deploy.release without a declaration, or a resource type you’ve never seen shows up in telemetry.
Apie compares runtime tool calls against your declared capabilities and surfaces drift warnings.
Enable drift warnings
Configure boundary warnings in your SDK config:

| Setting | What it detects |
|---|---|
| warnOnUndeclaredTools | Tool calls for tools not in your declared capabilities |
| warnOnUnknownResourceTypes | Resource types not seen in any capability declaration |
| autoInferFromToolNames | Infer action/resource from tool names (helps match undeclared tools to expected patterns) |
What drift looks like
Undeclared tool
Your agent calls vault.read_secret but you only declared search and github.merge_pr:
- Apie emits the tool call event normally
- A boundary warning is attached: tool vault.read_secret is not in declared capabilities
- In the dashboard, the boundary map highlights the gap
Unknown resource type
Your agent touches shell_command but your capabilities only list code_repository and work_item:
- A warning flags the unknown resource type
- Guardrails may treat it as higher risk if templates match on resource type
What you’ll see
Boundary drift warnings appear in the dashboard boundary map and in the event validation output from doctor.
Remediation workflow
- Monitor — run in monitor mode with drift warnings enabled
- Review — check which undeclared tools appear in production telemetry
- Declare — add missing capabilities via config or capabilities declare
- Enforce — enable guardrail templates and switch to Enforce mode
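The following is an added example, not Apie's SDK code, modelling the drift check that the settings table and the Monitor/Review/Declare/Enforce workflow describe. It uses the three setting names from the table as fields of a constructed DriftConfig; the mode field, the DriftMonitor class, the "namespace.action" tool-naming convention used for inference, and the declared capabilities and telemetry are all assumptions constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field


# Constructed stand-in for the SDK config keys in the settings table.
# "mode" is an assumption, used to show Monitor versus Enforce behaviour.
@dataclass
class DriftConfig:
    warnOnUndeclaredTools: bool = True
    warnOnUnknownResourceTypes: bool = True
    autoInferFromToolNames: bool = True
    mode: str = "monitor"  # "monitor" warns only; "enforce" also blocks the call


@dataclass(frozen=True)
class Capability:
    tool: str           # declared tool name, e.g. "github.merge_pr"
    action: str         # e.g. "merge"
    resource_type: str  # e.g. "code_repository"


@dataclass(frozen=True)
class ToolCall:
    tool: str
    resource_type: str | None = None  # what telemetry reported, if anything


@dataclass
class CheckResult:
    allowed: bool
    warnings: list[str] = field(default_factory=list)


def split_tool_name(tool: str) -> tuple[str | None, str]:
    """Assumed convention '<namespace>.<action>'; bare names have no namespace."""
    if "." in tool:
        namespace, action = tool.split(".", 1)
        return namespace, action
    return None, tool


class DriftMonitor:
    """Compares runtime tool calls against declared capabilities (hypothetical)."""

    def __init__(self, config: DriftConfig, declared: list[Capability]) -> None:
        self.config = config
        self.declared = {c.tool: c for c in declared}
        self.known_resource_types = {c.resource_type for c in declared}
        # Namespace -> resource type learned from declarations ("github" -> "code_repository").
        # With autoInferFromToolNames on, this matches undeclared tools to expected patterns.
        self.namespace_resource: dict[str, str] = {}
        for c in declared:
            namespace, _ = split_tool_name(c.tool)
            if namespace is not None:
                self.namespace_resource.setdefault(namespace, c.resource_type)

    def check(self, call: ToolCall) -> CheckResult:
        warnings: list[str] = []
        resource_type = call.resource_type

        if call.tool not in self.declared and self.config.warnOnUndeclaredTools:
            msg = f"tool {call.tool} is not in declared capabilities"
            if self.config.autoInferFromToolNames:
                namespace, action = split_tool_name(call.tool)
                inferred = self.namespace_resource.get(namespace) if namespace else None
                if inferred is not None:
                    msg += f" (inferred action={action}, resource={inferred})"
                    resource_type = resource_type or inferred
            warnings.append(msg)

        if (self.config.warnOnUnknownResourceTypes and resource_type is not None
                and resource_type not in self.known_resource_types):
            warnings.append(f"resource type {resource_type} not seen in any capability declaration")

        # Monitor mode only attaches warnings; Enforce mode also blocks the drifting call.
        blocked = self.config.mode == "enforce" and bool(warnings)
        return CheckResult(allowed=not blocked, warnings=warnings)

    def undeclared_tools(self, calls: list[ToolCall]) -> set[str]:
        """Review step: tool names seen in telemetry that have no declaration."""
        return {c.tool for c in calls if c.tool not in self.declared}


# Constructed declarations and telemetry for the demo.
DECLARED = [
    Capability("search", "search", "search_index"),
    Capability("github.merge_pr", "merge", "code_repository"),
    Capability("tracker.update_item", "update", "work_item"),
]
TELEMETRY = [
    ToolCall("github.merge_pr"),
    ToolCall("vault.read_secret"),
    ToolCall("github.close_pr"),
    ToolCall("shell.run", resource_type="shell_command"),
]

if __name__ == "__main__":
    monitor = DriftMonitor(DriftConfig(mode="monitor"), DECLARED)
    for call in TELEMETRY:
        for w in monitor.check(call).warnings:
            print(f"[boundary warning] {call.tool}: {w}")
    print("undeclared tools to review:", sorted(monitor.undeclared_tools(TELEMETRY)))
```

Running it in monitor mode yields one warning for vault.read_secret (undeclared, no inferable resource), one for github.close_pr (undeclared, but inference maps the github namespace to the already-known code_repository type) and two for shell.run (undeclared tool plus the unknown shell_command resource type); only after switching mode to "enforce" does the last call come back as not allowed, which is why the workflow has you review and declare before enforcing.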
MCP auto-discovery
The MCP proxy defines tools automatically when it receives tools/list from the upstream server. This reduces drift for MCP-hosted agents — but review auto-discovered tools before enabling Enforce mode.
See MCP proxy.
Next steps
Declare capabilities
Add missing tool declarations.
Boundary reports
Generate compliance reports over a time window.
