Architecture Pattern · Specification v0.1

Build software for Agents first. Interfaces come after.

The next generation of software will no longer be operated primarily through buttons, forms, and tables. It will be controlled through secure, described, and automatable capabilities.

A screen is just one interface. A capability is the product.

The Shift

The web app is no longer the core. It is a client.

Classic

  1. Webapp
  2. Mobile App
  3. Admin UI
  4. API
  5. Automation
  6. AI-Integration

MCP-first

  1. Domain Model
  2. Action Layer
  3. Permission Layer
  4. MCP Tools
  5. MCP Resources
  6. MCP Workflows
  7. Audit Layer
  8. Webapp · Mobile · Admin · API · Automation

Why UI-first breaks

An agent should not have to click through interfaces.

For humans, pages, modals, and tables make sense. For agents, automations, and external systems they are the wrong abstraction model.

An agent should not need to know

  • which page a button is on
  • which modal needs to be opened
  • which table to filter first
  • which click sequence is required

An agent needs

  • which actions exist
  • what inputs and outputs they have
  • which permissions are required
  • which action is dangerous or final

What MCP-first means

Every capability becomes a structured building block.

MCP-first is an architecture principle in which software is described first through its capabilities: machine-readable, typed, and permission-checked.

If your software can do it, MCP must be able to describe it. If MCP can execute it, Policy must be able to control it.

Security first

Agent-ready does not mean uncontrolled.

Every capability gets a risk level. The AI is not allowed to do everything automatically, but the system must be able to structurally describe everything it can do.

  • Low: Usually allowed to run autonomously.
  • Medium: Autonomous when context is unambiguous.
  • High: Often requires confirmation.
  • Critical: Always confirmation, often step-up auth.
  • Forbidden for AI: Blocked for AI.

Sales Assistant

emails.send_external · Critical

Send follow-up for project Havelblick to Max Müller.

  • Recipient: Max Müller · Müller GmbH
  • Attachment: Download link, valid for 14 days
  • Reason: External communication with project-related information.

Architecture

The core is the controllable capability layer.

Business logic does not live in the web app and not in the MCP server. Both are adapters. The actual core is the capability layer, used by all interfaces.


Authentication & Authorization

Not every agent is allowed to see every tool.

OAuth 2.1 + PKCE

For MCP clients, with short-lived tokens and rotation.

Delegated Context

Agents act on behalf of a user, not with system privileges.

Agent Identity

Sales, Payroll, Support Agent as distinct identities.

Scopes & Tenants

Tools are already filtered by permissions at discovery.
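The risk levels and the discovery-time filtering described above, combined into one policy gate. This is an added sketch, not code from the MCP-first specification: the scope strings, every capability except emails.send_external, the agent and user names, and the decision labels are assumptions, and it simplifies "often" to "always" for High confirmation and Critical step-up auth.

```python
from dataclasses import dataclass
from enum import Enum

class Risk(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"
    CRITICAL = "critical"
    FORBIDDEN_FOR_AI = "forbidden_for_ai"

@dataclass(frozen=True)
class Capability:
    name: str
    scope: str   # permission needed to discover and call the tool (assumed naming)
    risk: Risk

@dataclass(frozen=True)
class Agent:
    identity: str       # distinct agent identity
    on_behalf_of: str   # delegated user context, not system privileges
    scopes: frozenset

# Constructed registry; only emails.send_external is named on the page.
REGISTRY = {c.name: c for c in (
    Capability("projects.read_summary", "projects:read", Risk.LOW),
    Capability("emails.send_external", "emails:send", Risk.CRITICAL),
    Capability("payroll.run_payout", "payroll:write", Risk.FORBIDDEN_FOR_AI),
)}
AUDIT = []  # every decision is recorded, including denials

def discover(agent):
    """Discovery filter: unscoped or AI-forbidden tools are never listed."""
    return sorted(c.name for c in REGISTRY.values()
                  if c.scope in agent.scopes and c.risk is not Risk.FORBIDDEN_FOR_AI)

def _decide(agent, cap, unambiguous, confirmed, step_up):
    if cap is None or cap.scope not in agent.scopes or cap.risk is Risk.FORBIDDEN_FOR_AI:
        return "deny"
    if cap.risk is Risk.LOW or (cap.risk is Risk.MEDIUM and unambiguous):
        return "allow"
    if not confirmed:
        return "confirm"    # MEDIUM with ambiguous context, HIGH, CRITICAL
    if cap.risk is Risk.CRITICAL and not step_up:
        return "step_up"    # assumption: CRITICAL always needs step-up here
    return "allow"

def authorize(agent, name, *, unambiguous=False, confirmed=False, step_up=False):
    """Call-time check; hiding a tool at discovery is not enforcement by itself."""
    decision = _decide(agent, REGISTRY.get(name), unambiguous, confirmed, step_up)
    AUDIT.append((agent.identity, agent.on_behalf_of, name, decision))
    return decision
```

The call-time check repeats the scope and risk tests on purpose: an agent that guesses a tool name it was never shown still gets "deny", and the denial lands in the audit trail.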


By Industry

Same pattern, every domain.

The Manifesto

Ten principles.

  1. Capabilities instead of Screens
  2. Tools instead of Buttons
  3. Resources instead of Tables
  4. Workflows instead of Navigation
  5. Policies instead of Trust
  6. Confirmation instead of blind Automation
  7. Audit instead of Opacity
  8. Context instead of Raw Data
  9. Human UI as Client
  10. 100 % controllable, not 100 % autonomous

For machines

A hard-spec manifest your agents can read.

Beyond this page there is a normative, vendor-neutral edition written for AI agents at mcp-first.ai/manifest.ai. Point an LLM at it to audit any existing MCP server against 40 conformance rules.

Example prompt:
Audit my MCP server against https://mcp-first.ai/manifest.ai. For each rule return pass / fail with a one-line reason, then an overall conformance score.

The central question of modern software is no longer "which screens do we need?", but: what capabilities does our system have, who is allowed to use them, and how secure are they?