How to Safely Give AI Agents New Tools at Runtime
Most systems treat "let an agent gain new tools at runtime" and "stop an agent from doing damage" as two separate problems, solved by two separate systems — a tool registry plus an approval workflow, a plugin marketplace plus a permission system bolted on afterward. In Stof, they're the same mechanism. A document can only touch what it's explicitly been handed, so a tool arriving at runtime is automatically constrained the same way everything else in the document already is — not because a permission check ran, but because there's nothing else there to reach.
