutor dispatches through sandbox. Shell, MCP, API proxy — all governed paths. "Do the thing, safely"

Return

Tool result fed back to agent for next reasoning turn. "Here's what happened"

Audit

Every step logged. OTEL spans + persistent storage. "What happened, who did it, was it allowed?"

↺

LOOP — Back to step 2 until task complete.

Contract

The Manifest

opentool.json is the universal contract. Every capability ships with one.

{
  "name": "encryption-suite",
  "kind": "plugin",
  "version": "0.3.0",
  "provides": ["encrypt", "decrypt", "key-generate"],
  "permissions": ["fs:read", "fs:write"],
  "guardrails": {
    "max_file_size": "50MB",
    "blocked_paths": ["/etc/shadow", "~/.ssh/*"]
  },
  "audit": "required"
}

Every tool, skill, plugin, MCP server, workflow, app, provider, CLI, and standard ships with this manifest. The runtime reads it. The policy engine enforces it. The audit log records it.

Taxonomy

9 Capability Kinds

Every capability in the ecosystem is one of these. Each kind has defined behavior, lifecycle, and governance rules.

Tool

Single-purpose function. One input, one output. The atomic unit of agent capability.

Skill

Multi-step procedure with instructions. A recipe the agent follows, not just a function it calls.

Plugin

Persistent extension that adds capabilities to the runtime. Loaded once, available for the session.

MCP Server

Model Context Protocol endpoint. Bridges external tools into the governed agent loop.

Workflow

Directed graph of steps with conditionals. Orchestrates multiple tools and skills in sequence.

App

Full application with UI surface. Runs inside the workspace with its own window and state.

Provider

AI model backend. Anthropic, OpenAI, Ollama, or any LLM. Swappable without changing governance.

CLI

Command-line interface binary. Runs locally with the same manifest and permission model.

Standards

Shared schemas, protocols, and contracts. The rules everything else agrees to follow.

Ecosystem

What OpenTool Enables

Products built on OpenTool inherit its governance guarantees.

◈

> tool_os

The browser-based governed workspace. Desktop environment, window manager, AI chat, file system — all running through the OpenTool event loop.

app.opentool.io →

⚙

toolos_server

Headless runtime for autonomous agent tasks. Same governance, no UI. Deploy agents in production with full audit trails. Coming soon.

Coming soon

Your product here

OpenTool is open. Build your own governed agent runtime, IDE plugin, CLI tool, or enterprise platform on the same foundation.

View on GitHub →

The foundation is open. Build on it.

OpenTool is Apache-2.0 licensed. Star the repo, read the docs, explore the architecture.

Star on GitHub Read the Docs View Architecture