MCP-first is not hype around a new protocol. It is an architectural shift. Modern software is no longer conceived first as a web app, but as a fully controllable, machine-readable, secure capability system. Web app, mobile app, CLI, and admin interfaces are then only secondary interfaces on top of the same core.
A screen is just one interface. The actual software is its capability.
1 · Capabilities instead of Screens
A feature is not a page. A feature is a capability. Whoever describes the capability first can offer it everywhere: in the UI, in the agent, in the worker.
2 · Tools instead of Buttons
A button is only the human representation of a tool. The tool (typed, permission-checked, audited) is the real thing.
3 · Resources instead of Tables
A table is only a visual representation of a resource. Agents need the resource with context, not the rendered table.
4 · Workflows instead of Navigation
Agents do not need navigation. They need clear workflows that guide them through complex processes.
5 · Policies instead of Trust
6 · Confirmation instead of Blind Automation
Risky actions require human approval. MCP-first means fully controllable, not fully automatic.
7 · Audit instead of Opacity
Every agent action must be traceable: who, what, when, with which approval.
8 · Context instead of Raw Data
Agents need relevant, prepared context, not complete databases. Redaction and context filtering are mandatory.
9 · Human UI as Client
Web app and mobile app are clients, not the core. They call the same actions as the agent.
10 · 100 % controllable, not 100 % autonomous
Everything must be controllable. Not everything is allowed to happen autonomously.
If your software can do it, MCP must be able to describe it. If an agent can call it, Policy must be able to control it.
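A minimal sketch of principles 5 to 7 as one call path, added here as an illustration and not taken from the original page or any MCP SDK. The names `CapabilityServer`, `Tool`, `Risk` and `secret_fields`, the outcome strings, the confirmation threshold and the no-self-approval rule are all assumptions.

```python
import enum
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional

Risk = enum.IntEnum("Risk", "LOW MEDIUM HIGH CRITICAL")  # ordered: LOW=1 .. CRITICAL=4

@dataclass(frozen=True)
class Tool:
    name: str
    risk: Risk
    handler: Callable[[dict], dict]
    secret_fields: frozenset = frozenset()  # argument keys never written to the audit log

class CapabilityServer:
    """Hypothetical adapter: every call passes policy, approval gate and audit."""

    def __init__(self, confirm_at: Risk = Risk.HIGH):
        self.tools: dict = {}
        self.audit: list = []
        self.confirm_at = confirm_at  # assumption: HIGH and above need a human approver

    def register(self, tool: Tool) -> None:
        self.tools[tool.name] = tool

    def call(self, actor: str, name: str, args: dict, approved_by: Optional[str] = None):
        tool, result = self.tools.get(name), None
        gated = tool is not None and tool.risk >= self.confirm_at
        if tool is None:
            outcome = "denied:unknown_tool"
        elif gated and approved_by is None:
            outcome = "pending:approval_required"
        elif gated and approved_by == actor:
            outcome = "denied:self_approval"  # assumption: the caller cannot approve itself
        else:
            try:
                result, outcome = tool.handler(args), "ok"
            except Exception as exc:  # failures are audited too, not swallowed silently
                outcome = f"error:{type(exc).__name__}"
        secrets = tool.secret_fields if tool else frozenset(args)  # unknown tool: redact all
        self.audit.append({  # who, what, when, with which approval
            "who": actor, "what": name, "when": datetime.now(timezone.utc).isoformat(),
            "risk": tool.risk.name if tool else None, "approved_by": approved_by,
            "args": {k: "[REDACTED]" if k in secrets else v for k, v in args.items()},
            "outcome": outcome,
        })
        return outcome, result
```

Denied and pending calls are written to the audit list as well, so a review can see attempted risky actions and not only completed ones.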
Example Skills
The principles are not an end in themselves. They are best illustrated where agents operate the MCP server themselves, creating, controlling, and auditing it. Such skills are packaged workflows that follow exactly the same rules they enforce: every risky step carries a risk level, critical steps sit behind an approval gate, and every action is audited.
mcp.scaffold_server: Bootstraps a capability-first MCP server: domain actions first, typed schemas, policy engine, risk metadata, and audit, before any interface is created.
trigger "Create an MCP server for …" Create
Steps
- Model domain actions; business logic stays in the domain. (risk: Low)
- Generate typed input, output, and error schemas. (risk: Low)
- Assign risk level and confirmation policy to each tool. (risk: Medium)
- Generate server as adapter: discovery, policy checks, audit. (risk: High)
- Register critical tools only after explicit approval. (risk: Critical, ⏸ approval required)
mcp.audit_trail: Read-only review: reads the audit trail and risk coverage, runs through the checklist, and reports gaps. Changes nothing.
trigger "Check the MCP server against MCP-first" Audit
Steps
- Read capability inventory and risk levels. (risk: Low)
- Check audit events for completeness and redaction. (risk: Low)
- Flag tools without risk classification. (risk: Low)
- Output findings as a structured report, no write action. (risk: Low)
More examples (adding capabilities, controlling tool visibility, connecting clients, hardening security) are on the Example Skills page.
The future belongs to software that is not just usable, but securely controllable.