|
| 1 | +--- |
| 2 | +title: "Architecture" |
| 3 | +description: "Overview of the Agent Client Protocol architecture" |
| 4 | +--- |
| 5 | + |
| 6 | +The Agent Client Protocol defines a standard interface for communication between AI agents and client applications. The architecture is designed to be flexible, extensible, and platform-agnostic. |
| 7 | + |
| 8 | + |
| 9 | + |
| 10 | +## Design Philosophy |
| 11 | + |
| 12 | +The protocol architecture follows several key principles: |
| 13 | + |
| 14 | +### 1. **Session-Based Isolation** |
| 15 | +Each interaction operates within a session context, providing: |
| 16 | +- State isolation between different conversations |
| 17 | +- Clean lifecycle management |
| 18 | +- Resource scoping and cleanup |
| 19 | + |
| 20 | +### 2. **Tool-Centric Design** |
| 21 | +The protocol treats all operations as tools, creating a uniform interface for: |
| 22 | +- MCP server integrations (`McpToolId`) |
| 23 | +- Client-provided capabilities (`ClientTools`) |
| 24 | +- Permission-gated operations |
| 25 | + |
| 26 | +### 3. **Streaming-First Communication** |
| 27 | +Built for real-time interaction through: |
| 28 | +- Chunked message delivery (`agentMessageChunk`, `agentThoughtChunk`) |
| 29 | +- Progressive tool execution updates (`toolCallUpdate`) |
| 30 | +- Incremental plan revelations |
| 31 | + |
| 32 | +## Component Architecture |
| 33 | + |
| 34 | +### Component Boundaries |
| 35 | + |
| 36 | +1. **Client Application Layer** |
| 37 | + - Manages UI/UX concerns |
| 38 | + - Handles permission dialogs |
| 39 | + - Provides file system access through controlled tools |
| 40 | + |
| 41 | +2. **ACP Protocol Layer** |
| 42 | + - Session lifecycle management |
| 43 | + - Message routing and transformation |
| 44 | + - Tool orchestration |
| 45 | + - Permission enforcement |
| 46 | + |
| 47 | +3. **Agent Layer** |
| 48 | + - LLM integration |
| 49 | + - Reasoning and planning |
| 50 | + - Tool selection and execution |
| 51 | + - Response generation |
| 52 | + |
| 53 | +## Key Architectural Patterns |
| 54 | + |
| 55 | +### 1. Tool Abstraction Pattern |
| 56 | + |
| 57 | +All capabilities are exposed as tools with a consistent interface: |
| 58 | + |
| 59 | +```rust |
| 60 | +pub struct McpToolId { |
| 61 | + pub mcp_server: String, |
| 62 | + pub tool_name: String, |
| 63 | +} |
| 64 | +``` |
| 65 | + |
| 66 | +This abstraction enables: |
| 67 | +- Uniform permission handling |
| 68 | +- Consistent execution tracking |
| 69 | +- Flexible capability composition |
| 70 | + |
| 71 | +### 2. Content Polymorphism |
| 72 | + |
| 73 | +The protocol uses discriminated unions for content flexibility: |
| 74 | + |
| 75 | +```rust |
| 76 | +pub enum ContentBlock { |
| 77 | + Text(TextContent), |
| 78 | + Image(ImageContent), |
| 79 | + Audio(AudioContent), |
| 80 | + ResourceLink(ResourceLink), |
| 81 | + // ... extensible |
| 82 | +} |
| 83 | +``` |
| 84 | + |
| 85 | +Benefits: |
| 86 | +- Type-safe content handling |
| 87 | +- Forward compatibility |
| 88 | +- Rich media support |
| 89 | + |
| 90 | +### 3. Update Streaming Pattern |
| 91 | + |
| 92 | +Session updates follow a streaming pattern for responsive interaction: |
| 93 | + |
| 94 | +```rust |
| 95 | +pub enum SessionUpdate { |
| 96 | + Started, |
| 97 | + UserMessage(ContentBlock), |
| 98 | + AgentMessageChunk(ContentBlock), |
| 99 | + AgentThoughtChunk(ContentBlock), |
| 100 | + ToolCall(ToolCall), |
| 101 | + ToolCallUpdate(ToolCallUpdate), |
| 102 | + Plan(Plan), |
| 103 | +} |
| 104 | +``` |
| 105 | + |
| 106 | +This enables: |
| 107 | +- Real-time feedback |
| 108 | +- Progressive rendering |
| 109 | +- Interruptible operations |
| 110 | + |
| 111 | +## Implementation Considerations |
| 112 | + |
| 113 | +### State Management |
| 114 | + |
| 115 | +The protocol maintains minimal shared state: |
| 116 | +- **Session State**: Managed by session ID, includes configuration and context |
| 117 | +- **Tool State**: Tracked through tool call IDs for update correlation |
| 118 | +- **Permission State**: Cached permission decisions (allow/reject always) |
| 119 | + |
| 120 | +### Error Boundaries |
| 121 | + |
| 122 | +Error handling is localized to maintain system stability: |
| 123 | +- Tool failures don't crash sessions |
| 124 | +- MCP server errors are isolated |
| 125 | +- Network failures are recoverable |
| 126 | + |
| 127 | +### Performance Optimization |
| 128 | + |
| 129 | +Key areas for optimization: |
| 130 | +1. **Streaming Buffers**: Chunk size tuning for message streams |
| 131 | +2. **Tool Parallelization**: Concurrent tool execution where safe |
| 132 | +3. **Session Caching**: Reuse of MCP server connections |
| 133 | +4. **Content Deduplication**: Efficient handling of repeated resources |
| 134 | + |
| 135 | +## Integration Patterns |
| 136 | + |
| 137 | +### 1. MCP Server Integration |
| 138 | + |
| 139 | +```rust |
| 140 | +pub struct McpServerConfig { |
| 141 | + pub command: PathBuf, |
| 142 | + pub args: Vec<String>, |
| 143 | + pub env: Option<HashMap<String, String>>, |
| 144 | + pub enabled_tools: Option<Vec<String>>, |
| 145 | +} |
| 146 | +``` |
| 147 | + |
| 148 | +Supports: |
| 149 | +- Dynamic server spawning |
| 150 | +- Tool whitelisting |
| 151 | +- Environment isolation |
| 152 | + |
| 153 | +### 2. Client Tool Mapping |
| 154 | + |
| 155 | +```rust |
| 156 | +pub struct ClientTools { |
| 157 | + pub request_permission: Option<McpToolId>, |
| 158 | + pub write_text_file: Option<McpToolId>, |
| 159 | + pub read_text_file: Option<McpToolId>, |
| 160 | +} |
| 161 | +``` |
| 162 | + |
| 163 | +Enables: |
| 164 | +- Flexible tool implementation |
| 165 | +- Platform-specific capabilities |
| 166 | +- Security boundaries |
| 167 | + |
| 168 | +### 3. Permission Flow |
| 169 | + |
| 170 | +The architecture enforces a clear permission flow: |
| 171 | +1. Agent requests operation |
| 172 | +2. Protocol checks permission cache |
| 173 | +3. If needed, client prompts user |
| 174 | +4. Decision cached based on kind (`allowAlways`, etc.) |
| 175 | +5. Operation proceeds or fails |
| 176 | + |
| 177 | +## Extensibility Points |
| 178 | + |
| 179 | +The architecture provides several extension mechanisms: |
| 180 | + |
| 181 | +### 1. Custom Content Types |
| 182 | +New `ContentBlock` variants can be added without breaking existing clients |
| 183 | + |
| 184 | +### 2. Tool Categories |
| 185 | +The `ToolKind` enum can be extended for new operation types |
| 186 | + |
| 187 | +### 3. Session Updates |
| 188 | +New `SessionUpdate` variants enable protocol evolution |
| 189 | + |
| 190 | +### 4. Annotations |
| 191 | +The `Annotations` type allows metadata extension without schema changes |
| 192 | + |
| 193 | +## Security Architecture |
| 194 | + |
| 195 | +### Principle of Least Privilege |
| 196 | +- Tools are explicitly granted through `enabled_tools` |
| 197 | +- File operations require specific client tool mappings |
| 198 | +- Permissions are granular and auditable |
| 199 | + |
| 200 | +### Isolation Boundaries |
| 201 | +- Sessions cannot interact with each other |
| 202 | +- MCP servers run in separate processes |
| 203 | +- File access is mediated through client tools |
| 204 | + |
| 205 | +### Trust Model |
| 206 | +``` |
| 207 | +Client (Trusted) ← ACP Protocol → Agent (Sandboxed) |
| 208 | + ↓ |
| 209 | + MCP Servers (Isolated) |
| 210 | +``` |
| 211 | + |
| 212 | +## Future Considerations |
| 213 | + |
| 214 | +The architecture is designed to accommodate: |
| 215 | +- **Multiplexed Sessions**: Multiple agents in one session |
| 216 | +- **Bidirectional Tools**: Client-initiated tool calls |
| 217 | +- **Resource Streaming**: Large file handling without full loading |
| 218 | +- **Federated Permissions**: Cross-session permission sharing |
0 commit comments