Where Aroha fits in your agent's anatomy

The working model of a modern agent: a brain (the LLM) inside a harness — tools, skills, RAG, memory, and the loop that drives them. Aroha is not another harness. It stands at the harness's three narrow waists, the places every framework's agent must cross to touch the world.

An agent's harness (brain, tools, skills, RAG, loop) with Aroha components standing at three boundary chokepoints: the tool plane, the delegation boundary, and money/irreversible actions

Why the boundary, not the inside

Recent research put numbers on something every agent engineer has felt: safety behavior implemented inside a harness ends up scattered. The Harness Handbook (Wang et al., 2026) traced a single permission rule — “confirm before file deletion” — through a production harness and found its logic spread across 2,267 files. Their remedy is better maps of the scatter. Ours is complementary, and architectural: move the behavior to a chokepoint the scatter can't route around. A rule enforced at the boundary is one rule, in one place, with one audit log — however large the harness behind it grows.

Wang et al., “Harness Handbook: Making Evolving Agent Harnesses Readable, Navigable, and Editable,” arXiv:2607.13285 (2026).

Find your behavior, find your component

Organized the way you actually ask the question — by what the agent is doing, not by package name.

When your agent calls a tool…

Every tool call exits the harness through one plane — usually MCP. That plane is where limits belong, because it's the last point where 'the model decided to' can still be overruled.

mcp-guardblock · gate · limit · audit — wraps any MCP server, fails closed

When your agent delegates to another agent…

Authority crosses a trust boundary. The receiving harness is code you don't control — so the authority itself must carry its limits: signed, verifiable by anyone in the chain, and only ever narrower than what was granted.

@aroha-sdk/delegation + credentialsmandate chains · ctx.delegate() · depth limits · receipt trees

When money moves or something irreversible happens…

Spending, sending, deleting, deploying. These get cryptographic ceilings (a vendor cannot charge past a signed limit) and human gates (execution pauses for approval), with a receipt for everything.

Spending & task mandatesspendLimitUsd · humanGates · reversibleOnly · TaskReceipts

When your agent picks which model to think with…

The brain has budgets too. Model routing runs under a budget mandate — token ceilings, task-type routing, per-session tracking — so a runaway loop exhausts an allowance instead of a credit card.

aroha.routingModelBudgetMandate · ModelSession · TaskType routing

When your agent retrieves knowledge…

Task mandates carry data-access scopes ('customer-db': 'read'). Today they're enforced at the capability gate; retrieval-time enforcement inside RAG pipelines is on the roadmap — we're honest about which is which.

TaskConstraints.dataAccessread / read-write / none per resource key

What Aroha deliberately isn't

We don't build the brain (bring any LLM), and we don't compete with harness frameworks — LangGraph, CrewAI, the Agent SDKs all remain the right tools for the loop itself. If you want a harness with the smallest possible surface, serve() exists — but the protocol's job is the waists, whoever built the body. Every claim on this page is backed by a specific enforcement site and test: the guarantee-evidence table.