Definition
Tool registry
A tool registry is the single, authoritative catalog of the actions an AI agent may call, with each tool's name, typed arguments, and risk classification declared in one place. It is the source of truth a governance broker consults to decide whether a call is safe to run or must be gated — so capability and destructiveness are properties of the registry, not scattered per-caller decisions.
Key takeaways
- A tool registry is the authoritative catalog of agent actions, each with typed arguments and a risk classification.
- It is the source of truth a governance broker reads to decide whether a call runs inline or must be gated.
- Centralizing it closes governance gaps — adding a tool with the right flag protects every entry point at once.
- Planoda derives the propose/approve destructive flag from one registry and clamps agent skills to its real tool names.
Agents act through tools, and the moment a system has more than a handful of them, the question 'which of these can change or delete data?' needs one answer, not many. A tool registry provides it: every tool is registered once with its schema and a destructive/safe flag, and every surface that exposes the agent — internal runtime, MCP server, scheduled runs — reads its policy from that catalog rather than re-deciding locally. One definition, enforced everywhere.
Centralizing the registry closes a whole class of governance gaps. If a new destructive tool is added but one entry point forgets to gate it, the agent has an unguarded path to damage. When the gate is derived from a shared registry, adding a tool with the correct flag protects every path at once, and an audit can verify coverage by reading a single list.
In Planoda the tool registry is the single source of truth for the `destructive` flag the propose/approve broker enforces, and skill distillation clamps an agent's allowed tools to names that actually exist in it — so the catalog defines both what an agent can do and what it must ask permission for.
Related terms
- Agent broker (propose/approve broker)An agent broker is the runtime component that sits between an AI agent and the actions it wants to take, deciding per call whether to execute inline, require human approval, or refuse. It is where propose/approve governance is actually enforced — the gate is code in the request path, not a guideline in a prompt — so an agent literally cannot run a destructive tool without passing through it.
- Propose / Approve (AI Governance)Propose/approve is a governance pattern for autonomous software: instead of executing a consequential action directly, an AI agent emits it as a proposal that a human or policy must approve before it runs. It keeps fast, read-only work autonomous while gating destructive or irreversible operations — the practical way to give agents real power without surrendering control.
- Destructive action gatingDestructive action gating is the practice of classifying agent actions by reversibility and requiring explicit approval for the irreversible ones — delete, bulk-archive, bulk-update, external sends — while letting safe, read-mostly actions run freely. It is the operational core of agent governance: the boundary is drawn around the action, so no amount of clever prompting lets an agent quietly do something it can't undo.
- Tool CallingTool calling is the capability that lets a language model invoke external functions — query a database, search the web, create a record — by emitting a structured request the surrounding system executes. Instead of only producing text, the model can take actions and pull in live data, turning it from a text generator into the reasoning core of an agent.
- Agent governanceAgent governance is the set of controls that make an AI agent's actions safe, attributable, and reviewable: human approval gates on consequential actions, an immutable audit trail of who approved what, role-based capability limits, and spend controls. It is the difference between an agent that suggests and one you can trust to act.