Description
AARM operates as a proxy server implementing the tool protocol (e.g., Model Context Protocol). Agents connect to the AARM gateway instead of directly to tool servers. The gateway intercepts all tool invocations, accumulates session context, evaluates policies including intent alignment, and forwards permitted requests to backend servers.
Trust Properties
| Property | Value |
|---|---|
| Enforcement point | Network level — all tool traffic routes through the gateway |
| Schema visibility | Full — structured tool protocols provide parameter schemas |
| Context accumulation | Session context tracked across requests, keyed by session ID |
| Agent modification | Minimal — only the tool endpoint URL changes |
| Failure mode | Fail closed — tool calls fail if gateway is unavailable |
Coverage
| Scope | Coverage |
|---|---|
| Covered | All tools exposed via protocol servers routed through the gateway |
| Not covered | Direct HTTP calls bypassing the protocol, raw database connections, local filesystem access, shell command execution |
| Context limitation | Sees action requests/responses but not internal agent state or reasoning |
Action Classification Support
| Classification | Support | Notes |
|---|---|---|
| Forbidden | ✅ Full | Static policy rules match tool/operation patterns |
| Context-Dependent Deny | ✅ Good | Checks accumulated context after static ALLOW |
| Context-Dependent Allow | ⚠️ Partial | Requires original request passed via session init |
| Context-Dependent Defer | ⚠️ Partial | Can hold execution but may lack signals to resolve autonomously |
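
A minimal sketch of how a gateway could reach the four classifications in the table above. It is an added example, not AARM's own code. The tool names, rule sets, the `init_session` and `evaluate` helpers, and the keyword-based intent check are all assumptions made for illustration.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample policy: every tool name and rule below is hypothetical.
FORBIDDEN = ["shell.*", "db.drop_*"]        # static deny patterns
SENSITIVE_READS = {"crm.export_contacts"}   # calls that load sensitive data
EGRESS = {"email.send", "http.post"}        # calls that can move data out
INTENT_GATED = {"files.delete": "delete"}   # tool -> word the user must have used

@dataclass
class Session:
    original_request: Optional[str] = None  # supplied at session init, if at all
    history: list = field(default_factory=list)

SESSIONS = {}  # accumulated context, keyed by session ID

def init_session(session_id, original_request=None):
    SESSIONS[session_id] = Session(original_request)

def evaluate(session_id, tool):
    """Return 'ALLOW', 'DENY' or 'DEFER' for one tool invocation."""
    session = SESSIONS.get(session_id)
    if session is None:
        return "DENY"  # fail closed: no tracked session, no forwarding
    # Forbidden: static rules match tool/operation patterns.
    if any(fnmatch.fnmatchcase(tool, pat) for pat in FORBIDDEN):
        return "DENY"
    # Context-dependent allow: needs the original request from session init.
    if tool in INTENT_GATED:
        if session.original_request is None:
            return "DEFER"  # hold: no signal to resolve autonomously
        # Naive keyword match stands in for a real intent-alignment check.
        if INTENT_GATED[tool] not in session.original_request.lower():
            return "DENY"
    # Context-dependent deny: statically allowed, rejected on accumulated context.
    if tool in EGRESS and SENSITIVE_READS & set(session.history):
        return "DENY"
    session.history.append(tool)  # only forwarded calls enter the context
    return "ALLOW"

if __name__ == "__main__":
    init_session("s1", "Summarise Q3 sales and email me the summary")
    for call in ["email.send", "crm.export_contacts", "email.send", "files.delete"]:
        print(call, evaluate("s1", call))
```

The same `email.send` call is allowed before the sensitive read and denied after it, which is the case a purely static rule set cannot express.
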
When to Use
- You control the network between agent and tools
- Protocol adoption (e.g., MCP) is high in your environment
- Minimal agent modification is required
- Self-hosted or cloud-hosted agents on your infrastructure
When Not to Use
- Agent uses non-protocol tools (raw HTTP, direct database connections)
- Rich reasoning context is essential for policy decisions
- Agent runs on third-party infrastructure you do not control