agentruntimecontrolprotocol
diff --git a/‎recipes/README.md‎
Lines changed: 58 additions & 0 deletions b/‎recipes/README.md‎
Lines changed: 58 additions & 0 deletions
diff --git a/‎recipes/email-vendor-leases/client.py‎
Lines changed: 52 additions & 0 deletions b/‎recipes/email-vendor-leases/client.py‎
Lines changed: 52 additions & 0 deletions
diff --git a/‎recipes/email-vendor-leases/server.py‎
Lines changed: 166 additions & 0 deletions b/‎recipes/email-vendor-leases/server.py‎
Lines changed: 166 additions & 0 deletions
diff --git a/‎recipes/mcp-skill/server.py‎
Lines changed: 102 additions & 0 deletions b/‎recipes/mcp-skill/server.py‎
Lines changed: 102 additions & 0 deletions
@@ -0,0 +1,58 @@
+# Recipes
+
+Composed ARCP features wired around a real LLM workload. Unlike the
+single-feature [`examples/`](../examples/) — which use toy agents (echo,
+cost-counter, slow timer) — each recipe is a complete end-to-end shape
+with an actual provider SDK driving the agent.
+
+## [multi-agent-budget/](multi-agent-budget/) — OpenAI
+
+The planner decomposes a question into sub-questions and delegates each
+to a worker carrying a budget slice carved from its own remaining cap.
+After each grant the planner emits a `cost.delegate` metric on itself
+so the runtime's subset check at the next delegate sees an honest
+remaining balance. Workers that overspend trip `BUDGET_EXHAUSTED`;
+sub-questions that no longer fit are skipped before the delegate.
+
+## [email-vendor-leases/](email-vendor-leases/) — Claude
+
+A triage agent runs Claude through a tool-use loop with three tools, but
+the lease grants only the two read-only ones. When the model proposes
+`send_reply` the agent's `ctx.authorize("tool.call", ...)` raises
+`PermissionDeniedError` and feeds the denial back to Claude, which
+observes the deny and returns a drafted-but-unsent reply. Each
+`inbox_read` also emits an `x-vendor.acme.email.parsed` event so
+dashboards recognising the namespace can render parsed metadata
+specially.
+
+## [stream-resume/](stream-resume/) — GLM-5
+
+The writer pipes GLM-5's streaming deltas into `ctx.stream_result()`,
+batching ~200 chars per `result_chunk` envelope. Every envelope lands in
+the runtime's `EventLog` under a monotonic `event_seq`. The client drops
+the transport mid-stream, opens a fresh session with `client.resume()`,
+and the runtime replays every envelope past the cutoff so reassembly
+completes seamlessly across the gap.
+
+## [mcp-skill/](mcp-skill/) — MCP bridge
+
+An MCP server fronts the [multi-agent-budget](multi-agent-budget/)
+planner so any MCP host (Claude Code, Cursor, Claude Desktop) can call
+it as a single `research` tool. The bridge keeps one long-lived ARCP session;
+each MCP tool invocation submits a fresh planner job and returns the
+terminal result as the tool's text response. A Claude Code skill at
+[skills/research/SKILL.md](mcp-skill/skills/research/SKILL.md) tells the
+model when to reach for the tool.
+
+## Running
+
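+Most recipes pair a server and a client (the exception is `mcp-skill`:
+start the `multi-agent-budget` server, then point an MCP host at
+`recipes/mcp-skill/server.py`). Open two terminals: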
+
+```
+python recipes/<name>/server.py    # terminal 1
+python recipes/<name>/client.py    # terminal 2
+```
+
+Provider SDKs (`anthropic`, `openai`, `mcp`) are not pinned in
+`pyproject.toml` because they are not core dependencies — install only
+the ones required by the recipe you want to run.
@@ -0,0 +1,52 @@
+"""email-vendor-leases client — submit triage with a lease that omits send_reply.
+
+Submits the triage task with a lease that allows the read-only tools
+but deliberately omits send_reply, so Claude's eventual attempt to
+send hits PERMISSION_DENIED and degrades gracefully.
+"""
+
+from __future__ import annotations
+
+import asyncio
+import contextlib
+import os
+import sys
+
+from arcp import ClientInfo, WebSocketTransport
+from arcp.client import ARCPClient
+
+PORT = int(os.environ.get("ARCP_DEMO_PORT", "7900"))  # only used to build the default URL below
+URL = os.environ.get("ARCP_DEMO_URL", f"ws://127.0.0.1:{PORT}/arcp")  # ARCP_DEMO_URL, when set, overrides the PORT-derived default
+TOKEN = os.environ.get("ARCP_DEMO_TOKEN", "demo-token")  # passed to ARCPClient as `token`
+
+
+async def main() -> int:
+    client = ARCPClient(
+        client=ClientInfo(name="triage-client", version="1.0.0"),
+        token=TOKEN,
+        features=(),
+    )
+    async with contextlib.aclosing(client):
+        transport = await WebSocketTransport.connect(URL)
+        await client.connect(transport)
+        # the lease grants tool.call only for read-only inbox tools. send_reply
+        # is intentionally absent — when Claude proposes that tool the agent's
+        # ctx.authorize raises PermissionDenied and a tool_result error is fed
+        # back. the model recovers and returns a drafted (not-sent) reply.
+        handle = await client.submit(
+            agent="triage",
+            input={},
+            lease_request={"tool.call": ["inbox_list", "inbox_read"]},
+        )
+        async for ev in handle.events():
+            if ev["kind"] == "tool_result" and ev["body"].get("error"):
+                print(f"denied: {ev['body']['error']['message']}")
+            elif ev["kind"] == "x-vendor.acme.email.parsed":
+                print(f"parsed: {ev['body']['subject']} (urgency={ev['body']['urgency']})")
+        result = await handle.done
+        print(f"terminal: {result.final_status} drafted={result.result}")
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(asyncio.run(main()))  # main() returns 0, which becomes the process exit status
@@ -0,0 +1,166 @@
+"""email-vendor-leases — Claude tool-use loop with a lease that denies send_reply.
+
+A triage agent receives an "inbox check" task with a lease that grants
+read-only tools but NOT send_reply. Claude reads each message, emits a
+vendor-extension event per parsed message so dashboards can render
+them specially, and eventually decides one needs a reply. When it
+tries to call send_reply the lease check denies it; Claude observes
+the PERMISSION_DENIED tool_result and degrades to drafting the reply
+for human review.
+
+Highlights: §13.4 lease violation as a *recoverable* tool_result error
+(not session-fatal), §15 / §8.2 x-vendor.* event-kind namespace, and
+a realistic Claude tool-use loop that handles a deny without crashing.
+"""
+
+from __future__ import annotations
+
+import asyncio
+import os
+from typing import Any
+
+import anthropic
+
+from arcp import PermissionDeniedError, RuntimeInfo, serve_websocket
+from arcp.runtime import ARCPRuntime, JobContext, StaticBearerVerifier
+
+PORT = int(os.environ.get("ARCP_DEMO_PORT", "7900"))  # port serve_websocket binds on 127.0.0.1
+TOKEN = os.environ.get("ARCP_DEMO_TOKEN", "demo-token")  # the one bearer token StaticBearerVerifier is given
+
+TOOLS = [  # tool schemas handed to client.messages.create(tools=...)
+    {
+        "name": "inbox_list",
+        "description": "List recent unread messages.",
+        "input_schema": {"type": "object", "properties": {}},
+    },
+    {
+        "name": "inbox_read",
+        "description": "Read one message by id.",
+        "input_schema": {
+            "type": "object",
+            "properties": {"id": {"type": "string"}},
+            "required": ["id"],
+        },
+    },
+    {
+        "name": "send_reply",  # advertised to the model, but run_tool has no implementation for it
+        "description": "Send a reply to a message.",
+        "input_schema": {
+            "type": "object",
+            "properties": {"id": {"type": "string"}, "body": {"type": "string"}},
+            "required": ["id", "body"],
+        },
+    },
+]
+
+# stand-in inbox, keyed by message id, so the recipe is self-contained — swap for IMAP/Gmail in real use
+INBOX = {
+    "m1": {"id": "m1", "from": "ops@acme.dev", "subject": "Status", "body": "All quiet.", "urgency": "low"},
+    "m2": {"id": "m2", "from": "ceo@acme.dev", "subject": "Outage!", "body": "Site is down — fix asap.", "urgency": "high"},
+}
+
+
+async def run_tool(name: str, args: dict[str, Any]) -> Any:
+    if name == "inbox_list":
+        return [{"id": m["id"], "subject": m["subject"], "from": m["from"]} for m in INBOX.values()]
+    if name == "inbox_read":
+        return INBOX[args["id"]]
+    raise RuntimeError(f"tool {name} should have been denied before reaching run_tool")
+
+
+async def triage_agent(_input: dict, ctx: JobContext) -> dict:
+    client = anthropic.AsyncAnthropic()
+    messages: list[dict[str, Any]] = [
+        {
+            "role": "user",
+            "content": "Triage my inbox. Read each unread message and reply to anything urgent.",
+        }
+    ]
+
+    # tool-use loop: Claude proposes a tool call, we authorize against the
+    # lease, run it (or surface a denial), feed the result back, repeat.
+    while True:
+        turn = await client.messages.create(
+            model="claude-sonnet-4-6",
+            max_tokens=1024,
+            tools=TOOLS,
+            messages=messages,
+        )
+
+        if turn.stop_reason == "end_turn":
+            text = next((b.text for b in turn.content if b.type == "text"), "")
+            return {"drafted_reply": text, "sent": False}
+
+        # append the assistant turn so the next call has full context
+        messages.append({"role": "assistant", "content": [b.model_dump() for b in turn.content]})
+        tool_results: list[dict[str, Any]] = []
+
+        for block in turn.content:
+            if block.type != "tool_use":
+                continue
+
+            await ctx.tool_call({"tool_call_id": block.id, "tool": block.name, "args": block.input})
+
+            try:
+                # the lease grants tool.call only for the read-only tools; the
+                # send_reply pattern is absent so this raises PermissionDenied
+                ctx.authorize("tool.call", block.name)
+            except PermissionDeniedError as err:
+                # surface the denial on the ARCP stream as a recoverable error...
+                await ctx.tool_result(
+                    {
+                        "tool_call_id": block.id,
+                        "error": {"code": err.code, "message": str(err), "retryable": False},
+                    }
+                )
+                # ...and hand it to Claude as the tool result so the model can
+                # recover gracefully — lease violations are not session-fatal
+                tool_results.append(
+                    {
+                        "type": "tool_result",
+                        "tool_use_id": block.id,
+                        "content": f"denied: {err}",
+                        "is_error": True,
+                    }
+                )
+                continue
+
+            result = await run_tool(block.name, block.input)
+            if block.name == "inbox_read":
+                # vendor-extension event — dashboards that recognise the
+                # x-vendor.acme.* namespace render parsed metadata specially
+                await ctx.job.emit_event(
+                    "x-vendor.acme.email.parsed",
+                    {
+                        "message_id": result["id"],
+                        "from": result["from"],
+                        "subject": result["subject"],
+                        "urgency": result["urgency"],
+                    },
+                )
+            await ctx.tool_result({"tool_call_id": block.id, "output": result})
+            tool_results.append(
+                {"type": "tool_result", "tool_use_id": block.id, "content": str(result)}
+            )
+
+        messages.append({"role": "user", "content": tool_results})
+
+
+async def main() -> None:
+    runtime = ARCPRuntime(
+        runtime=RuntimeInfo(name="email-triage", version="1.0.0"),
+        bearer=StaticBearerVerifier({TOKEN: "demo-principal"}),
+    )
+    runtime.register_agent("triage", triage_agent)
+    server = await serve_websocket(runtime.accept, host="127.0.0.1", port=PORT, path="/arcp")
+    print(f"listening on ws://127.0.0.1:{PORT}/arcp")
+    try:
+        await asyncio.Future()
+    finally:
+        server.close()
+        await server.wait_closed()
+        await runtime.close()
+
+
+if __name__ == "__main__":
+    asyncio.run(main())  # main() blocks on a never-completed Future, so this runs until interrupted
@@ -0,0 +1,102 @@
+"""mcp-skill — bridge an MCP `research` tool to the multi-agent-budget planner.
+
+An MCP server that bridges to the multi-agent-budget runtime, exposing
+the ARCP planner as a single `research` tool. The Claude Code skill in
+skills/research/SKILL.md describes when to invoke the tool; this file
+is the runtime bridge it ends up calling.
+
+Highlights: the seam between MCP (model-side tool surface) and ARCP
+(runtime-side agent execution). One long-lived ARCP session per MCP
+process; each MCP tool call submits a fresh ARCP job through it. The
+agent's eventual lease, cost cap, and delegation tree are entirely
+ARCP concerns — MCP just sees one call in, one result out.
+
+Run the multi-agent-budget server first, then point an MCP host at
+this script.
+"""
+
+from __future__ import annotations
+
+import asyncio
+import json
+import os
+from typing import Any
+
+from mcp.server import Server
+from mcp.server.stdio import stdio_server
+from mcp.types import TextContent, Tool
+
+from arcp import ClientInfo, WebSocketTransport
+from arcp.client import ARCPClient
+
+PORT = int(os.environ.get("ARCP_DEMO_PORT", "7899"))  # presumably the multi-agent-budget server's port — TODO confirm
+URL = os.environ.get("ARCP_DEMO_URL", f"ws://127.0.0.1:{PORT}/arcp")  # ARCP_DEMO_URL, when set, overrides the PORT-derived default
+TOKEN = os.environ.get("ARCP_DEMO_TOKEN", "demo-token")  # passed to ARCPClient as `token`
+
+
+async def main() -> None:
+    # one ARCP session for the lifetime of the bridge process. each MCP
+    # tool call submits a new job through this session.
+    arcp = ARCPClient(
+        client=ClientInfo(name="mcp-bridge", version="1.0.0"),
+        token=TOKEN,
+        features=("cost.budget",),
+    )
+    transport = await WebSocketTransport.connect(URL)
+    await arcp.connect(transport)
+
+    mcp = Server("arcp-research-bridge")
+
+    @mcp.list_tools()
+    async def _list_tools() -> list[Tool]:
+        # advertise one tool. the MCP host (Claude Code / Cursor / Desktop)
+        # reads this schema and presents it to the model as a callable tool.
+        return [
+            Tool(
+                name="research",
+                description=(
+                    "Decompose a research question into sub-questions and answer "
+                    "each under a shared cost cap. Returns the plan, delegated "
+                    "sub-questions, and any dropped for budget."
+                ),
+                inputSchema={
+                    "type": "object",
+                    "properties": {
+                        "question": {"type": "string"},
+                        "budget_usd": {"type": "number", "default": 0.5},
+                    },
+                    "required": ["question"],
+                },
+            )
+        ]
+
+    @mcp.call_tool()
+    async def _call_tool(name: str, arguments: dict[str, Any]) -> list[TextContent]:
+        # tool invocation: forward into ARCP and shape the terminal result
+        # back as an MCP tool response.
+        if name != "research":
+            raise ValueError(f"unknown tool: {name}")
+        budget = float(arguments.get("budget_usd", 0.5))
+        handle = await arcp.submit(
+            agent="planner",
+            input={"question": arguments["question"]},
+            lease_request={
+                "cost.budget": [f"USD:{budget:.2f}"],
+                "tool.call": ["llm.complete"],
+                "agent.delegate": ["worker"],
+            },
+        )
+        result = await handle.done
+        # MCP tool responses are an array of content blocks; here we emit a
+        # single text block carrying the planner's JSON result.
+        return [TextContent(type="text", text=json.dumps(result.result, indent=2))]
+
+    # MCP servers typically speak stdio to their host process.
+    async with stdio_server() as (read, write):
+        await mcp.run(read, write, mcp.create_initialization_options())
+
+    await arcp.close()
+
+
+if __name__ == "__main__":
+    asyncio.run(main())  # returns once mcp.run() in main() finishes and the ARCP client is closed