When you register a tool, oakallow asks you to declare four MCP annotations: read-only, destructive, idempotent, and open-world. These are the same annotations Anthropic's Connector Directory and OpenAI's Apps SDK both require on every tool an AI agent can call. They tell the agent whether the tool mutates data, whether repeat calls are safe, and whether the effects can be undone.
- Read-only: true if the tool only reads or queries (no writes, no side effects).
- Destructive: true if effects cannot be trivially undone (sends email, charges money, deletes records).
- Idempotent: true if repeat calls with the same arguments leave the world in the same state.
- Open-world: true if the tool reaches beyond oakallow to an external system (your backend, Slack, email, etc.).
Oakallow does not vouch for the accuracy of these annotations. We relay what you declared, unchanged, to every MCP client that connects. That is why we ask you to explicitly acknowledge at registration time that the annotations describe the tool accurately. Incorrect annotations can cause an AI agent to misjudge risk: for example, ChatGPT skips confirmation prompts for tools marked read-only, so flagging a write action as read-only would bypass a safety gate. Anthropic's review requires accurate annotations before a connector can be listed in the Directory.