Day 2 · Lesson 1 — Agent Tools & MCP
Without them, even the best model is just a pattern predictor.
Day 1 built the system around the model. Day 2 is about how the agent actually touches the world. It starts with the simplest, most consequential component: the tool. A model alone can reason; it cannot know anything new or do anything at all. Tools are what change that.
From Day 1, Lesson 2: an agent's tools are one part of its —
The harness. Tools were component 2 of six, and Day 2 zooms all the way into that component: what a good tool is, and how it goes wrong.
On its own a foundation model is a pattern-prediction engine: it can't fetch new data, reach an external system, or act on its environment. Tools are its eyes and hands.1 Every tool does exactly one of two things:
TO KNOW retrieve data the model lacks (weather, a DB row, a document)
TO DO take an action in the world (send email, run code, create a ticket)
And a tool is fundamentally a contract between the model and the world: a clear name, typed parameters, and a natural-language description of what it's for. That description is instructions the model reads to decide when and how to call it, not documentation for you.1
name: get_stock_price
description: "Get the price for a ticker. If 'date' is given, return that
day's close; otherwise the latest price."
input: { symbol* : string, date : "YYYY-MM-DD" }
output: { price : number, date : string }
Change the description and you change the model's behaviour without touching a line of code. The contract is the interface.
There's also a useful way to classify any tool by what it enables, a taxonomy worth memorising because risk tracks it:1
| Category | What it does | Risk |
|---|---|---|
| Information Retrieval | Fetch data: search, DB, documents | Lower (reads) |
| Action / Execution | Send email, run code, control devices | Higher (writes/acts) |
| System / API Integration | Connect to enterprise systems, third parties | Higher (reach) |
| Human-in-the-Loop | Ask for clarification or approval | A control, not a risk |
Tools are the harness's hands (L2, component 2). But notice a second thread: every tool's name, description, and schema live in the context window. They are context (L4), and tokens you pay for on every call. Hold that; it becomes the "context bloat" problem when MCP lets you connect dozens of servers (D2·4).
The taxonomy is a risk map. Action/Execution and
System/API tools are the "sensitive sinks" that VERDICT's V
Validation must gate and E Evidence must log; Human-in-the-Loop
tools are the built-in V approval control. Even tool naming is
governance: the paper prefers create_critical_bug_in_jira over update_jira
precisely because "if tool calls are logged, clear names make audit logs informative."1
Audit-legible names are an E Evidence decision made at design time.
Ladder read: knowing which tools each agent holds, and that they're all approved, is the L1→L2 step (an inventory). Enforcing an approved-tool catalogue with per-agent identity is L3 Controlled. The whole rest of Day 2 is about what goes wrong when tools arrive ungoverned.
Name every tool for the action it performs, human-readably, and classify it by the taxonomy before you ship it, so you know at a glance whether it merely reads or actually acts.
Keep a shared, reviewed tool catalogue with a naming convention everyone follows. A tool is an interface many agents call, so treat its contract like any versioned API.
Run an Agent Registry: a single catalogue of approved tools + per-agent identity, so no agent can reach a tool nobody vetted. (Your "no unregistered agents" rule, at the tool layer, VERDICT's I Identity.)
Recall, don't re-read.
Every tool does one of two things for the model —
Know (retrieve data it lacks) or do (act on the world). Everything else about a tool is detail around those two jobs.
A sub-agent invoked as a tool by a primary agent is —
An agent tool: the primary agent keeps control and processes the sub-agent's output, rather than handing off the whole conversation. A2A extends this to remote agents.
Naming a tool create_critical_bug_in_jira over update_jira most helps —
Two wins: the model picks the right tool more reliably, and logged calls read clearly in the audit trail, a governance (Evidence) decision baked into the name.
Look at one tool your agents call. Ask two questions: does its description tell the model exactly when to use it? and which taxonomy box is it in: does it merely read, or does it act? If it acts, it needs a gate. That instinct is the whole of Day 2 in miniature.
The MCP introduction and the Google ADK tools docs are the canonical, hands-on references for defining tools well.
Up next → Day 2 · Lesson 2: Designing Tools the Model Can Use. The handful of design rules (describe actions not APIs, publish tasks not endpoints, stay granular, validate, write errors the model can act on) that separate a tool an agent uses correctly from one it fumbles.
Related: Glossary · ← Day 1 L2: The Harness · The Governance Layer · Course home