A lightweight, CLI-first protocol that allows AI agents to safely introspect and cryptographically verify local tools via a simple --agent contract, without requiring MCP servers or additional infrastructure.
ATIP defines a simple convention for CLI tools to expose their capabilities to AI agents:
$ gh --agent
{
"atip": {"version": "0.6"},
"name": "gh",
"description": "GitHub CLI",
"commands": {
"pr": {
"list": {...},
"create": {...}
}
},
"effects": {
"network": true,
"destructive": false
}
}No servers. No JSON-RPC. No handshakes. Just a --agent flag that outputs structured JSON.
AI agents need to know:
- What tools are available? (discovery)
- How do I use this tool? (parameters, types)
- What are the side effects? (destructive? network? cost?)
- Is it safe to retry? (idempotent? reversible?)
- Can I trust this binary? (signatures, provenance, supply chain)
Current solutions fall short:
- Parsing
--helpβ Inconsistent, unreliable - Hardcoded knowledge β Doesn't scale to custom tools
- MCP servers β Overkill for simple CLI tools that execute and exit
ATIP separates introspection from executionβwith cryptographic trust:
| Concern | Solution |
|---|---|
| Discovery | tool --agent outputs metadata (ATIP) |
| Trust | Sigstore signatures + SLSA attestations |
| Execution | Direct subprocess invocation |
| Stateful tools | MCP (when genuinely needed) |
For 95% of CLI tools (git, kubectl, terraform, gh), ATIP provides everything agents needβincluding enterprise-grade supply chain securityβwithout infrastructure overhead.
Add ATIP support to your CLI tool in 30 minutes:
import json, sys
ATIP_METADATA = {
"atip": {"version": "0.6"},
"name": "mytool",
"version": "1.0.0",
"description": "Does something useful",
"commands": {
"run": {
"description": "Execute main function",
"options": [
{
"name": "verbose",
"flags": ["-v", "--verbose"],
"type": "boolean",
"description": "Enable verbose output"
}
],
"effects": {
"filesystem": {"write": true},
"network": false,
"idempotent": false
}
}
}
}
if "--agent" in sys.argv:
print(json.dumps(ATIP_METADATA))
sys.exit(0)
# ... rest of your tool logicSee docs/adoption-guide.md for full details.
For tools that don't natively support --agent, you can create shim files:
# ~/.local/share/agent-tools/shims/curl.json
{
"atip": {"version": "0.6"},
"name": "curl",
"version": "8.4.0",
"description": "Transfer data from or to a server",
"commands": {
"": {
"description": "Make HTTP request",
"options": [...],
"effects": {"network": true, "idempotent": false}
}
}
}Or use atip-gen to auto-generate metadata from --help output:
atip-gen curl -o shims/curl.jsonIntegrate ATIP into your AI agent:
from atip_bridge import discover_tools, compile_to_openai, execute_tool
# 1. Discovery
tools = discover_tools() # Scans PATH and shims
# 2. Compile to provider format
openai_tools = [compile_to_openai(t) for t in tools]
# 3. Send to LLM
response = client.chat.completions.create(
model="gpt-4",
messages=messages,
tools=openai_tools
)
# 4. Execute directly
for call in response.choices[0].message.tool_calls:
result = execute_tool(call.function.name, call.function.arguments)See docs/agent-integration.md for integration patterns.
No servers, daemons, or sockets. Works on a fresh system with only the tool binary.
Tools declare effects (destructive, idempotent, reversible, cost) so agents can make informed decisions:
{
"effects": {
"destructive": true,
"reversible": false,
"cost": {"billable": true}
}
}Cryptographically verify tool binaries and control what capabilities agents can useβdown to the parameter level:
{
"trust": {
"source": "native",
"verified": true,
"integrity": {
"checksum": "sha256:e3b0c44298fc1c14...",
"signature": {
"type": "cosign",
"identity": "https://github.com/cli/cli/.github/workflows/release.yml@refs/tags/v2.45.0",
"issuer": "https://token.actions.githubusercontent.com"
}
},
"provenance": {
"url": "https://github.com/cli/cli/attestations/...",
"format": "slsa-provenance-v1",
"slsaLevel": 3
}
}
}Enterprise-grade controls:
- Binary verification β SHA-256 hash + Sigstore/Cosign signatures
- Supply chain attestation β SLSA provenance verification
- Trust levels β COMPROMISED β UNSIGNED β UNVERIFIED β VERIFIED
- Policy enforcement β Allowlist signers, builders, minimum trust levels
- Capability gating β Restrict destructive operations to verified tools only
Large tools (kubectl, aws-cli) support filtered discovery to avoid context bloat:
$ kubectl --agent --commands=pods,deployments --depth=1Metadata includes stdin/TTY requirements so agents know when tools need special handling:
{
"interactive": {
"stdin": "required",
"prompts": true,
"tty": false
}
}ATIP compiles to native function calling formats for OpenAI, Gemini, and Anthropic with safety information preserved.
ATIP complements MCPβuse ATIP for discovery, MCP for stateful execution when needed.
How ATIP tools work together to enable AI agents to safely use CLI tools:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β ATIP Toolchain β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β β
β ββββββββββββββββ βββββββββββββββ βββββββ ββββββββββββββββ β
β βatip-discover β β β atip-bridge β β β LLM β β β atip-execute β β
β β β β β β β β β β
β β Find tools β β Compile to β β β β Run safely β β
β β with --agent β β OpenAI/etc β β β β with checks β β
β ββββββββββββββββ βββββββββββββββ βββββββ ββββββββ¬ββββββββ β
β β β β
β β ββββββββββββββββ β β
β β βatip-registry β ββββββββββββββββ β
β ββββββββββββββ β β CLI Tool β β
β β Shim hosting β β β β
β ββββββββββββββββ β gh, kubectl, β β
β β terraform... β β
β Supporting: atip-validate, atip-gen, ββββββββββββββββ β
β atip-lint, atip-diff β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
See reference/README.md for detailed tool documentation.
atip/
βββ spec/rfc.md # Full specification (v0.6.0)
βββ schema/0.6.json # JSON Schema for validation
βββ examples/ # Example ATIP metadata
β βββ gh.json # Full example (GitHub CLI)
β βββ minimal.json # Minimal valid ATIP
β βββ tools/ # Example tools implementing --agent
β βββ hello-atip # Minimal bash example
β βββ atip-echo # Effects metadata example
βββ reference/ # Reference implementations
β βββ atip-bridge/ # TypeScript compiler library
β βββ atip-discover/ # Discovery CLI (TypeScript)
β βββ atip-discover-go/ # Discovery CLI (Go)
β βββ atip-validate/ # Schema validator
β βββ atip-gen/ # Auto-generate from --help
βββ docs/ # Additional documentation
βββ adoption-guide.md
βββ agent-integration.md
βββ why-not-mcp.md
- RFC Specification β Complete protocol specification
- Adoption Guide β For tool authors
- Agent Integration β For agent developers
- Why Not MCP? β Positioning and comparison
- Contributing β How to contribute
- atip-discover β Scan PATH for ATIP-compatible tools
- atip-validate β Validate ATIP metadata against schema
- atip-gen β Generate ATIP metadata from --help output
- atip-bridge β TypeScript library for compiling ATIP to provider formats
{
"atip": {"version": "0.6"},
"name": "hello",
"version": "1.0.0",
"description": "Print a greeting",
"commands": {
"": {
"description": "Say hello",
"arguments": [
{"name": "name", "type": "string", "required": true}
],
"effects": {"filesystem": {}, "network": false}
}
}
}See examples/gh.json for a complete GitHub CLI example with:
- Nested subcommands
- Authentication requirements
- Effect declarations
- Usage patterns
See examples/tools/ for working CLI tools that implement --agent:
hello-atipβ Minimal bash exampleatip-echoβ Demonstrates various effects metadata
| Aspect | ATIP | MCP |
|---|---|---|
| Purpose | Tool introspection | Stateful execution |
| Infrastructure | None | Server process |
| Typical tools | gh, kubectl, terraform | Playwright, databases |
| Use together? | Yes β ATIP for discovery, MCP for execution |
ATIP and MCP solve different problems. See docs/why-not-mcp.md for detailed comparison.
Current Version: 0.6.0 (Draft)
This specification is open for community feedback and contributions.
- v0.1.0 β Core protocol and schema
- v0.2.0 β Partial discovery
- v0.3.0 β Interactive effects
- v0.4.0 β Trust and provenance
- v0.5.0 β Cryptographic verification (SLSA/Sigstore)
- v0.6.0 β Content-addressable registry
- v1.0.0 β Stable release
We welcome contributions! Please see CONTRIBUTING.md for:
- Proposing spec changes
- Contributing shims
- Reporting issues
- Submitting implementations
This specification and reference implementations are released under the MIT License.
- Specification: spec/rfc.md
- JSON Schema: schema/0.6.json
- Issues: GitHub Issues
- Discussions: GitHub Discussions
Built for the agent-native future.