Version: MVP

Agent Client Protocol Bridge

3 min read · For integrators · Updated 2026-05-23

What you'll find here

How v0.12.0 evaluates editor or client tool calls before they cross into Craik runtime authority.

Clients route through Craik; they do not become policy.

The bridge adapter rejects calls that lack operator authentication, policy envelope context, capability grants, receipts, or redaction. Client-provided instructions never outrank Craik policy.

First Adapter

v0.12.0 ships LocalAgentClientBridgeAdapter for local protocol smoke tests. It accepts an AgentClientBridgeRequest, runs decide_agent_client_bridge, and returns:

| Decision | Result | Meaning |
|----------|--------|---------|
| allowed | receipt emitted | The request had operator auth, policy envelope, capability grant, receipt, and redaction controls. |
| blocked | no receipt | The request was missing a required control or attempted instruction/tool authority elevation. |

Required Controls

Every bridge request must include:

  • Operator subject from the active auth boundary.
  • Policy envelope id.
  • Capability grant id.
  • Redacted arguments and redacted output.
  • Receipt creation for allowed calls.

Write-effect requests also require operator approval. Missing approval blocks the request before adapter output is produced.

Prohibited Requests

The bridge blocks requests that:

  • Accept client instructions as authoritative over Craik policy.
  • Ask for unbounded tool access.
  • Send unredacted input or output.
  • Omit policy envelope or capability grant context.
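
The required controls and prohibited requests above, combined into one fail-closed decision function. This is an added sketch, not Craik's code: BridgeRequest, Decision, decide, every field name, the "*" wildcard for unbounded tool access, and the receipt id format are assumptions made for illustration.

```python
# Added illustration; NOT Craik's implementation. All field and function
# names here are hypothetical stand-ins for the controls the page lists.
from dataclasses import dataclass
from typing import Optional
import uuid


@dataclass(frozen=True)
class BridgeRequest:
    operator_subject: Optional[str]        # from the active auth boundary
    policy_envelope_id: Optional[str]
    capability_grant_id: Optional[str]
    tool: str                              # "*" models an unbounded tool request
    arguments_redacted: bool
    output_redacted: bool
    write_effect: bool = False
    operator_approved: bool = False
    client_overrides_policy: bool = False  # client instructions claim authority


@dataclass(frozen=True)
class Decision:
    decision: str                          # "allowed" or "blocked"
    reasons: tuple = ()
    receipt_id: Optional[str] = None       # set only for allowed calls


def decide(req: BridgeRequest) -> Decision:
    """Fail closed: collect every violated control, allow only if none."""
    checks = [
        (not req.operator_subject, "missing operator authentication"),
        (not req.policy_envelope_id, "missing policy envelope"),
        (not req.capability_grant_id, "missing capability grant"),
        (not (req.arguments_redacted and req.output_redacted), "unredacted input or output"),
        (req.client_overrides_policy, "client instruction elevation"),
        (req.tool == "*", "unbounded tool access"),
        (req.write_effect and not req.operator_approved, "write effect without operator approval"),
    ]
    reasons = tuple(msg for failed, msg in checks if failed)
    if reasons:
        return Decision("blocked", reasons)  # blocked calls never get a receipt
    return Decision("allowed", (), f"rcpt-{uuid.uuid4()}")


# Constructed sample requests.
OK = BridgeRequest("op:alice", "env-1", "grant-1", "read_file", True, True)
WRITE = BridgeRequest("op:alice", "env-1", "grant-1", "write_file", True, True, write_effect=True)
ELEVATE = BridgeRequest("op:alice", None, "grant-1", "*", True, False, client_overrides_policy=True)
```

Collecting every failed control, rather than returning on the first, gives the operator a complete block reason while still producing no adapter output or receipt for the call.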

Validation

Run the bridge tests when changing protocol bridge decisions or adapter receipt behavior:

uv run pytest tests/test_protocol_bridge.py
