Skip to main content

Behavior profiles & granting tools

A behavior profile is an agent's approved operating envelope โ€” the explicit allowlist of tools it may see and call. It is the heart of AGP's deny-by-default model: an empty profile means the agent can invoke nothing.

agp setup creates one profile per agent named <agent>.local.default, active but with zero business tools. This page is how you populate it.

The fail-closed ruleโ€‹

An agent can only see and call tools explicitly listed in its behavior profile. A tool that isn't granted does not exist from the agent's perspective โ€” it can't be listed, planned with, or invoked.

This is enforced at the proxy, on every call. It is not a prompt the agent can argue with. See How tool visibility works for what the agent actually sees.

Grant toolsโ€‹

Tools must already be in the catalog (Govern your first MCP server). Grant by their fully-qualified names:

agp behavior-profile grant-tools \
--behavior-profile-id my-agent.local.default \
--tools car-db-ops__list-reservations,car-db-ops__read-reservation \
--reason "read-only access for the reservations demo"

The --reason is recorded in the audit trail โ€” every change to an envelope is attributable.

In the console, the same thing lives under Behavior Profiles โ†’ <profile>, where you check the tools to grant.

Revoke toolsโ€‹

agp behavior-profile revoke-tools \
--behavior-profile-id my-agent.local.default \
--tools car-db-ops__read-reservation \
--reason "no longer needed"

Inspect a profileโ€‹

agp behavior-profile get --behavior-profile-id my-agent.local.default
agp behavior-profile list --agent-id my-agent
agp behavior-profile list-events --behavior-profile-id my-agent.local.default

get shows the current allowed_tools; list-events shows the full grant/revoke/lifecycle history.

Profile lifecycleโ€‹

Profiles have a status, and only an active profile grants access:

CommandEffect
create --file <json>Create a profile from a payload.
approve --behavior-profile-id <id>Approve a newly-created profile.
activate --behavior-profile-id <id>Reactivate a suspended profile.
suspend --behavior-profile-id <id>Freeze access without deleting the profile.
retire --behavior-profile-id <id>Permanently end-of-life a profile.

Each lifecycle command takes --actor and --reason for the audit record. Example โ€” pause an agent during an investigation, then restore it:

agp behavior-profile suspend --behavior-profile-id my-agent.local.default --actor admin --reason "investigating anomaly"
agp behavior-profile activate --behavior-profile-id my-agent.local.default --actor admin --reason "cleared"

A good first grantโ€‹

Start read-only. Reads flow without approval, so you'll see tools working immediately while destructive operations stay held for you:

agp behavior-profile grant-tools \
--behavior-profile-id my-agent.local.default \
--tools car-db-ops__list-reservations,car-db-ops__read-reservation \
--reason "start read-only, add writes later"

Then, in your client, ask the agent to list reservations and watch the call land in the console's Activity feed.

Nextโ€‹

How tool visibility works โ†’ ยท The approval workflow โ†’