Guides

Classify Tools And Side Effects

Mark tool risk so replay can avoid unsafe behavior and explain fixture dependence.

Tool side-effect classes tell replay and analysts how dangerous it would be to execute or substitute a tool. The value should be set before execution.

Side-Effect Classes

ClassUse for
nonePure computation, formatting, local deterministic transforms.
readDatabase reads, search, retrieval, file reads, HTTP GETs.
writeLocal file writes, cache updates, internal database mutation.
external_mutationSending email, deploying, deleting, purchasing, billing, public API mutation.
unknownAnything not classified. Treat conservatively.

Set It Explicitly

await client.startToolExecution({
  toolName: "send_refund_email",
  args,
  sideEffectClass: "external_mutation",
});

Runtime adapters can infer from tool names, but inference is a fallback. Important tools need explicit classification.

Policy Implications

Side-effect classRecommended replay policy
noneRecorded-only or simulated may be acceptable.
readpause-for-fixture by default; live-readonly only with executor and time-drift awareness.
writeFixture or blocked unless you are in an isolated sandbox.
external_mutationBlock or fixture. Do not live replay in RCA.
unknownTreat like side-effecting until proven otherwise.

Tool Wrapper Checklist

  • Capture proposal before execution.
  • Capture execution start before calling the tool.
  • Capture output or error in all paths.
  • Set sideEffectClass.
  • Store args and results as artifacts for hashing.
  • Add schema version when the tool contract can change.
  • Include implementation version for tools whose behavior changes over time.

On this page