@botbotgo/agent-harness 0.0.187 → 0.0.189

package/README.md

@@ -217,6 +217,25 @@ Real products need a runtime that can answer harder questions:
 - It lets YAML own assembly and operating policy while code keeps a small, stable surface
 - It goes deep on runtime concerns that upstream libraries do not fully productize
 
+## What To Sell First
+
+The product story should stay scenario-shaped instead of drifting back to a generic "multi-agent runtime" pitch.
+
+- Enterprise internal agent runtime: approvals, restart-safe recovery, operator evidence, and policy-owned MCP access.
+- Code modernization runtime: long-running coding flows, approval checkpoints, resumable runs, and exported evidence packages.
+- Protocol bridge runtime: ACP, A2A, AG-UI, and runtime MCP on one stable control plane instead of bespoke per-surface glue.
+
+Typical runtime governance defaults now look like:
+
+```yaml
+governance:
+  remoteMcp:
+    denyTrustTiers: ["untrusted"]
+    denyTenantScopes: ["cross-tenant"]
+    denyPromptInjectionRisks: ["high"]
+    requireApprovalTransports: ["websocket"]
+```
+
 ## When To Use It
 
 Use `agent-harness` when:
@@ -953,10 +972,12 @@ ACP transport notes:
 
 - `serveAcpStdio(runtime)` exposes newline-delimited JSON-RPC over stdio for local IDE, CLI, or subprocess clients.
 - `serveAcpHttp(runtime)` exposes JSON-RPC over HTTP plus SSE runtime events so remote operator surfaces can connect without importing the runtime in-process.
-- `serveA2aHttp(runtime)` exposes a minimal A2A-compatible HTTP JSON-RPC bridge plus agent card discovery, mapping `message/send`, `tasks/get`, and `tasks/cancel` onto the existing session/request runtime surface.
+- `serveA2aHttp(runtime)` exposes an A2A-compatible HTTP JSON-RPC bridge plus agent card discovery, mapping both existing methods such as `message/send` and newer aliases such as `SendMessage`, `GetTask`, `ListTasks`, `CancelTask`, and `SubscribeToTask` onto the existing session/request runtime surface.
 - `serveAgUiHttp(runtime)` exposes an AG-UI-compatible HTTP SSE bridge that projects runtime lifecycle, text output, upstream thinking, step progress, and tool calls onto `RUN_*`, `TEXT_MESSAGE_*`, `THINKING_TEXT_MESSAGE_*`, `STEP_*`, and `TOOL_CALL_*` events for UI clients.
 - `createRuntimeMcpServer(runtime)` and `serveRuntimeMcpOverStdio(runtime)` expose the persisted runtime control surface itself as MCP tools, including sessions, requests, approvals, artifacts, events, and package export helpers.
 - `listRequestEvents(...)` and `exportRequestPackage(...)` are the request-first inspection helpers.
 - `exportRequestPackage(...)` and `exportSessionPackage(...)` package stable runtime records, transcript, approvals, events, and artifacts for operator tooling without reaching into persistence internals.
-- `runtime/default.governance.remoteMcp` can now deny or allow specific MCP servers, raise approval requirements by transport, and stamp transport-based risk tiers into runtime governance bundles.
+- `runtime/default.governance.remoteMcp` can now deny or allow specific MCP servers, raise approval requirements by transport, and stamp transport-based risk tiers into runtime governance bundles. MCP server catalogs can also declare trust tier, access mode, tenant scope, approval policy, prompt-injection risk, and OAuth scope metadata so governance bundles capture why one remote tool is treated as high-risk.
+- `runtime/default.observability.tracing` can now describe exporter metadata such as OTLP endpoints and propagation mode, so frozen runtime snapshots keep trace-correlation plus operator-visible export context without exposing backend-private span internals.
+- `agent-harness runtime health`, `agent-harness runtime approvals list|watch`, and `agent-harness runtime runs list|tail` provide a thin operator CLI over persisted runtime health, approval queues, and active run state.
 - detailed A2A adapter guidance lives in [`docs/a2a-bridge.md`](docs/a2a-bridge.md)

package/README.zh.md

@@ -214,6 +214,25 @@ AI 让 agent 逻辑、工具调用和工作流代码更容易生成，真正更
 - 复杂装配与运行策略交给 YAML，代码面保持小而稳
 - 在上游库未充分产品化的运行时问题上做深做透
 
+## 先卖哪三类场景
+
+产品叙事应该保持场景化，不要再漂回“通用 multi-agent runtime”。
+
+- 企业内部 agent 运行时：审批、重启恢复、operator 证据链，以及由策略持有的 MCP 访问控制。
+- 代码现代化运行时：长链路 coding flow、审批检查点、可恢复 runs，以及可导出的运行证据包。
+- 协议桥接运行时：ACP、A2A、AG-UI 与 runtime MCP 共用一套稳定控制面，而不是每个对外接面各写一层胶水。
+
+现在推荐的 runtime 治理默认值大致是：
+
+```yaml
+governance:
+  remoteMcp:
+    denyTrustTiers: ["untrusted"]
+    denyTenantScopes: ["cross-tenant"]
+    denyPromptInjectionRisks: ["high"]
+    requireApprovalTransports: ["websocket"]
+```
+
 ## 什么时候该用
 
 下面这些场景适合用 `agent-harness`：
@@ -912,10 +931,12 @@ ACP transport 说明：
 
 - `serveAcpStdio(runtime)` 提供基于 stdio 的 newline-delimited JSON-RPC，适合本地 IDE、CLI 或子进程客户端。
 - `serveAcpHttp(runtime)` 提供基于 HTTP 的 JSON-RPC 与 SSE runtime events，适合远程 operator surface 或独立控制面接入。
-- `serveA2aHttp(runtime)` 提供最小可用的 A2A HTTP JSON-RPC bridge 与 agent card discovery，把 `message/send`、`tasks/get`、`tasks/cancel` 映射到现有 session/request runtime surface。
+- `serveA2aHttp(runtime)` 提供 A2A HTTP JSON-RPC bridge 与 agent card discovery，同时兼容 `message/send` 这类旧方法，以及 `SendMessage`、`GetTask`、`ListTasks`、`CancelTask`、`SubscribeToTask` 这类更新的方法别名，并统一映射到现有 session/request runtime surface。
 - `serveAgUiHttp(runtime)` 提供 AG-UI HTTP SSE bridge，把 runtime 生命周期、文本输出、upstream thinking、step 进度与 tool call 投影成 `RUN_*`、`TEXT_MESSAGE_*`、`THINKING_TEXT_MESSAGE_*`、`STEP_*` 与 `TOOL_CALL_*` 事件，便于 UI 客户端直接接入。
 - `createRuntimeMcpServer(runtime)` 与 `serveRuntimeMcpOverStdio(runtime)` 会把持久化 runtime 控制面本身暴露成 MCP tools，包括 sessions、requests、approvals、artifacts、events 与 package export helpers。
 - `listRequestEvents(...)` 与 `exportRequestPackage(...)` 是 request-first 的检查 helper。
 - `exportRequestPackage(...)` 与 `exportSessionPackage(...)` 可把稳定 runtime 记录、transcript、approvals、events 和 artifacts 打包给 operator tooling，而不必直接访问 persistence 内部实现。
-- `runtime/default.governance.remoteMcp` 现在可以按 MCP server 或 transport 做 allow/deny、审批升级，并把 transport 风险等级写进 runtime governance bundles。
+- `runtime/default.governance.remoteMcp` 现在可以按 MCP server 或 transport 做 allow/deny、审批升级，并把 transport 风险等级写进 runtime governance bundles。MCP server catalog 也可以声明 trust tier、access mode、tenant scope、approval policy、prompt-injection risk 与 OAuth scope 元数据，让治理快照能解释为什么某个远端工具被视为高风险。
+- `runtime/default.observability.tracing` 现在可描述 OTLP endpoint 和 propagation mode 这类 exporter 元数据，使冻结的 runtime snapshot 在保留 trace correlation 的同时，也能保留对 operator 有意义的导出上下文，而不暴露 backend 私有 span 细节。
+- `agent-harness runtime health`、`agent-harness runtime approvals list|watch` 与 `agent-harness runtime runs list|tail` 提供了一层轻量 operator CLI，可直接查看 runtime health、审批队列和运行状态。
 - 更详细的 A2A 适配层开发说明见 [`docs/a2a-bridge.md`](docs/a2a-bridge.md)

package/dist/cli.js

@@ -14,6 +14,11 @@ function renderUsage() {
   agent-harness acp serve [--workspace <path>] [--transport stdio|http] [--host <hostname>] [--port <port>]
   agent-harness a2a serve [--workspace <path>] [--host <hostname>] [--port <port>]
   agent-harness ag-ui serve [--workspace <path>] [--host <hostname>] [--port <port>]
+  agent-harness runtime health [--workspace <path>] [--json]
+  agent-harness runtime approvals list [--workspace <path>] [--status <pending|approved|edited|rejected|expired>] [--json]
+  agent-harness runtime approvals watch [--workspace <path>] [--status <pending|approved|edited|rejected|expired>] [--poll-ms <ms>] [--once] [--json]
+  agent-harness runtime runs list [--workspace <path>] [--agent <agentId>] [--thread <threadId>] [--state <state>] [--json]
+  agent-harness runtime runs tail [--workspace <path>] [--agent <agentId>] [--thread <threadId>] [--state <state>] [--poll-ms <ms>] [--once] [--json]
   agent-harness runtime-mcp serve [--workspace <path>]
 `;
 }
@@ -151,6 +156,152 @@ function parseHttpServeOptions(args, serviceLabel = "HTTP") {
     }
     return { workspaceRoot, hostname, port };
 }
+function parseRuntimeInspectOptions(args) {
+    let workspaceRoot;
+    let json = false;
+    let once = false;
+    let pollMs = 1000;
+    let status;
+    let state;
+    let agentId;
+    let threadId;
+    for (let index = 0; index < args.length; index += 1) {
+        const arg = args[index];
+        if (arg === "--workspace" || arg === "--status" || arg === "--state" || arg === "--agent" || arg === "--thread" || arg === "--poll-ms") {
+            const value = args[index + 1];
+            if (!value) {
+                return { json, once, pollMs, status, state, agentId, threadId, error: `Missing value for ${arg}` };
+            }
+            if (arg === "--workspace") {
+                workspaceRoot = value;
+            }
+            else if (arg === "--status") {
+                status = value;
+            }
+            else if (arg === "--state") {
+                state = value;
+            }
+            else if (arg === "--agent") {
+                agentId = value;
+            }
+            else if (arg === "--thread") {
+                threadId = value;
+            }
+            else {
+                const parsedPoll = Number.parseInt(value, 10);
+                if (!Number.isFinite(parsedPoll) || parsedPoll <= 0) {
+                    return { json, once, pollMs, status, state, agentId, threadId, error: `Invalid poll interval: ${value}` };
+                }
+                pollMs = parsedPoll;
+            }
+            index += 1;
+            continue;
+        }
+        if (arg === "--json") {
+            json = true;
+            continue;
+        }
+        if (arg === "--once") {
+            once = true;
+            continue;
+        }
+        return { workspaceRoot, json, once, pollMs, status, state, agentId, threadId, error: `Unknown option: ${arg}` };
+    }
+    return { workspaceRoot, json, once, pollMs, status, state, agentId, threadId };
+}
+function renderJson(value) {
+    return `${JSON.stringify(value, null, 2)}\n`;
+}
+function isObject(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function formatTimestamp(value) {
+    return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
+}
+function renderHealthSnapshot(snapshot, workspacePath) {
+    const lines = [];
+    const status = typeof snapshot.status === "string" ? snapshot.status : "unknown";
+    lines.push(`Runtime health ${workspacePath}: ${status}`);
+    const checks = isObject(snapshot.checks) ? snapshot.checks : {};
+    const checkEntries = Object.entries(checks)
+        .filter(([, value]) => isObject(value))
+        .map(([name, value]) => {
+        const check = value;
+        const reason = typeof check.reason === "string" && check.reason.trim().length > 0 ? ` (${check.reason})` : "";
+        return `  - ${name}: ${typeof check.status === "string" ? check.status : "unknown"}${reason}`;
+    });
+    if (checkEntries.length > 0) {
+        lines.push("Checks:");
+        lines.push(...checkEntries);
+    }
+    const stats = isObject(snapshot.stats) ? snapshot.stats : {};
+    const statEntries = [
+        ["activeRunSlots", stats.activeRunSlots],
+        ["pendingRunSlots", stats.pendingRunSlots],
+        ["pendingApprovals", stats.pendingApprovals],
+        ["stuckRuns", stats.stuckRuns],
+        ["llmSuccessRate1m", stats.llmSuccessRate1m],
+        ["llmP95LatencyMs1m", stats.llmP95LatencyMs1m],
+    ]
+        .filter(([, value]) => typeof value === "number")
+        .map(([name, value]) => `  - ${name}: ${value}`);
+    if (statEntries.length > 0) {
+        lines.push("Stats:");
+        lines.push(...statEntries);
+    }
+    const symptoms = Array.isArray(snapshot.symptoms) ? snapshot.symptoms.filter(isObject) : [];
+    if (symptoms.length > 0) {
+        lines.push("Symptoms:");
+        lines.push(...symptoms.map((symptom) => {
+            const code = typeof symptom.code === "string" ? symptom.code : "unknown";
+            const severity = typeof symptom.severity === "string" ? symptom.severity : "unknown";
+            const message = typeof symptom.message === "string" ? symptom.message : "";
+            return `  - ${code}: ${severity}${message ? ` (${message})` : ""}`;
+        }));
+    }
+    return `${lines.join("\n")}\n`;
+}
+async function sleep(ms) {
+    await new Promise((resolve) => {
+        setTimeout(resolve, ms);
+    });
+}
+function renderApprovalList(approvals) {
+    if (approvals.length === 0) {
+        return "No approvals matched.\n";
+    }
+    return approvals.map((approval) => {
+        const status = typeof approval.status === "string" ? approval.status : "unknown";
+        const toolName = typeof approval.toolName === "string" ? approval.toolName : "unknown_tool";
+        const approvalId = typeof approval.approvalId === "string" ? approval.approvalId : "unknown";
+        const threadId = typeof approval.threadId === "string" ? ` thread=${approval.threadId}` : "";
+        const runId = typeof approval.runId === "string" ? ` run=${approval.runId}` : "";
+        const reason = typeof approval.approvalReason === "string" ? ` reason=${approval.approvalReason}` : "";
+        const requestedAt = formatTimestamp(approval.requestedAt);
+        const resolvedAt = formatTimestamp(approval.resolvedAt);
+        const requested = requestedAt ? ` requested=${requestedAt}` : "";
+        const resolved = resolvedAt ? ` resolved=${resolvedAt}` : "";
+        return `${approvalId} status=${status} tool=${toolName}${threadId}${runId}${reason}${requested}${resolved}`;
+    }).join("\n") + "\n";
+}
+function renderRunList(runs) {
+    if (runs.length === 0) {
+        return "No runs matched.\n";
+    }
+    return runs.map((run) => {
+        const runId = typeof run.runId === "string" ? run.runId : "unknown";
+        const threadId = typeof run.threadId === "string" ? run.threadId : "unknown";
+        const agentId = typeof run.agentId === "string" ? run.agentId : "unknown";
+        const state = typeof run.state === "string" ? run.state : "unknown";
+        const currentAgent = typeof run.currentAgentId === "string" ? ` current=${run.currentAgentId}` : "";
+        const resumable = typeof run.resumable === "boolean" ? ` resumable=${run.resumable}` : "";
+        const updatedAt = formatTimestamp(run.updatedAt);
+        const lastActivityAt = formatTimestamp(run.lastActivityAt);
+        const updated = updatedAt ? ` updated=${updatedAt}` : "";
+        const lastActivity = lastActivityAt ? ` activity=${lastActivityAt}` : "";
+        return `${runId} thread=${threadId} agent=${agentId}${currentAgent} state=${state}${resumable}${updated}${lastActivity}`;
+    }).join("\n") + "\n";
+}
 export async function runCli(argv, io = {}, deps = {}) {
     const cwd = io.cwd ?? process.cwd();
     const stdout = io.stdout ?? ((message) => process.stdout.write(message));
@@ -320,6 +471,75 @@ export async function runCli(argv, io = {}, deps = {}) {
             return 1;
         }
     }
+    if (command === "runtime") {
+        const [subcommand, possibleNestedCommand, ...remainingArgs] = [projectName, ...rest];
+        if (!subcommand) {
+            stderr(renderUsage());
+            return 1;
+        }
+        const nestedCommand = (subcommand === "approvals" || subcommand === "runs") && possibleNestedCommand
+            ? possibleNestedCommand
+            : undefined;
+        const subcommandArgs = nestedCommand ? remainingArgs : [possibleNestedCommand, ...remainingArgs].filter((item) => typeof item === "string");
+        const parsed = parseRuntimeInspectOptions(subcommandArgs);
+        if (parsed.error) {
+            stderr(`${parsed.error}\n`);
+            stderr(renderUsage());
+            return 1;
+        }
+        try {
+            const runtime = await createHarness(path.resolve(cwd, parsed.workspaceRoot ?? "."));
+            const workspacePath = path.resolve(cwd, parsed.workspaceRoot ?? ".");
+            if (subcommand === "health") {
+                const snapshot = await runtime.getHealth();
+                stdout(parsed.json ? renderJson(snapshot) : renderHealthSnapshot(snapshot, workspacePath));
+                await runtime.stop();
+                return 0;
+            }
+            if (subcommand === "approvals" && (nestedCommand === "list" || nestedCommand === "watch")) {
+                const renderApprovals = async () => {
+                    const approvals = await runtime.listApprovals(parsed.status ? { status: parsed.status } : undefined);
+                    stdout(parsed.json ? renderJson(approvals) : renderApprovalList(approvals));
+                };
+                await renderApprovals();
+                if (nestedCommand === "watch" && !parsed.once) {
+                    for (;;) {
+                        await sleep(parsed.pollMs);
+                        await renderApprovals();
+                    }
+                }
+                await runtime.stop();
+                return 0;
+            }
+            if (subcommand === "runs" && (nestedCommand === "list" || nestedCommand === "tail")) {
+                const renderRuns = async () => {
+                    const runs = await runtime.listRuns({
+                        ...(parsed.agentId ? { agentId: parsed.agentId } : {}),
+                        ...(parsed.threadId ? { threadId: parsed.threadId } : {}),
+                        ...(parsed.state ? { state: parsed.state } : {}),
+                    });
+                    stdout(parsed.json ? renderJson(runs) : renderRunList(runs));
+                };
+                await renderRuns();
+                if (nestedCommand === "tail" && !parsed.once) {
+                    for (;;) {
+                        await sleep(parsed.pollMs);
+                        await renderRuns();
+                    }
+                }
+                await runtime.stop();
+                return 0;
+            }
+            await runtime.stop();
+            stderr(renderUsage());
+            return 1;
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            stderr(`${message}\n`);
+            return 1;
+        }
+    }
     stderr(renderUsage());
     return 1;
 }

package/dist/config/runtime/workspace.yaml

@@ -150,3 +150,38 @@ spec:
         - socket hang up
         - econnreset
         - timed out
+
+  # agent-harness feature: runtime-owned governance defaults for remote MCP access and approval escalation.
+  # Keep transport-specific and trust-specific policy here rather than scattering it across app code.
+  governance:
+    remoteMcp:
+      denyTrustTiers:
+        - untrusted
+      denyTenantScopes:
+        - cross-tenant
+      denyPromptInjectionRisks:
+        - high
+      requireApprovalTransports:
+        - websocket
+      riskByTransport:
+        http: medium
+        sse: medium
+        websocket: high
+      inputRiskHintsByTransport:
+        http: ["remote-http"]
+        sse: ["remote-sse"]
+        websocket: ["remote-websocket"]
+
+  # agent-harness feature: runtime observability defaults for health and tracing/export alignment.
+  # These settings are runtime-owned metadata for operator tooling and downstream trace/export integration.
+  observability:
+    health:
+      enabled: true
+      evaluateIntervalSeconds: 30
+      emitEvents: true
+    tracing:
+      enabled: true
+      propagation: w3c-tracecontext
+      exporters:
+        - type: otlp-http
+          endpoint: https://otel.example.com/v1/traces

package/dist/contracts/runtime.d.ts

@@ -106,6 +106,12 @@ export type RuntimeGovernanceToolPolicy = {
     category: "local" | "backend" | "mcp" | "provider-native";
     mcpServerRef?: string;
     mcpTransport?: string;
+    mcpTrustTier?: "trusted" | "reviewed" | "untrusted";
+    mcpAccess?: "read-only" | "read-write";
+    tenantScope?: "workspace" | "project" | "tenant" | "cross-tenant";
+    approvalReason?: string;
+    promptInjectionRisk?: RuntimeGovernanceRiskLevel;
+    oauthScopes?: string[];
     risk: RuntimeGovernanceRiskLevel;
     requiresApproval: boolean;
     approvalPolicy: "explicit-hitl" | "runtime-default" | "none";

package/dist/contracts/workspace.d.ts

@@ -72,6 +72,16 @@ export type ParsedMcpServerObject = {
     cwd?: string;
     token?: string;
     headers?: Record<string, string>;
+    trustTier?: "trusted" | "reviewed" | "untrusted";
+    access?: "read-only" | "read-write";
+    tenantScope?: "workspace" | "project" | "tenant" | "cross-tenant";
+    approvalPolicy?: "always" | "write" | "never";
+    promptInjectionRisk?: "low" | "medium" | "high";
+    oauth?: {
+        provider?: string;
+        scopes?: string[];
+    };
+    labels?: string[];
     sourcePath: string;
 };
 export type ParsedToolObject = {
@@ -239,6 +249,7 @@ export type CompiledAgentBinding = {
         capabilities?: RuntimeCapabilities;
         resilience?: Record<string, unknown>;
         governance?: Record<string, unknown>;
+        observability?: Record<string, unknown>;
         deepagent?: {
             description?: string;
             passthrough?: Record<string, unknown>;

package/dist/package-version.d.ts

@@ -1 +1 @@
-export declare const AGENT_HARNESS_VERSION = "0.0.186";
+export declare const AGENT_HARNESS_VERSION = "0.0.188";

package/dist/package-version.js

@@ -1 +1 @@
-export const AGENT_HARNESS_VERSION = "0.0.186";
+export const AGENT_HARNESS_VERSION = "0.0.188";

package/dist/protocol/a2a/http.d.ts

@@ -17,6 +17,7 @@ export type A2aAgentCard = {
     name: string;
     description: string;
     version: string;
+    protocolVersion?: string;
     url: string;
     preferredTransport: "JSONRPC";
     provider?: {
@@ -24,6 +25,9 @@ export type A2aAgentCard = {
         url?: string;
     };
     documentationUrl?: string;
+    defaultAgentId?: string;
+    supportsAuthenticatedExtendedCard?: boolean;
+    supportedInterfaces?: string[];
     capabilities: {
         streaming: boolean;
         pushNotifications: boolean;
@@ -43,6 +47,7 @@ export type A2aTaskState = "submitted" | "working" | "input-required" | "complet
 type A2aTaskStatus = {
     state: A2aTaskState;
     timestamp: string;
+    messageId?: string;
     message?: {
         role: "agent";
         parts: Array<{

package/dist/protocol/a2a/http.js

@@ -97,6 +97,22 @@ function parseTaskLocatorParams(params) {
     }
     return { taskId };
 }
+function parseTaskListParams(params) {
+    if (!params || typeof params !== "object" || Array.isArray(params)) {
+        return { limit: 20 };
+    }
+    const typed = params;
+    const limitValue = typeof typed.limit === "number" && Number.isFinite(typed.limit)
+        ? Math.max(1, Math.min(100, Math.trunc(typed.limit)))
+        : 20;
+    return {
+        ...(typeof typed.agentId === "string" && typed.agentId.trim().length > 0 ? { agentId: typed.agentId.trim() } : {}),
+        ...(typeof typed.contextId === "string" && typed.contextId.trim().length > 0 ? { contextId: typed.contextId.trim() } : {}),
+        ...(typeof typed.state === "string" && typed.state.trim().length > 0 ? { state: typed.state.trim() } : {}),
+        ...(typeof typed.cursor === "string" && typed.cursor.trim().length > 0 ? { cursor: typed.cursor.trim() } : {}),
+        limit: limitValue,
+    };
+}
 function mapRunState(state) {
     switch (state) {
         case "queued":
@@ -134,6 +150,63 @@ function contentToText(content) {
         .trim();
     return text.length > 0 ? text : undefined;
 }
+function toSessionRecord(session) {
+    if (!session) {
+        return null;
+    }
+    return {
+        sessionId: session.threadId,
+        entryAgentId: session.entryAgentId,
+        currentAgentId: session.currentAgentId,
+        currentState: session.currentState,
+        latestRequestId: session.latestRunId,
+        createdAt: session.createdAt,
+        updatedAt: session.updatedAt,
+        messages: session.messages,
+        requests: session.runs.map((run) => ({
+            requestId: run.runId,
+            sessionId: run.threadId,
+            agentId: run.agentId,
+            executionMode: run.executionMode,
+            adapterKind: run.adapterKind,
+            createdAt: run.createdAt,
+            updatedAt: run.updatedAt,
+            state: run.state,
+            checkpointRef: run.checkpointRef,
+            resumable: run.resumable,
+            startedAt: run.startedAt,
+            endedAt: run.endedAt,
+            lastActivityAt: run.lastActivityAt,
+            currentAgentId: run.currentAgentId,
+            delegationChain: run.delegationChain,
+            runtimeSnapshot: run.runtimeSnapshot,
+        })),
+        pendingDecision: session.pendingDecision,
+    };
+}
+function toRequestRecord(request) {
+    if (!request) {
+        return null;
+    }
+    return {
+        requestId: request.runId,
+        sessionId: request.threadId,
+        agentId: request.agentId,
+        executionMode: request.executionMode,
+        adapterKind: request.adapterKind,
+        createdAt: request.createdAt,
+        updatedAt: request.updatedAt,
+        state: request.state,
+        checkpointRef: request.checkpointRef,
+        resumable: request.resumable,
+        startedAt: request.startedAt,
+        endedAt: request.endedAt,
+        lastActivityAt: request.lastActivityAt,
+        currentAgentId: request.currentAgentId,
+        delegationChain: request.delegationChain,
+        runtimeSnapshot: request.runtimeSnapshot,
+    };
+}
 function buildTaskFromSessionAndRequest(session, request, approvals, output, failureMessage) {
     if (!session || !request) {
         return null;
@@ -193,52 +266,22 @@ async function buildTaskFromRuntime(runtime, requestId) {
     }
     const session = await runtime.getThread(request.threadId);
     const approvals = await runtime.listApprovals({ threadId: request.threadId, runId: request.runId });
-    return buildTaskFromSessionAndRequest(session ? {
-        sessionId: session.threadId,
-        entryAgentId: session.entryAgentId,
-        currentAgentId: session.currentAgentId,
-        currentState: session.currentState,
-        latestRequestId: session.latestRunId,
-        createdAt: session.createdAt,
-        updatedAt: session.updatedAt,
-        messages: session.messages,
-        requests: session.runs.map((run) => ({
-            requestId: run.runId,
-            sessionId: run.threadId,
-            agentId: run.agentId,
-            executionMode: run.executionMode,
-            adapterKind: run.adapterKind,
-            createdAt: run.createdAt,
-            updatedAt: run.updatedAt,
-            state: run.state,
-            checkpointRef: run.checkpointRef,
-            resumable: run.resumable,
-            startedAt: run.startedAt,
-            endedAt: run.endedAt,
-            lastActivityAt: run.lastActivityAt,
-            currentAgentId: run.currentAgentId,
-            delegationChain: run.delegationChain,
-            runtimeSnapshot: run.runtimeSnapshot,
-        })),
-        pendingDecision: session.pendingDecision,
-    } : null, {
-        requestId: request.runId,
-        sessionId: request.threadId,
-        agentId: request.agentId,
-        executionMode: request.executionMode,
-        adapterKind: request.adapterKind,
-        createdAt: request.createdAt,
-        updatedAt: request.updatedAt,
-        state: request.state,
-        checkpointRef: request.checkpointRef,
-        resumable: request.resumable,
-        startedAt: request.startedAt,
-        endedAt: request.endedAt,
-        lastActivityAt: request.lastActivityAt,
-        currentAgentId: request.currentAgentId,
-        delegationChain: request.delegationChain,
-        runtimeSnapshot: request.runtimeSnapshot,
-    }, approvals);
+    return buildTaskFromSessionAndRequest(toSessionRecord(session), toRequestRecord(request), approvals);
+}
+async function listTasksFromRuntime(runtime, params) {
+    const runs = await runtime.listRuns({
+        ...(params.agentId ? { agentId: params.agentId } : {}),
+        ...(params.contextId ? { threadId: params.contextId } : {}),
+        ...(params.state ? { state: params.state } : {}),
+    });
+    const startIndex = params.cursor ? Number.parseInt(Buffer.from(params.cursor, "base64url").toString("utf8"), 10) || 0 : 0;
+    const page = runs.slice(startIndex, startIndex + params.limit);
+    const tasks = (await Promise.all(page.map((run) => buildTaskFromRuntime(runtime, run.runId)))).filter((task) => Boolean(task));
+    const nextIndex = startIndex + page.length;
+    return {
+        tasks,
+        ...(nextIndex < runs.length ? { nextCursor: Buffer.from(String(nextIndex), "utf8").toString("base64url") } : {}),
+    };
 }
 function buildAgentCard(runtime, options) {
     const inventory = runtime.describeWorkspaceInventory();
@@ -253,8 +296,23 @@ function buildAgentCard(runtime, options) {
         name: options.agentName,
         description: options.agentDescription,
         version: "0.1.0",
+        protocolVersion: "1.0",
         url: options.rpcUrl,
         preferredTransport: "JSONRPC",
+        supportsAuthenticatedExtendedCard: false,
+        supportedInterfaces: [
+            "message/send",
+            "tasks/send",
+            "tasks/get",
+            "tasks/list",
+            "tasks/cancel",
+            "tasks/subscribe",
+            "SendMessage",
+            "GetTask",
+            "ListTasks",
+            "CancelTask",
+            "SubscribeToTask",
+        ],
         capabilities: {
             streaming: false,
             pushNotifications: false,
@@ -302,7 +360,7 @@ export async function serveA2aOverHttp(runtime, options = {}) {
                     return;
                 }
                 try {
-                    if (payload.method === "message/send" || payload.method === "tasks/send") {
+                    if (payload.method === "message/send" || payload.method === "tasks/send" || payload.method === "SendMessage") {
                         const parsed = parseMessageSendParams(payload.params);
                         const result = await runtime.run({
                             agentId: parsed.agentId ?? options.defaultAgentId,
@@ -313,56 +371,11 @@ export async function serveA2aOverHttp(runtime, options = {}) {
                         const session = await runtime.getThread(result.threadId);
                         const requestRecord = await runtime.getRun(result.runId);
                         const approvals = await runtime.listApprovals({ threadId: result.threadId, runId: result.runId });
-                        const task = buildTaskFromSessionAndRequest(session ? {
-                            sessionId: session.threadId,
-                            entryAgentId: session.entryAgentId,
-                            currentAgentId: session.currentAgentId,
-                            currentState: session.currentState,
-                            latestRequestId: session.latestRunId,
-                            createdAt: session.createdAt,
-                            updatedAt: session.updatedAt,
-                            messages: session.messages,
-                            requests: session.runs.map((run) => ({
-                                requestId: run.runId,
-                                sessionId: run.threadId,
-                                agentId: run.agentId,
-                                executionMode: run.executionMode,
-                                adapterKind: run.adapterKind,
-                                createdAt: run.createdAt,
-                                updatedAt: run.updatedAt,
-                                state: run.state,
-                                checkpointRef: run.checkpointRef,
-                                resumable: run.resumable,
-                                startedAt: run.startedAt,
-                                endedAt: run.endedAt,
-                                lastActivityAt: run.lastActivityAt,
-                                currentAgentId: run.currentAgentId,
-                                delegationChain: run.delegationChain,
-                                runtimeSnapshot: run.runtimeSnapshot,
-                            })),
-                            pendingDecision: session.pendingDecision,
-                        } : null, requestRecord ? {
-                            requestId: requestRecord.runId,
-                            sessionId: requestRecord.threadId,
-                            agentId: requestRecord.agentId,
-                            executionMode: requestRecord.executionMode,
-                            adapterKind: requestRecord.adapterKind,
-                            createdAt: requestRecord.createdAt,
-                            updatedAt: requestRecord.updatedAt,
-                            state: requestRecord.state,
-                            checkpointRef: requestRecord.checkpointRef,
-                            resumable: requestRecord.resumable,
-                            startedAt: requestRecord.startedAt,
-                            endedAt: requestRecord.endedAt,
-                            lastActivityAt: requestRecord.lastActivityAt,
-                            currentAgentId: requestRecord.currentAgentId,
-                            delegationChain: requestRecord.delegationChain,
-                            runtimeSnapshot: requestRecord.runtimeSnapshot,
-                        } : null, approvals, result.output);
+                        const task = buildTaskFromSessionAndRequest(toSessionRecord(session), toRequestRecord(requestRecord), approvals, result.output);
                         writeJson(response, 200, toSuccess(payload.id ?? null, task));
                         return;
                     }
-                    if (payload.method === "tasks/get") {
+                    if (payload.method === "tasks/get" || payload.method === "GetTask") {
                         const { taskId } = parseTaskLocatorParams(payload.params);
                         const task = await buildTaskFromRuntime(runtime, taskId);
                         if (!task) {
@@ -372,13 +385,35 @@ export async function serveA2aOverHttp(runtime, options = {}) {
                         writeJson(response, 200, toSuccess(payload.id ?? null, task));
                         return;
                     }
-                    if (payload.method === "tasks/cancel") {
+                    if (payload.method === "tasks/list" || payload.method === "ListTasks") {
+                        const taskList = await listTasksFromRuntime(runtime, parseTaskListParams(payload.params));
+                        writeJson(response, 200, toSuccess(payload.id ?? null, taskList));
+                        return;
+                    }
+                    if (payload.method === "tasks/cancel" || payload.method === "CancelTask") {
                         const { taskId } = parseTaskLocatorParams(payload.params);
                         const result = await runtime.cancelRun({ runId: taskId, reason: "Cancelled via A2A bridge." });
                         const task = await buildTaskFromRuntime(runtime, result.runId);
                         writeJson(response, 200, toSuccess(payload.id ?? null, task));
                         return;
                     }
+                    if (payload.method === "tasks/subscribe" || payload.method === "SubscribeToTask") {
+                        const { taskId } = parseTaskLocatorParams(payload.params);
+                        const task = await buildTaskFromRuntime(runtime, taskId);
+                        if (!task) {
+                            writeJson(response, 200, toError(payload.id ?? null, -32004, "Task not found."));
+                            return;
+                        }
+                        writeJson(response, 200, toSuccess(payload.id ?? null, {
+                            task,
+                            streamable: false,
+                            pushNotifications: false,
+                            nextPollAfterMs: task.status.state === "completed" || task.status.state === "failed" || task.status.state === "canceled"
+                                ? 0
+                                : 1_000,
+                        }));
+                        return;
+                    }
                     writeJson(response, 200, toError(payload.id ?? null, -32601, `Unknown A2A method: ${payload.method}`));
                 }
                 catch (error) {

package/dist/resource/mcp-tool-support.d.ts

@@ -9,6 +9,16 @@ export type McpServerConfig = {
     url?: string;
     token?: string;
     headers?: Record<string, string>;
+    trustTier?: "trusted" | "reviewed" | "untrusted";
+    access?: "read-only" | "read-write";
+    tenantScope?: "workspace" | "project" | "tenant" | "cross-tenant";
+    approvalPolicy?: "always" | "write" | "never";
+    promptInjectionRisk?: "low" | "medium" | "high";
+    oauth?: {
+        provider?: string;
+        scopes?: string[];
+    };
+    labels?: string[];
 };
 export type McpToolDescriptor = {
     name: string;

package/dist/resource/mcp-tool-support.js

@@ -14,6 +14,13 @@ function readStringRecord(value) {
     const entries = Object.entries(value).filter((entry) => typeof entry[1] === "string");
     return entries.length > 0 ? Object.fromEntries(entries) : undefined;
 }
+function readStringArray(value) {
+    if (!Array.isArray(value)) {
+        return undefined;
+    }
+    const entries = value.filter((item) => typeof item === "string" && item.trim().length > 0).map((item) => item.trim());
+    return entries.length > 0 ? entries : undefined;
+}
 function normalizeMcpTransport(value) {
     if (value === "stdio" || value === "http" || value === "sse" || value === "websocket") {
         return value;
@@ -40,6 +47,13 @@ export function readMcpServerConfig(workspace, tool) {
             url: server.url,
             token: server.token,
             headers: server.headers,
+            trustTier: server.trustTier,
+            access: server.access,
+            tenantScope: server.tenantScope,
+            approvalPolicy: server.approvalPolicy,
+            promptInjectionRisk: server.promptInjectionRisk,
+            oauth: server.oauth,
+            labels: server.labels,
         };
     }
     const config = typeof tool.config === "object" && tool.config
@@ -60,6 +74,31 @@ export function readMcpServerConfig(workspace, tool) {
         url: typeof mcpServer.url === "string" ? mcpServer.url.trim() : undefined,
         token: typeof mcpServer.token === "string" ? mcpServer.token : undefined,
         headers: readStringRecord(mcpServer.headers),
+        trustTier: mcpServer.trustTier === "trusted" || mcpServer.trustTier === "reviewed" || mcpServer.trustTier === "untrusted"
+            ? mcpServer.trustTier
+            : undefined,
+        access: mcpServer.access === "read-only" || mcpServer.access === "read-write" ? mcpServer.access : undefined,
+        tenantScope: mcpServer.tenantScope === "workspace" ||
+            mcpServer.tenantScope === "project" ||
+            mcpServer.tenantScope === "tenant" ||
+            mcpServer.tenantScope === "cross-tenant"
+            ? mcpServer.tenantScope
+            : undefined,
+        approvalPolicy: mcpServer.approvalPolicy === "always" || mcpServer.approvalPolicy === "write" || mcpServer.approvalPolicy === "never"
+            ? mcpServer.approvalPolicy
+            : undefined,
+        promptInjectionRisk: mcpServer.promptInjectionRisk === "low" || mcpServer.promptInjectionRisk === "medium" || mcpServer.promptInjectionRisk === "high"
+            ? mcpServer.promptInjectionRisk
+            : undefined,
+        oauth: typeof mcpServer.oauth === "object" && mcpServer.oauth
+            ? {
+                provider: typeof mcpServer.oauth.provider === "string"
+                    ? mcpServer.oauth.provider
+                    : undefined,
+                scopes: readStringArray(mcpServer.oauth.scopes),
+            }
+            : undefined,
+        labels: readStringArray(mcpServer.labels),
     };
 }
 function createMcpCacheKey(config) {
@@ -72,6 +111,13 @@ function createMcpCacheKey(config) {
         url: config.url ?? "",
         token: config.token ?? "",
         headers: config.headers ?? {},
+        trustTier: config.trustTier ?? "",
+        access: config.access ?? "",
+        tenantScope: config.tenantScope ?? "",
+        approvalPolicy: config.approvalPolicy ?? "",
+        promptInjectionRisk: config.promptInjectionRisk ?? "",
+        oauth: config.oauth ?? {},
+        labels: config.labels ?? [],
     });
 }
 async function createConnectedMcpClient(config) {

package/dist/runtime/harness/run/governance.js

@@ -23,6 +23,12 @@ function classifyRisk(policy) {
     if (policy.requiresApproval) {
         return "high";
     }
+    if (policy.mcpTrustTier === "untrusted" || policy.tenantScope === "cross-tenant" || policy.promptInjectionRisk === "high") {
+        return "high";
+    }
+    if (policy.mcpAccess === "read-write" || policy.promptInjectionRisk === "medium") {
+        return "medium";
+    }
     const target = `${policy.toolName} ${policy.description}`;
     if (policy.toolType === "mcp" && WRITE_LIKE_PATTERN.test(target)) {
         return "high";
@@ -69,12 +75,27 @@ function readRemoteMcpMetadata(tool) {
     const config = asObject(tool.config);
     const mcpReference = asObject(config?.mcp);
     const inlineServer = asObject(config?.mcpServer);
+    const oauth = asObject(inlineServer?.oauth);
     const transport = typeof inlineServer?.transport === "string" && inlineServer.transport.trim().length > 0
         ? inlineServer.transport.trim()
         : undefined;
+    const readEnum = (value, allowed) => typeof value === "string" && allowed.includes(value) ? value : undefined;
+    const oauthScopes = readStringArray(oauth?.scopes);
     return {
         ...(normalizeServerRef(mcpReference?.serverRef) ? { serverRef: normalizeServerRef(mcpReference?.serverRef) } : {}),
         ...(transport ? { transport } : {}),
+        ...(readEnum(inlineServer?.trustTier, ["trusted", "reviewed", "untrusted"]) ? { trustTier: readEnum(inlineServer?.trustTier, ["trusted", "reviewed", "untrusted"]) } : {}),
+        ...(readEnum(inlineServer?.access, ["read-only", "read-write"]) ? { access: readEnum(inlineServer?.access, ["read-only", "read-write"]) } : {}),
+        ...(readEnum(inlineServer?.tenantScope, ["workspace", "project", "tenant", "cross-tenant"])
+            ? { tenantScope: readEnum(inlineServer?.tenantScope, ["workspace", "project", "tenant", "cross-tenant"]) }
+            : {}),
+        ...(readEnum(inlineServer?.approvalPolicy, ["always", "write", "never"])
+            ? { approvalPolicy: readEnum(inlineServer?.approvalPolicy, ["always", "write", "never"]) }
+            : {}),
+        ...(readEnum(inlineServer?.promptInjectionRisk, ["low", "medium", "high"])
+            ? { promptInjectionRisk: readEnum(inlineServer?.promptInjectionRisk, ["low", "medium", "high"]) }
+            : {}),
+        ...(oauthScopes.length > 0 ? { oauthScopes } : {}),
     };
 }
 function matchesToolPolicy(rule, policy) {
@@ -156,8 +177,34 @@ function applyRemoteMcpGovernance(binding, policies) {
 }
 export function buildRuntimeGovernanceBundles(binding) {
     const toolPolicies = applyGovernanceOverrides(binding, applyRemoteMcpGovernance(binding, getBindingPrimaryTools(binding).map((tool) => {
-        const requiresApproval = toolRequiresRuntimeApproval(tool);
         const remoteMcp = readRemoteMcpMetadata(tool);
+        const writeLikeRemoteMcp = tool.type === "mcp" && (remoteMcp.access === "read-write" || WRITE_LIKE_PATTERN.test(`${tool.name} ${tool.description}`));
+        const requiresApproval = toolRequiresRuntimeApproval(tool) ||
+            remoteMcp.trustTier === "untrusted" ||
+            remoteMcp.approvalPolicy === "always" ||
+            (remoteMcp.approvalPolicy === "write" && writeLikeRemoteMcp) ||
+            remoteMcp.tenantScope === "cross-tenant";
+        const approvalReason = remoteMcp.trustTier === "untrusted"
+            ? "untrusted-mcp-server"
+            : remoteMcp.tenantScope === "cross-tenant"
+                ? "cross-tenant-mcp-access"
+                : remoteMcp.approvalPolicy === "always"
+                    ? "remote-mcp-approval-policy"
+                    : remoteMcp.approvalPolicy === "write" && writeLikeRemoteMcp
+                        ? "high-risk-mcp-write"
+                        : requiresApproval && tool.type === "mcp"
+                            ? "high-risk-mcp-write"
+                            : undefined;
+        const inputRiskHints = inputHints(binding, tool);
+        if (remoteMcp.access === "read-write") {
+            inputRiskHints.push("remote-write-access");
+        }
+        if (remoteMcp.tenantScope === "cross-tenant") {
+            inputRiskHints.push("cross-tenant-scope");
+        }
+        if (remoteMcp.promptInjectionRisk) {
+            inputRiskHints.push(`prompt-injection-${remoteMcp.promptInjectionRisk}`);
+        }
         return {
             toolName: tool.name,
             toolId: tool.id,
@@ -165,17 +212,27 @@ export function buildRuntimeGovernanceBundles(binding) {
             category: toCategory(tool.type),
             ...(remoteMcp.serverRef ? { mcpServerRef: remoteMcp.serverRef } : {}),
             ...(remoteMcp.transport ? { mcpTransport: remoteMcp.transport } : {}),
+            ...(remoteMcp.trustTier ? { mcpTrustTier: remoteMcp.trustTier } : {}),
+            ...(remoteMcp.access ? { mcpAccess: remoteMcp.access } : {}),
+            ...(remoteMcp.tenantScope ? { tenantScope: remoteMcp.tenantScope } : {}),
+            ...(remoteMcp.promptInjectionRisk ? { promptInjectionRisk: remoteMcp.promptInjectionRisk } : {}),
+            ...(remoteMcp.oauthScopes && remoteMcp.oauthScopes.length > 0 ? { oauthScopes: remoteMcp.oauthScopes } : {}),
+            ...(approvalReason ? { approvalReason } : {}),
             risk: classifyRisk({
                 toolType: tool.type,
                 requiresApproval,
                 toolName: tool.name,
                 description: tool.description,
                 config: tool.config,
+                mcpTrustTier: remoteMcp.trustTier,
+                mcpAccess: remoteMcp.access,
+                tenantScope: remoteMcp.tenantScope,
+                promptInjectionRisk: remoteMcp.promptInjectionRisk,
             }),
             requiresApproval,
             approvalPolicy: tool.hitl?.enabled === true ? "explicit-hitl" : requiresApproval ? "runtime-default" : "none",
             hasInputSchema: compiledToolHasInputSchema(tool),
-            inputRiskHints: inputHints(binding, tool),
+            inputRiskHints: Array.from(new Set(inputRiskHints)),
         };
     })));
     if (toolPolicies.length === 0) {

package/dist/runtime/harness/run/inspection.js

@@ -20,8 +20,28 @@ function readTracingConfig(binding) {
 }
 function buildRuntimeSnapshotTracing(binding, runId) {
     const tracing = readTracingConfig(binding);
+    const observability = asObject(binding.harnessRuntime.observability);
+    const runtimeTracing = asObject(observability?.tracing);
+    const exporters = Array.isArray(runtimeTracing?.exporters)
+        ? runtimeTracing.exporters
+            .filter((item) => typeof item === "object" && item !== null && !Array.isArray(item))
+            .map((item) => ({
+            type: typeof item.type === "string" ? item.type : "custom",
+            ...(typeof item.endpoint === "string" ? { endpoint: item.endpoint } : {}),
+        }))
+        : [];
     if (!tracing) {
-        return undefined;
+        if (!runtimeTracing || runId === undefined || runtimeTracing.enabled === false) {
+            return undefined;
+        }
+        return {
+            enabled: true,
+            correlationId: runId,
+            metadata: {
+                ...(typeof runtimeTracing.propagation === "string" ? { propagation: runtimeTracing.propagation } : {}),
+                ...(exporters.length > 0 ? { exporters } : {}),
+            },
+        };
     }
     const enabled = tracing.enabled !== false;
     if (!enabled || !runId) {
@@ -33,7 +53,15 @@ function buildRuntimeSnapshotTracing(binding, runId) {
         enabled: true,
         correlationId: runId,
         ...(tags.length > 0 ? { tags } : {}),
-        ...(metadata && Object.keys(metadata).length > 0 ? { metadata: { ...metadata } } : {}),
+        ...((metadata && Object.keys(metadata).length > 0) || exporters.length > 0 || typeof runtimeTracing?.propagation === "string"
+            ? {
+                metadata: {
+                    ...(metadata ? { ...metadata } : {}),
+                    ...(typeof runtimeTracing?.propagation === "string" ? { propagation: runtimeTracing.propagation } : {}),
+                    ...(exporters.length > 0 ? { exporters } : {}),
+                },
+            }
+            : {}),
     };
 }
 export function buildRunRuntimeSnapshot(binding, options) {

package/dist/runtime/harness/system/policy-engine.js

@@ -49,6 +49,17 @@ export class PolicyEngine {
                 const trimmed = value.trim();
                 return trimmed.startsWith("mcp/") ? trimmed : `mcp/${trimmed}`;
             };
+            const readStringSet = (value) => new Set(Array.isArray(value)
+                ? value.filter((item) => typeof item === "string" && item.trim().length > 0).map((item) => item.trim())
+                : []);
+            const riskRank = {
+                low: 0,
+                medium: 1,
+                high: 2,
+            };
+            const maxPromptInjectionRisk = remoteMcp.maxPromptInjectionRisk === "low" || remoteMcp.maxPromptInjectionRisk === "medium" || remoteMcp.maxPromptInjectionRisk === "high"
+                ? remoteMcp.maxPromptInjectionRisk
+                : undefined;
             const allowServerRefs = new Set(Array.isArray(remoteMcp.allowServerRefs)
                 ? remoteMcp.allowServerRefs
                     .map((item) => normalizeServerRef(item))
@@ -59,9 +70,14 @@ export class PolicyEngine {
                     .map((item) => normalizeServerRef(item))
                     .filter((item) => Boolean(item))
                 : []);
-            const denyTransports = new Set(Array.isArray(remoteMcp.denyTransports)
-                ? remoteMcp.denyTransports.filter((item) => typeof item === "string" && item.trim().length > 0).map((item) => item.trim())
-                : []);
+            const denyTransports = readStringSet(remoteMcp.denyTransports);
+            const allowTrustTiers = readStringSet(remoteMcp.allowTrustTiers);
+            const denyTrustTiers = readStringSet(remoteMcp.denyTrustTiers);
+            const allowTenantScopes = readStringSet(remoteMcp.allowTenantScopes);
+            const denyTenantScopes = readStringSet(remoteMcp.denyTenantScopes);
+            const denyPromptInjectionRisks = readStringSet(remoteMcp.denyPromptInjectionRisks);
+            const allowOauthScopes = readStringSet(remoteMcp.allowOauthScopes);
+            const denyOauthScopes = readStringSet(remoteMcp.denyOauthScopes);
             const tools = binding.execution?.params?.tools ?? binding.langchainAgentParams?.tools ?? binding.deepAgentParams?.tools ?? [];
             const deniedRemoteTools = tools.flatMap((tool) => {
                 if (tool.type !== "mcp") {
@@ -80,13 +96,43 @@ export class PolicyEngine {
                 const transport = typeof inlineMcpServer?.transport === "string" && inlineMcpServer.transport.trim().length > 0
                     ? inlineMcpServer.transport.trim()
                     : undefined;
+                const trustTier = inlineMcpServer?.trustTier === "trusted" || inlineMcpServer?.trustTier === "reviewed" || inlineMcpServer?.trustTier === "untrusted"
+                    ? inlineMcpServer.trustTier
+                    : undefined;
+                const tenantScope = inlineMcpServer?.tenantScope === "workspace" ||
+                    inlineMcpServer?.tenantScope === "project" ||
+                    inlineMcpServer?.tenantScope === "tenant" ||
+                    inlineMcpServer?.tenantScope === "cross-tenant"
+                    ? inlineMcpServer.tenantScope
+                    : undefined;
+                const promptInjectionRisk = inlineMcpServer?.promptInjectionRisk === "low" ||
+                    inlineMcpServer?.promptInjectionRisk === "medium" ||
+                    inlineMcpServer?.promptInjectionRisk === "high"
+                    ? inlineMcpServer.promptInjectionRisk
+                    : undefined;
+                const oauth = typeof inlineMcpServer?.oauth === "object" && inlineMcpServer.oauth && !Array.isArray(inlineMcpServer.oauth)
+                    ? inlineMcpServer.oauth
+                    : undefined;
+                const oauthScopes = Array.isArray(oauth?.scopes)
+                    ? oauth.scopes.filter((item) => typeof item === "string" && item.trim().length > 0).map((item) => item.trim())
+                    : [];
                 const serverDenied = serverRef ? denyServerRefs.has(serverRef) || (allowServerRefs.size > 0 && !allowServerRefs.has(serverRef)) : false;
                 const transportDenied = transport ? denyTransports.has(transport) : false;
-                return serverDenied || transportDenied
+                const trustDenied = trustTier ? denyTrustTiers.has(trustTier) || (allowTrustTiers.size > 0 && !allowTrustTiers.has(trustTier)) : false;
+                const tenantDenied = tenantScope ? denyTenantScopes.has(tenantScope) || (allowTenantScopes.size > 0 && !allowTenantScopes.has(tenantScope)) : false;
+                const promptRiskDenied = (promptInjectionRisk ? denyPromptInjectionRisks.has(promptInjectionRisk) : false)
+                    || (promptInjectionRisk && maxPromptInjectionRisk ? riskRank[promptInjectionRisk] > riskRank[maxPromptInjectionRisk] : false);
+                const oauthDenied = oauthScopes.some((scope) => denyOauthScopes.has(scope))
+                    || (allowOauthScopes.size > 0 && oauthScopes.some((scope) => !allowOauthScopes.has(scope)));
+                return serverDenied || transportDenied || trustDenied || tenantDenied || promptRiskDenied || oauthDenied
                     ? [{
                             toolName: tool.name,
                             ...(serverRef ? { serverRef } : {}),
                             ...(transport ? { transport } : {}),
+                            ...(trustTier ? { trustTier } : {}),
+                            ...(tenantScope ? { tenantScope } : {}),
+                            ...(promptInjectionRisk ? { promptInjectionRisk } : {}),
+                            ...(oauthScopes.length > 0 ? { oauthScopes } : {}),
                         }]
                     : [];
             });
@@ -102,6 +148,9 @@ export class PolicyEngine {
                     if (tool.transport) {
                         return `${tool.toolName} (${tool.transport})`;
                     }
+                    if (tool.trustTier) {
+                        return `${tool.toolName} (${tool.trustTier})`;
+                    }
                     return tool.toolName;
                 });
                 reasons.push(`runtime governance denied remote MCP access: ${details.join(", ")}`);

package/dist/workspace/agent-binding-compiler.js

@@ -341,6 +341,7 @@ export function compileBinding(workspaceRoot, agent, agents, referencedSubagentI
         ? asObject(runtimeDefaults?.filesystem)
         : undefined;
     const runtimeGovernanceDefaults = asObject(runtimeDefaults?.governance);
+    const runtimeObservabilityDefaults = asObject(runtimeDefaults?.observability);
     const compiledFilesystemConfig = agent.executionMode === "langchain-v1"
         ? mergeConfigObjects(runtimeFilesystemDefaults, getAgentExecutionObject(agent, "filesystem", { executionMode: "langchain-v1" }))
         : undefined;
@@ -357,6 +358,7 @@ export function compileBinding(workspaceRoot, agent, agents, referencedSubagentI
             capabilities: inferAgentCapabilities(agent),
             resilience,
             ...(runtimeGovernanceDefaults ? { governance: runtimeGovernanceDefaults } : {}),
+            ...(runtimeObservabilityDefaults ? { observability: runtimeObservabilityDefaults } : {}),
             ...(agent.executionMode === "deepagent"
                 ? {
                     deepagent: {

package/dist/workspace/resource-compilers.js

@@ -117,6 +117,7 @@ export function parseMcpServerObject(object) {
     const value = object.value;
     const env = asObject(value.env);
     const headers = asObject(value.headers);
+    const oauth = asObject(value.oauth);
     const transport = String(value.transport ??
         (typeof value.url === "string" && value.url.trim() ? "http" : undefined) ??
         (typeof value.command === "string" && value.command.trim() ? "stdio" : undefined) ??
@@ -131,6 +132,29 @@ export function parseMcpServerObject(object) {
         cwd: typeof value.cwd === "string" ? value.cwd : undefined,
         token: typeof value.token === "string" ? value.token : undefined,
         headers: headers ? Object.fromEntries(Object.entries(headers).filter((entry) => typeof entry[1] === "string")) : undefined,
+        trustTier: value.trustTier === "trusted" || value.trustTier === "reviewed" || value.trustTier === "untrusted"
+            ? value.trustTier
+            : undefined,
+        access: value.access === "read-only" || value.access === "read-write" ? value.access : undefined,
+        tenantScope: value.tenantScope === "workspace" ||
+            value.tenantScope === "project" ||
+            value.tenantScope === "tenant" ||
+            value.tenantScope === "cross-tenant"
+            ? value.tenantScope
+            : undefined,
+        approvalPolicy: value.approvalPolicy === "always" || value.approvalPolicy === "write" || value.approvalPolicy === "never"
+            ? value.approvalPolicy
+            : undefined,
+        promptInjectionRisk: value.promptInjectionRisk === "low" || value.promptInjectionRisk === "medium" || value.promptInjectionRisk === "high"
+            ? value.promptInjectionRisk
+            : undefined,
+        oauth: oauth
+            ? {
+                provider: typeof oauth.provider === "string" ? oauth.provider : undefined,
+                scopes: asStringArray(oauth.scopes),
+            }
+            : undefined,
+        labels: asStringArray(value.labels),
         sourcePath: object.sourcePath,
     };
 }

package/dist/workspace/tool-hydration.js

@@ -15,6 +15,13 @@ function toMcpServerConfig(server) {
         url: server.url,
         token: server.token,
         headers: server.headers,
+        trustTier: server.trustTier,
+        access: server.access,
+        tenantScope: server.tenantScope,
+        approvalPolicy: server.approvalPolicy,
+        promptInjectionRisk: server.promptInjectionRisk,
+        oauth: server.oauth,
+        labels: server.labels,
     };
 }
 function readStringArray(value) {
@@ -108,6 +115,29 @@ function mergeReferencedMcpServer(referencedServer, item, agentId, name, sourceP
             ...(referencedServer.headers ?? {}),
             ...(readStringRecord(item.headers) ?? {}),
         },
+        trustTier: item.trustTier === "trusted" || item.trustTier === "reviewed" || item.trustTier === "untrusted"
+            ? item.trustTier
+            : referencedServer.trustTier,
+        access: item.access === "read-only" || item.access === "read-write" ? item.access : referencedServer.access,
+        tenantScope: item.tenantScope === "workspace" ||
+            item.tenantScope === "project" ||
+            item.tenantScope === "tenant" ||
+            item.tenantScope === "cross-tenant"
+            ? item.tenantScope
+            : referencedServer.tenantScope,
+        approvalPolicy: item.approvalPolicy === "always" || item.approvalPolicy === "write" || item.approvalPolicy === "never"
+            ? item.approvalPolicy
+            : referencedServer.approvalPolicy,
+        promptInjectionRisk: item.promptInjectionRisk === "low" || item.promptInjectionRisk === "medium" || item.promptInjectionRisk === "high"
+            ? item.promptInjectionRisk
+            : referencedServer.promptInjectionRisk,
+        oauth: asObject(item.oauth)
+            ? {
+                provider: typeof asObject(item.oauth)?.provider === "string" ? asObject(item.oauth)?.provider : referencedServer.oauth?.provider,
+                scopes: readStringArray(asObject(item.oauth)?.scopes) || referencedServer.oauth?.scopes,
+            }
+            : referencedServer.oauth,
+        labels: readStringArray(item.labels).length > 0 ? readStringArray(item.labels) : referencedServer.labels,
         sourcePath,
     };
 }
@@ -220,6 +250,16 @@ export async function hydrateAgentMcpTools(agents, mcpServers, tools) {
                         mcp: {
                             serverRef: `mcp/${serverId}`,
                         },
+                        mcpServer: {
+                            transport: parsedServer.transport,
+                            ...(parsedServer.trustTier ? { trustTier: parsedServer.trustTier } : {}),
+                            ...(parsedServer.access ? { access: parsedServer.access } : {}),
+                            ...(parsedServer.tenantScope ? { tenantScope: parsedServer.tenantScope } : {}),
+                            ...(parsedServer.approvalPolicy ? { approvalPolicy: parsedServer.approvalPolicy } : {}),
+                            ...(parsedServer.promptInjectionRisk ? { promptInjectionRisk: parsedServer.promptInjectionRisk } : {}),
+                            ...(parsedServer.oauth ? { oauth: parsedServer.oauth } : {}),
+                            ...(parsedServer.labels && parsedServer.labels.length > 0 ? { labels: parsedServer.labels } : {}),
+                        },
                     },
                     mcpRef: remoteTool.name,
                     bundleRefs: [],

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@botbotgo/agent-harness",
-  "version": "0.0.187",
+  "version": "0.0.189",
   "description": "Workspace runtime for multi-agent applications",
   "type": "module",
   "packageManager": "npm@10.9.2",