ARF exposes a Model Context Protocol server with sixty-plus tools. Knowledge, tasks, vault credentials, sub-agent dispatch, agent steering, provenance, and direct human-to-agent message injection. All governed, all auditable, on a single stdio JSON-RPC connection.
Model Context Protocol (Anthropic's open spec for connecting agents to tools and resources) is the lingua franca for agent capability. ARF speaks MCP and exposes its entire governance, orchestration, and memory surface through a single arf mcp-server process. Run any MCP-aware client (Claude Desktop, Cursor, Zed, custom) and get governed access to shared agent memory, project task graphs, audited credentials, and sub-agent dispatch.
Every agent writes into the same memory. Every agent can search it. Facts carry provenance: who added them, when, and with what supporting evidence. They age through a four-stage maturity curve as other agents attest to them.
Backed by a JSONL fact store and an optional PostgreSQL + pgvector instance for semantic search. The same fact is reachable by keyword and by 1536-dim embedding similarity.
A human-readable index sits next to it: TASKS.md, project memory directories, command manifests. People and agents read and write the same store. There is no agent-only memory and no human-only memory. Everything is shared.
Every fact starts as Data. After 3 independent attestations it becomes Information. After 6, Knowledge. After 9, Wisdom.
Queries can require a minimum maturity. knowledge_query(min_dikw="knowledge") ignores anything still in the data layer. Useful for production decisions.
Human-readable markdown is the source of truth. A task's lifecycle (created, updated, checked out by an agent, blocked, decided, checked in) is mirrored to an append-only JSONL event log. With [task_db] configured, every event also flows into a PostgreSQL task_events table for query and replay.
Agents call arf_task_checkout_next to claim the highest-priority unassigned task. The session ID is recorded with the checkout. On finish, arf_task_checkin records the outcome (done / blocked / deferred). People can override, comment, block, or decide via the same MCP calls.
An agent that needs help calls arf_subagent. ARF's routing engine scores every available runner-engine-model triple against the constraints (cost ceiling, latency budget, required capabilities) and dispatches the best match. The session ID and the routing rationale come back in the response.
Routing-aware dispatch. Pass constraints; ARF picks the runner, engine, and model. Per-request overrides persist into the session for follow-on calls.
Direct runner invocation: arf_run_claude, arf_run_codex, arf_run_gemini, arf_run_antigravity. Bypasses routing when you know exactly which runner you want.
Governed child session under the AugmentFoundry executor. Linked in the provenance DAG. Child capability pack must be equal or more restrictive than parent. Privilege never escalates downstream.
Inject a human-authored message into a running agent's turn queue. The agent receives it as a synthetic user prompt on its next turn. No async waiting, no approval card overhead, no special UI.
Useful for redirecting an agent that's drifting, providing missing context the agent didn't ask for, or stopping a tool call mid-execution with new instructions.
CLI-based process control. arf steer pause <agent> sends SIGSTOP. arf steer resume sends SIGCONT. arf steer redirect <agent> <instruction> injects a new task. arf steer priority <agent> <1-5> reorders execution.
Steering directives are recorded in the provenance chain alongside every governance event. The audit trail shows not only what the agent did but every human intervention along the way.
vault_list,
vault_checkout,
vault_return,
vault_ssh_keygen. Checkout requires explicit user approval. ssh-keygen produces ephemeral keypairs that auto-expire.
provenance_show,
provenance_verify,
governance_report. Every tool call records to the chain. Tampering is detected at verify time. Bundles travel; integrity is checked anywhere.
governance_check_action,
governance_report_event,
governance_rules,
governance_get_accord,
governance_conformance_score.
worktree_create,
arf_git_worktree_fanin,
arf_git_commit,
arf_git_pr_create,
arf_build_queue_status,
arf_acquire_file_lock. Force-push and protected-branch writes are refused at the tool layer.
arf_session_start,
arf_plan_create,
arf_plan_approve,
arf_plan_exec,
arf_dag_verify,
arf_generate_report. Plans bind to a hash; approving a plan approves that exact command, args, and environment.
cross_project_message queues messages to another project's agent inbox.
governance_rogues scans for AI CLI processes not routed through ARF.
arf_intercept evaluates proposed sub-agent spawns against policy before they happen.
ARF also exposes three read-only MCP resources. Configuration, governance rules, and the knowledge fact store are all addressable via standard resources/read calls. Any MCP client can inspect them without holding a long-lived tool session.
TASKS.md is a human-readable markdown file in your project root. It's the source of truth for what work is planned. Agents use MCP tools to claim tasks, report progress, and check them in when done. Humans read and edit the same file.
Every task lifecycle event flows to an append-only task-history.jsonl and, when configured, to the PostgreSQL task_events table. The TASKS.md source of truth is always human-readable. The event log is machine-queryable.
ARF's MCP server runs as a stdio subprocess. The client speaks JSON-RPC over stdin/stdout. No HTTP port to open, no network exposure, no auth handshake. The MCP transport is the parent process boundary. Governance and provenance are enforced inside the server before a tool ever returns.