Host Capabilities
Akshi uses a fail-closed capability model. Agents have no access to host resources unless explicitly granted in configuration.
Declaring capabilities
In runtime.toml, each agent entry has a capabilities section:
[[agents]]
name = "researcher"
wasm_path = "researcher.wasm"
[agents.capabilities]
inference = true
journal = true
http_fetch = true
database = true
a2a = true
mcp = true
Capability list
| Capability | Description | Default |
|---|---|---|
inference | Call LLM inference through the router | off |
journal | Read/write journal entries and vector search | off |
database | SQLite database access | off |
http_fetch | Outbound HTTP requests | off |
a2a | Send/receive A2A task messages | off |
mcp | Call MCP tool servers | off |
filesystem | Read files from allowed paths | off |
spend | Use economic spend budget | off |
Endpoint allowlists
When http_fetch is enabled, restrict which domains the agent can reach:
[[agents]]
name = "researcher"
[agents.capabilities]
http_fetch = true
[agents.endpoints]
allowed = ["api.example.com", "cdn.example.com"]
Requests to unlisted domains are blocked and logged.
Approval-gated capabilities
Some actions can require human approval even when the capability is enabled:
[agents.capabilities]
http_fetch = true
[agents.approval]
http_fetch = true # Require approval for each HTTP request
See Approval Workflow for details.
Fail-closed behavior
If an agent calls a host function for a capability it does not have, the call returns an error immediately. The agent is not terminated; it can handle the error and continue.
If a capability is gated on approval and the approval is denied, the call
returns an error with reason "approval_denied".
Runtime enforcement
Capabilities are enforced at the WASM host boundary. The sandbox prevents agents from bypassing capability checks through memory manipulation or other means. Capability violations are recorded in the audit log.