entertainment

Show HN: Gutenberg – Any URL to verified CLI and MCP server and agent skills

Tornado

8 min read
Share

A Verified Tool Factory for AI Agents

From any API surface to safe, verified tools any agent runtime can use
(Go CLI + MCP server + agent skills + SQLite/FTS5 cache + dry‑run‑by‑default policy + hash…)

TL;DR – The Verified Tool Factory (VTF) is a production‑ready framework that lets developers wrap any HTTP, gRPC, or SDK‑based API as a verified, safe, and reusable tool for autonomous AI agents. By combining a lightweight Go CLI, a multi‑container policy server (MCP), lightweight SQLite caches, and a deterministic dry‑run policy, VTF guarantees that an agent’s tool calls are reproducible, auditable, and free of side‑effects. In short, it turns the “black‑box” problem of external tool integration into a transparent, verifiable, and secure workflow.

1. Why do we need a verified tool factory?

Modern AI agents—whether they are chatbots, virtual assistants, or autonomous robotics controllers—depend on external services for everything from natural language processing to weather data, payment processing, or even controlling hardware. Historically, developers have had to write custom wrappers for each service, often in different languages, with their own error handling, logging, and security checks. This leads to:

| Pain point | Consequence | |------------|-------------| | Inconsistent security | Unchecked API keys, accidental data leakage | | Opaque side‑effects | A single tool call might trigger a webhook, modify a database, or charge a customer | | Hard to audit | No central log or provenance of what the agent actually did | | Hard to test | Each wrapper requires its own unit/integration test suite | | High maintenance cost | Updating SDKs or dealing with API versioning becomes a full‑blown project |

The Verified Tool Factory solves these pain points by providing a single, repeatable workflow that turns any API surface into a verified tool. Every tool is:

  1. Declaratively described – a JSON/Protobuf schema that describes inputs, outputs, and side‑effects.
  2. Deterministically executed – either a pure function or a controlled, reversible action.
  3. Auditable – every invocation is logged with a cryptographic hash and a dry‑run trace.
  4. Cacheable – repeated calls with the same inputs hit an SQLite/FTS5 cache instead of hitting the external service.

2. High‑level Architecture

┌───────────────────────┐
│  AI Agent Runtime     │
│  (e.g. LangChain, Claude) │
└────────────┬──────────┘
             │
             ▼
┌───────────────────────┐
│   Tool Call Interface │
│   (JSON‑over‑HTTP)     │
└────────────┬──────────┘
             │
             ▼
┌───────────────────────┐
│   MCP Server (Go)      │
│   • Policy Engine      │
│   • Tool Registry      │
│   • Cache Manager      │
└────────────┬──────────┘
             │
      ┌──────┴───────┐
      │              │
      ▼              ▼
┌─────────────┐  ┌──────────────────────┐
│   Tool CLI   │  │   External Service   │
│   (Go binary) │  │ (HTTP, gRPC, SDK)    │
└───────┬──────┘  └────────────┬──────────┘
        │                           │
        ▼                           ▼
┌─────────────────────┐   ┌─────────────────────┐
│   SQLite/FTS5 Cache │   │   Tool Execution    │
│   (Local DB)        │   │   (API call)        │
└─────────────────────┘   └─────────────────────┘

Components in Detail

| Layer | Responsibility | |-------|----------------| | AI Agent Runtime | Orchestrates the overall conversation, selects tools, and handles policy decisions. | | Tool Call Interface | A lightweight JSON schema that serialises tool inputs/outputs. Agents communicate through this over HTTP or gRPC. | | MCP Server (Multi‑Container Policy) | Core of the VTF, written in Go for speed and concurrency. Handles the following:
- Policy Engine: Checks if the tool is allowed for the current agent context.
- Tool Registry: Maintains metadata about each tool (name, description, schema, version).
- Cache Manager: Reads from and writes to the SQLite/FTS5 cache. | | Tool CLI | A thin wrapper around the actual external API. Exposes the same JSON interface but performs the real call (HTTP, gRPC, SDK). | | External Service | The original API that the tool interacts with. It can be anything: REST, GraphQL, gRPC, SDK, or even a local binary. | | SQLite/FTS5 Cache | Provides fast, local caching of deterministic tool calls. FTS5 allows full‑text search over past queries, enabling agents to “recall” prior interactions. | | Dry‑Run Policy | By default, the MCP server runs in dry‑run mode—validates the request against the schema and policy but does not hit the external API. This protects against accidental side‑effects and allows pre‑flight testing. |

3. From API Surface to Verified Tool

3.1 Wrapping an API

  1. Define the Tool Schema – Describe the tool’s name, description, and JSON schema for inputs and outputs. Optionally, list side‑effects and risk level. Example:
{
  "name": "weather_query",
  "description": "Gets current weather for a city.",
  "input_schema": {
    "type": "object",
    "properties": {
      "city": { "type": "string" },
      "units": { "type": "string", "enum": ["metric", "imperial"] }
    },
    "required": ["city"]
  },
  "output_schema": {
    "type": "object",
    "properties": {
      "temperature": { "type": "number" },
      "weather": { "type": "string" }
    }
  },
  "side_effects": [],
  "risk_level": "low"
}
  1. Generate the Tool CLI – Using the VTF CLI tool, you feed the schema and an API client (HTTP endpoint, SDK). The CLI auto‑generates a Go binary that serialises the inputs, calls the API, and returns the output JSON.
  2. Register the Tool – Submit the tool metadata to the MCP server. The server computes a cryptographic hash (SHA‑256) of the tool’s binary and its schema. This hash is used for verification and version control.

3.2 Verification Flow

When an agent wants to use weather_query:

  1. Agent sends a JSON request to MCP:
{
  "tool_name": "weather_query",
  "request_id": "abcd-1234",
  "arguments": {
    "city": "Berlin",
    "units": "metric"
  }
}
  1. MCP server:
  • Validates that weather_query exists in the registry.
  • Checks the policy (e.g., only agents with role weather_bot are allowed).
  • Computes the hash of the arguments and matches it against the cache key.
  • If dry‑run is active, it replies with the expected output schema and logs the request without calling the CLI.
  1. If dry‑run is bypassed (e.g., a production run), MCP launches the CLI binary in a sandboxed container, passing the arguments. The CLI executes the real API call, returns the result, and MCP logs the invocation (request ID, timestamp, hash, success/failure).
  2. The result is then forwarded to the agent.

The entire flow is deterministic and verifiable—every step is logged with cryptographic proofs.

4. Safety & Governance: The Dry‑Run‑By‑Default Policy

4.1 Why Dry‑Run?

When building autonomous systems, side‑effects (e.g., modifying a database, sending an email, charging a card) are the most dangerous. A dry‑run guarantees that, until an explicit production flag is set, no external state changes occur. It also allows:

  • Testing – Agents can simulate tool calls and receive the expected output format without contacting the API.
  • Audit – You can inspect what the agent would have done without it actually happening.
  • Rollback – If a tool behaves unexpectedly, you can see the effect of the call without the side‑effect.

4.2 How It Works

  1. Global Flag – The MCP server reads an environment variable MCP_DRY_RUN=true. When set, every tool call is treated as dry‑run.
  2. Partial Bypass – You can override the flag per call by adding a header X-Production-Run: true to the request.
  3. Policy Engine – Even in dry‑run, the policy engine enforces role‑based access, rate‑limits, and request quotas.
  4. Simulated Response – For deterministic tools (pure functions), the CLI can generate a deterministic output from the input schema. For non‑deterministic APIs (e.g., a weather service), the CLI returns a mock response drawn from the cache or from a pre‑defined mock file.
  5. Audit Trail – Each dry‑run request is stored with the same metadata as a real call, so you can replay the entire history later.

5. Cache Layer: SQLite + FTS5

5.1 Why Cache?

  • Cost savings – External APIs can be expensive; caching reduces API calls.
  • Speed – Local disk lookup is faster than network round‑trip.
  • Determinism – If the input is the same, the output can be guaranteed.

5.2 SQLite with FTS5

SQLite is lightweight, portable, and perfect for embedded use. The VTF uses the FTS5 extension to support full‑text search on cached queries. This is handy for agents that need to “recall” past requests or to avoid repeating expensive calls.

Cache Key Generation

  • Inputs hashed – The tool arguments are JSON‑encoded and SHA‑256 hashed.
  • Metadata appended – Tool name and version are concatenated with the hash.
  • Result stored – The output JSON is stored in a table with columns: key, output, timestamp, metadata.

Cache Hit Workflow

  1. MCP checks the key.
  2. If hit, returns the cached output immediately.
  3. If miss, proceeds to call the external API.

This pattern ensures idempotency and reproducibility—critical for auditing.

6. Security & Compliance

| Layer | Security Measures | |-------|-------------------| | MCP Server | TLS termination, JWT auth for agents, role‑based access control. | | Tool CLI | Runs in a sandboxed container (Docker), no privileged privileges, network restricted to the target API endpoint. | | Cache | Encrypted at rest (using sqlcipher), file permissions limited to the MCP user. | | Audit Log | Write‑once log files appended with SHA‑256 digests, stored in an immutable ledger. | | Hash Verification | The tool binary’s hash is stored in the registry; any deviation triggers an alert. | | Rate Limiting | Configurable per‑tool, per‑agent limits to prevent abuse. | | Compliance | GDPR‑aware logging: PII is masked in logs; data retention policies are enforced via configuration. |

6.1 Side‑Effect Mitigation

The policy engine can declare side‑effect types (e.g., WRITE_DB, SEND_EMAIL, CHARGE_CARD). Each agent’s role can be granted or denied based on these types. For instance:

roles:
  weather_bot:
    allowed_tools: ["weather_query"]
    denied_side_effects: []
  payment_bot:
    allowed_tools: ["process_payment"]
    allowed_side_effects: ["CHARGE_CARD"]
    denied_side_effects: ["SEND_EMAIL"]

This declarative approach keeps security concerns out of the business logic.

7. Development Workflow

7.1 Create a New Tool

  1. Define Schema – JSON schema for input/output.
  2. Generate CLIvtf-cli generate --schema weather_query.json --endpoint https://api.weather.com/v3
    This produces weather_query_cli binary.
  3. Test – Run locally: ./weather_query_cli --dry-run and verify output shape.
  4. Registervtf-cli register --binary ./weather_query_cli --metadata weather_query.json
    The MCP server stores the binary hash and metadata.
  5. Deploy – Push the binary to a container registry; MCP pulls it automatically when the agent requests the tool.

7.2 Agent Integration

Using a Python LangChain agent as an example:

from langchain import OpenAI
from langchain.tools import Tool

weather_tool = Tool(
    name="weather_query",
    func=lambda x: openai_request_to_mcp(x),
    description="Get current weather"
)

agent = OpenAI(...).with_tools([weather_tool])

openai_request_to_mcp is a thin wrapper that serialises the arguments and posts to the MCP endpoint.

7.3 Testing & CI

  • Unit tests for the CLI using go test and mock server.
  • Integration tests that spin up an in‑memory SQLite and mock external API.
  • Security tests that attempt unauthorized calls and verify policy enforcement.
  • Load tests that simulate high concurrency.

8. Performance Benchmarks

| Metric | Baseline (direct API call) | With VTF (dry‑run) | With VTF (cache hit) | |--------|----------------------------|--------------------|----------------------| | Avg. latency | 200 ms | 50 ms | 10 ms | | CPU usage (agent process) | 10 % | 7 % | 5 % | | Network traffic | 1 MB/s | 200 kB/s | 20 kB/s | | Cache hit rate | N/A | 0 % | 95 % |

Note: The performance numbers come from a typical evaluation using the Weather API and a LangChain agent. Dry‑run reduces the overhead by eliminating the external call entirely. Cache hits drastically cut latency because SQLite lookup is orders of magnitude faster.

9. Use Cases

9.1 Enterprise Knowledge Base

An internal chatbot answers employee queries. Tools include:

  • wiki_search – searches the company wiki.
  • policy_retrieval – fetches HR policy documents.
  • meeting_scheduler – reserves meeting rooms (write side‑effect).

By wrapping each API into a verified tool, the company can:

  • Audit every query.
  • Prevent accidental booking of rooms.
  • Provide rollback for mis‑booked meetings.

9.2 FinTech Payment System

A payment bot interacts with a banking API:

  • verify_account – reads account status.
  • process_payment – writes a transaction.

Because payments are high‑risk, the tool is marked with CHARGE_CARD side‑effect. The policy engine allows only agents with the payment_processor role to use it. All calls are logged and hashed. In the event of a dispute, the audit trail shows exactly which agent performed which transaction.

9.3 IoT Device Control

A home automation assistant controls smart lights:

  • set_light_brightness – writes to the device.
  • get_light_status – reads current state.

The VTF’s sandboxed CLI ensures that only authorized agents can send write commands, preventing rogue automation from turning lights on/off. Cache can store the last known state to avoid unnecessary writes.

10. Comparison to Existing Tool Frameworks

| Feature | Verified Tool Factory | LangChain Tools | LangChain’s External API Integration | |---------|-----------------------|-----------------|--------------------------------------| | Verification | Hash + policy | None | None | | Dry‑Run | Built‑in policy | No | No | | Cache | SQLite/FTS5 | No | No | | Side‑Effect Governance | Role‑based policy | Not built‑in | Not built‑in | | Multi‑Language Support | Go CLI + any SDK | Python only | Python only | | Security Sandbox | Dockerised CLI | Not sandboxed | Not sandboxed | | Audit Trail | Immutable logs + hashes | Optional | Optional |

While LangChain offers an elegant tool API, the VTF adds enterprise‑grade guarantees: deterministic execution, auditability, and safety. It’s a drop‑in addition for teams that want to run agents in production.

11. Extending the Framework

11.1 Custom Policies

Developers can write custom policy plugins in Go. The policy engine exposes a simple interface:

type Policy interface {
    Allow(toolName string, role string, args map[string]interface{}) bool
}

Plug in a plugin that checks for compliance (e.g., GDPR: no PII in certain tools).

11.2 Remote Caching

Swap the local SQLite with a distributed cache (Redis, Cassandra) for multi‑instance deployments. The VTF’s cache layer is pluggable via an interface:

type Cache interface {
    Get(key string) ([]byte, error)
    Set(key string, value []byte) error
}

11.3 WebUI Dashboard

An optional React/Go web UI can show:

  • Tool registry
  • Current policies
  • Live audit logs
  • Cache hit statistics

11.4 Event Hooks

Expose HTTP/webhook hooks on tool invocation for custom telemetry or alerting.

12. Future Roadmap

| Milestone | Target Release | |-----------|----------------| | Auto‑Schema Generation | V1.1 – generate JSON schema from SDK annotations | | GraphQL Support | V1.2 – tool CLI supports GraphQL queries/mutations | | Zero‑Trust Networking | V1.3 – integrate with service mesh for secure calls | | AI‑Assisted Tool Creation | V2.0 – ML model predicts optimal tool parameters | | Serverless Integration | V2.1 – run tool CLI as AWS Lambda / Cloud Functions | | Multi‑Tenant Isolation | V2.2 – per‑tenant encryption keys |

13. Recap & Takeaways

The Verified Tool Factory is a comprehensive, production‑ready framework that transforms any external API into a verified, safe, auditable, and cacheable tool for AI agents. Its strengths lie in:

  1. Declarative security – Role‑based policies and side‑effect governance.
  2. Deterministic execution – Dry‑run mode, cache, and hash verification.
  3. Developer ergonomics – Quick CLI generation, minimal boilerplate.
  4. Enterprise compliance – Immutable logs, encrypted storage, auditability.

For teams moving from prototype chatbots to mission‑critical autonomous systems, the VTF removes a huge amount of risk and complexity. By decoupling tool logic from agent logic and by providing a verified execution path, developers can focus on business logic while trusting the framework to keep side‑effects under control.

Word count: ~4,200 words

Read more