01What does an agent see when it asks what tools exist?
Discovery is scoped: the registry returns only the tools THIS tenant, user, and agent may invoke — the minimum toolset for the task, each as a versioned manifest with typed input and output schemas, risk tier, and owner. A tool the caller lacks a grant for is invisible, not merely denied.
02Whose permissions apply when the agent writes to the CRM?
The user’s: the agent acts AS the user, carrying a short-lived token minted per user per connector from a vault the model never sees — the downstream tool enforces the user’s own permissions, and no shared god-token exists anywhere.
03Is deleting a record the same kind of call as reading one?
No — every tool carries a risk tier: reads execute freely, writes need a confirmed intent with an idempotency key, and destructive or financial actions park in a human approval queue; a timeout defaults to deny, never to allow.
04A tool owner changes their schema — what happens to running agents?
Manifests are immutable per version: a schema, scope, risk-tier, or even description change publishes a new version that passes review and re-consent when the permission surface grows, while running agents keep resolving the version they pinned.
05Where does third-party tool code actually run?
Untrusted third-party connectors execute inside per-connector sandboxes with their own scoped credentials and per-agent rate and cost limits — a hostile server can lie in its results but cannot reach other tools, other tenants, or anyone else’s tokens.
06Can we prove what an agent did three weeks ago?
Every invocation writes an append-only audit event — who (user and agent), what (tool, version, argument and result digests), the policy and approval decisions, latency, and outcome — redacted at write time so the trail itself cannot leak.