A tool is not just power. It is power with a contract.
From the Daily trail
Agent Tool Menus Are Becoming Runtime Infrastructure: Directly tracks tool menus turning into stateful runtime surfaces.
Agent Runtimes Are Learning to Audit Their Own Tools: Shows tool surfaces being checked, measured, and explained.
Action is mediated
A serious tool-using agent does not touch the world directly. It asks through interfaces. Shell commands, file edits, web fetches, browser actions, API calls, MCP servers, patch tools, search tools, and app connectors are affordances with names and rules.
That mediation is the difference between a model that can imagine an action and an agent that can take one. It is also where risk enters. A tool can reveal too much, write too much, run too much, or describe itself so poorly that the model uses it wrong.
Tool menus are becoming runtime infrastructure
The MCP tools spec describes discovery, invocation, structured results, list-changed notifications, and security expectations around human confirmation. OpenAI's Agents SDK exposes tool and MCP configuration as first-class agent fields. The Daily Edition has watched agent repos harden tool menus, audit tool behavior, and turn tool selection into a stateful runtime problem.
This chapter should make readers feel the difference between a demo and a system. A demo says the agent can call a tool. A system answers harder questions: who exposed the tool, what schema did the model see, what inputs were validated, what output returned, and what did the human approve?
The hand leaves fingerprints
Good agents leave tool receipts. The user can see which operation was attempted, with what scope, under which permission profile, and why it mattered. Bad agents blur the line between thought and action until the human has to inspect damage after the fact.
The frontier is not only more tools. It is clearer tool contracts, better tool documentation, safer execution paths, and visible evidence that lets a human distinguish intention from action.