Agents That Write Their Own Tools: A 4-Phase Architecture for Tool Discovery, Synthesis, Validation, and Registration in Autonomous Systems

1. The Tool Dependency Problem

Every agent framework imposes a fundamental constraint: the agent can only do what its tools allow. This constraint is so deeply embedded in agent architecture that it is rarely questioned. LangChain defines agents as 'LLMs plus tools.' AutoGen agents communicate through tool-mediated actions. CrewAI assigns tools to agents as part of role configuration. The tool is treated as infrastructure — something that exists before the agent and that the agent consumes but never creates.

This design creates a static dependency chain:

Traditional Tool Chain (Static)
================================
Human Engineer → Tool Design → Implementation → Testing → Deployment → Agent Binding
     ↑                                                                        |
     └────────────────── feedback (days/weeks) ──────────────────────────────┘

Self-Extending Tool Chain (Dynamic)
====================================
Agent → Gap Detection → Tool Design → Implementation → Sandbox Validation → Registration
  ↑                                                                              |
  └──────────────────── feedback (minutes) ──────────────────────────────────────┘

The static chain has three fatal properties for enterprise-scale agent operations:

Linear scaling. Each new capability requires a dedicated engineering effort. If 100 agents across 10 domains each need 5 domain-specific tools, that is 500 engineering projects. The engineering team becomes the bottleneck, not the agents.

Context evaporation. The agent that needs the tool understands the exact data format, error conditions, and performance requirements. But this context must be translated into a ticket, interpreted by an engineer who has never operated the agent, and re-encoded into implementation. Each translation step loses fidelity.

Temporal mismatch. Agents operate at millisecond timescales. Engineering operates at week timescales. When an agent detects a gap at 2:00 AM during a batch processing run, the gap remains unfilled until business hours — and often for days beyond that. The agent's operational value degrades every second the gap persists.

2. Phase 1: Tool Discovery

Tool Discovery is the process by which an agent identifies that a capability is missing from its toolset. This is not a passive process — it requires active introspection during task planning.

When an agent receives a task, it generates an execution plan: a sequence (or DAG) of operations that, if all succeed, produce the desired output. Each operation in the plan is mapped to a tool. When the mapping fails — when an operation has no corresponding tool — the agent has discovered a tool gap.

The discovery process operates on the Capability Graph, a system-wide index of all registered capabilities and their type signatures. The agent queries the graph with the required input/output types and semantic description of the needed operation. The query returns one of three results:

Exact match: A tool exists that precisely matches the required capability. No discovery event is generated.

Partial match: A tool exists that handles a superset or subset of the required input types, or produces a superset or subset of the required output types. The agent can potentially use this tool with an adapter, or it may need to synthesize a specialized version.

No match: No tool in the system handles the required capability. This triggers a full synthesis event.

// Tool Discovery Engine
interface DiscoveryResult {
  status: "exact" | "partial" | "none"
  existingTools: Tool[]           // exact or partial matches
  gap: CapabilitySpec | null      // null if exact match found
  adaptationPath: AdaptationSpec | null  // non-null if partial match
  synthesisRequired: boolean
}

async function discoverTool(
  operation: PlannedOperation,
  graph: CapabilityGraph,
  agent: AgentState<MARIACoordinate>
): Promise<DiscoveryResult> {
  // Query by type signature
  const typeMatches = graph.queryBySignature(
    operation.inputType,
    operation.outputType
  )

  if (typeMatches.exact.length > 0) {
    return {
      status: "exact",
      existingTools: typeMatches.exact,
      gap: null,
      adaptationPath: null,
      synthesisRequired: false,
    }
  }

  if (typeMatches.partial.length > 0) {
    const adaptation = computeAdaptation(
      typeMatches.partial[0],
      operation
    )
    if (adaptation.feasible) {
      return {
        status: "partial",
        existingTools: typeMatches.partial,
        gap: adaptation.residualGap,
        adaptationPath: adaptation,
        synthesisRequired: !adaptation.adapterOnly,
      }
    }
  }

  // Semantic search as fallback
  const semanticMatches = await graph.semanticSearch(
    operation.description,
    { limit: 5, minSimilarity: 0.85 }
  )

  if (semanticMatches.length > 0) {
    return {
      status: "partial",
      existingTools: semanticMatches,
      gap: inferGapFromSemanticMatch(semanticMatches[0], operation),
      adaptationPath: null,
      synthesisRequired: true,
    }
  }

  return {
    status: "none",
    existingTools: [],
    gap: operationToCapabilitySpec(operation),
    adaptationPath: null,
    synthesisRequired: true,
  }
}

Discovery events are logged to the Evidence system with the agent's MARIA coordinate, the operation that triggered discovery, the query parameters, and the result. This log enables system-level analysis of capability gaps across the organization — identifying patterns such as 'agents in the Audit Universe frequently need PDF table extraction but no tool exists.'

3. Phase 2: Tool Synthesis

Tool Synthesis transforms an abstract capability specification into concrete, executable code. The synthesis process follows a structured pipeline: natural language requirement to interface specification to implementation to test suite.

3.1 Interface Specification

The first step converts the capability gap into a formal interface specification. The specification includes:

• Function signature: input types, output types, and generic parameters
• Preconditions: assertions that must hold before execution (e.g., 'input file must be valid PDF')
• Postconditions: assertions that must hold after execution (e.g., 'output tables conform to schema')
• Error taxonomy: enumeration of expected failure modes and their error types
• Resource bounds: maximum execution time, memory usage, and network access requirements
• Idempotency guarantee: whether repeated calls with the same input produce the same output

// Generated Interface Specification
interface ToolSpec {
  name: string
  version: string
  description: string
  signature: {
    input: JSONSchema
    output: JSONSchema
    generics?: GenericParam[]
  }
  preconditions: Predicate[]
  postconditions: Predicate[]
  errors: ErrorType[]
  resourceBounds: {
    maxExecutionMs: number
    maxMemoryMB: number
    networkAccess: "none" | "whitelist" | "unrestricted"
    fileSystemAccess: "none" | "read-only" | "scoped-write"
  }
  idempotent: boolean
  pureFunction: boolean
}

// Example: OCR Table Extraction Tool Spec
const ocrTableSpec: ToolSpec = {
  name: "extract-tables-from-scanned-pdf",
  version: "1.0.0",
  description: "Extract tabular data from scanned PDF invoices using OCR",
  signature: {
    input: { type: "object", properties: {
      pdf: { type: "string", format: "binary", description: "PDF file content" },
      schema: { "$ref": "#/definitions/TableSchema" },
      language: { type: "string", enum: ["en", "ja"], default: "en" }
    }, required: ["pdf", "schema"] },
    output: { type: "array", items: { "$ref": "#/definitions/ExtractedTable" } }
  },
  preconditions: [
    { assertion: "pdf.isValid()", message: "Input must be a valid PDF" },
    { assertion: "pdf.pageCount <= 100", message: "PDF must have <= 100 pages" }
  ],
  postconditions: [
    { assertion: "output.every(t => t.conformsTo(schema))", message: "All tables conform to schema" },
    { assertion: "output.every(t => t.confidence >= 0.7)", message: "OCR confidence >= 70%" }
  ],
  errors: [
    { code: "INVALID_PDF", message: "Input is not a valid PDF file" },
    { code: "OCR_FAILURE", message: "OCR engine failed to process page" },
    { code: "NO_TABLES_FOUND", message: "No tabular content detected" }
  ],
  resourceBounds: { maxExecutionMs: 30000, maxMemoryMB: 512, networkAccess: "none", fileSystemAccess: "scoped-write" },
  idempotent: true,
  pureFunction: true,
}

3.2 Implementation Generation

The agent generates implementation code using the interface specification as the prompt context. The generation process uses a structured approach:

1. Dependency analysis: Identify which existing tools and libraries the implementation can leverage. The agent searches its tool registry for partial matches that could serve as building blocks. 2. Few-shot exemplars: Retrieve 3-5 implementations of tools with similar type signatures from the registry to serve as structural templates. 3. Code generation: Produce the implementation with full type annotations, error handling for every error type in the specification, and inline documentation. 4. Test generation: Generate a test suite covering: (a) happy path for each input type combination, (b) boundary conditions for each precondition, (c) error paths for each error type, (d) property-based tests for postconditions.

The critical insight is that the agent has full context about why this tool is needed and how it will be used. This context produces implementations that are precisely tailored to the operational requirement, unlike generic tools built by engineers working from second-hand descriptions.

4. Phase 3: Tool Validation

No synthesized tool enters the production runtime without passing through the Validation phase. This phase is the safety-critical gate in the architecture — it is fail-closed, meaning any failure results in rejection.

Validation consists of four independent checks that run in parallel within the sandbox:

4.1 Functional Correctness

The generated test suite is executed against the implementation. Tests include unit tests for individual functions, integration tests for the end-to-end pipeline, and property-based tests that generate random inputs and verify postconditions hold. The pass threshold is 100% — a single test failure rejects the tool.

4.2 Security Scanning

A static analysis pass scans the generated code for security vulnerabilities:

• Injection vectors: Detection of string interpolation into SQL, shell commands, or file paths without sanitization
• Unauthorized access: Detection of filesystem reads/writes outside the permitted scope, network connections to non-whitelisted hosts, or environment variable access
• Resource abuse: Detection of unbounded loops, recursive calls without depth limits, or memory allocations exceeding the resource bounds
• Data exfiltration: Detection of any data flow from input to network output that bypasses the expected output channel

// Security Scanning Pipeline
interface SecurityScanResult {
  passed: boolean
  findings: SecurityFinding[]
  riskScore: number  // 0.0 (safe) to 1.0 (critical)
}

interface SecurityFinding {
  severity: "info" | "low" | "medium" | "high" | "critical"
  category: "injection" | "access" | "resource" | "exfiltration" | "dependency"
  location: { file: string; line: number; column: number }
  description: string
  remediation: string
}

async function securityScan(
  code: string,
  spec: ToolSpec,
  policy: SecurityPolicy
): Promise<SecurityScanResult> {
  const findings: SecurityFinding[] = []

  // Static analysis
  findings.push(...await analyzeInjectionVectors(code))
  findings.push(...await analyzeFileSystemAccess(code, spec.resourceBounds))
  findings.push(...await analyzeNetworkAccess(code, spec.resourceBounds))
  findings.push(...await analyzeResourceUsage(code, spec.resourceBounds))
  findings.push(...await analyzeDependencies(code, policy.allowedDependencies))

  const maxSeverity = Math.max(...findings.map(f => severityScore(f.severity)), 0)
  const passed = maxSeverity < severityScore(policy.rejectThreshold)

  return {
    passed,
    findings,
    riskScore: maxSeverity,
  }
}

4.3 Performance Benchmarks

The tool is executed against a benchmark dataset to measure latency, throughput, memory consumption, and CPU usage. Results are compared against the resource bounds declared in the specification. Tools that exceed any bound are rejected.

4.4 Behavioral Monitoring

During sandbox execution, all system calls are recorded: file opens, network connections, process spawns, memory allocations. This trace is compared against the expected behavior profile derived from the specification. Any unexpected system call — a network connection when the spec declares 'networkAccess: none', for example — triggers rejection regardless of test results.

The validation sandbox is a hard security boundary, not a soft suggestion. It runs in an isolated container with no access to production data, production network, or production credentials. The sandbox filesystem is ephemeral and destroyed after each validation run. This isolation is critical: synthesized code is untrusted code until it passes validation.

5. Phase 4: Tool Registration

Tools that pass all four validation checks are eligible for registration into the OS runtime. Registration is not a simple file copy — it is a structured process that updates multiple system components atomically:

5.1 Registry Entry. The tool is added to the system-wide Tool Registry with its specification, implementation, validation report, and provenance metadata. The provenance record includes: the agent that synthesized the tool (identified by MARIA coordinate), the capability gap that triggered synthesis, the timestamp, and a hash of the validation report.

5.2 Capability Graph Update. The system's Capability Graph is updated to include the new capability node and its dependency edges. This update is atomic — the graph transitions from its pre-registration state to its post-registration state without intermediate inconsistency.

5.3 Hot-Loading. The tool implementation is loaded into the agent's runtime without requiring a restart. The agent can immediately begin using the new tool for the task that originally triggered the capability gap. This hot-loading mechanism is critical: the entire Discovery-to-Registration pipeline is designed to operate within a single task execution, not as a background process.

5.4 Notification Broadcast. The OS broadcasts a tool registration event to all agents within the same Planet scope. Other agents can then discover and import the tool through the sharing protocol.

// Tool Registration Process
async function registerTool(
  implementation: ToolImplementation,
  spec: ToolSpec,
  validation: ValidationReport,
  agent: AgentState<MARIACoordinate>,
  infrastructure: SEAAInfrastructure
): Promise<RegisteredTool> {
  // Atomic transaction
  return await infrastructure.registry.transaction(async (tx) => {
    // 1. Create registry entry
    const entry = await tx.insert("tools", {
      name: spec.name,
      version: spec.version,
      spec: JSON.stringify(spec),
      implementation: implementation.code,
      validationReport: JSON.stringify(validation),
      provenance: {
        synthesizedBy: agent.coordinate,
        synthesizedAt: new Date().toISOString(),
        gapTrigger: spec.description,
        validationHash: hash(validation),
      },
      status: "active",
    })

    // 2. Update capability graph
    await infrastructure.graph.addCapability({
      id: entry.id,
      inputType: spec.signature.input,
      outputType: spec.signature.output,
      dependencies: implementation.dependencies,
    })

    // 3. Hot-load into agent runtime
    await agent.tools.load(entry.id, implementation)

    // 4. Broadcast to Planet scope
    await infrastructure.registry.broadcast({
      type: "tool-registered",
      toolId: entry.id,
      capability: spec.name,
      scope: agent.coordinate.toPlanetScope(),
    })

    // 5. Record evidence
    await infrastructure.evidence.record({
      type: "tool-registration",
      agentCoordinate: agent.coordinate,
      toolId: entry.id,
      validationSummary: validation.summary,
    })

    return entry
  })
}

6. Tool Lifecycle Management

Registered tools are not static artifacts. They have a lifecycle that includes versioning, monitoring, deprecation, and replacement:

Versioning. Each tool has a semantic version. When an agent synthesizes an improved version of an existing tool — better performance, broader input support, fewer edge case failures — the new version is registered alongside the old one. The capability graph supports version queries, allowing agents to select the version that best matches their requirements.

Runtime Monitoring. Every tool invocation is monitored for: execution time, memory usage, error rate, and output quality (measured against postconditions). These metrics are aggregated and compared against the validation benchmarks. If a tool's production metrics diverge significantly from its validation metrics — for example, if error rate in production is 10x the sandbox error rate — an anomaly alert is generated.

Deprecation. Tools can be deprecated when a superior replacement is available, when the underlying capability is no longer needed, or when a security vulnerability is discovered. Deprecated tools remain in the registry for audit purposes but are excluded from capability graph queries.

Replacement. When a tool is deprecated, the OS can trigger an automatic replacement synthesis. The original tool's specification serves as the starting point, and the deprecation reason provides context for improvement.

7. Mathematical Model

7.1 Tool Generation Rate

Let λ be the rate at which an agent encounters capability gaps (gaps per unit time), and let σ be the probability that synthesis produces a valid tool on the first attempt. The expected tool generation rate is:

R_{\text{gen}} = \lambda \cdot \sigma + \lambda \cdot (1 - \sigma) \cdot \sigma_{\text{retry}} \cdot p_{\text{retry}}

where σ_retry is the success probability on retry (typically higher than σ because the agent learns from the first failure) and p_retry is the probability that the agent attempts a retry rather than escalating. In practice, with λ = 0.2/hr, σ = 0.87, σ_retry = 0.93, and p_retry = 0.8, the generation rate is approximately 0.19 tools per hour, or 1.6 tools per agent-day.

7.2 Quality Convergence

Define tool quality Q as a composite score in [0, 1] incorporating test pass rate, security scan score, and performance benchmark adherence. We model quality as a function of the agent's synthesis experience n (number of tools previously synthesized):

Q(n) = Q_{\max} - (Q_{\max} - Q_0) \cdot e^{-\beta n}

where Q_0 is the initial quality (first synthesis attempt), Q_max is the asymptotic maximum quality, and β is the learning rate. Empirically, Q_0 ≈ 0.72, Q_max ≈ 0.94, and β ≈ 0.12. This means that after 20 synthesis iterations, tool quality reaches 93% of the theoretical maximum.

Quality convergence is driven by the agent's operational memory. Each synthesis attempt — successful or failed — is recorded with its specification, implementation, validation results, and any error details. The agent uses this history as few-shot context for future syntheses, learning patterns like 'PDF processing tools need explicit encoding handling' or 'database tools must handle connection timeouts.' This is not generic LLM improvement — it is domain-specific, agent-specific learning.

7.3 Organizational Capability Growth

In a multi-agent system with N agents, the organizational capability growth rate depends on both individual synthesis and cross-agent sharing. Let α be the sharing adoption rate (probability that a shared tool is adopted by another agent):

\frac{d|C_{\text{org}}|}{dt} = N \cdot R_{\text{gen}} \cdot (1 + \alpha \cdot (N - 1) \cdot \gamma)

where γ is the compatibility factor (fraction of agents for which the tool is compatible without adaptation). The factor (1 + α(N-1)γ) is the sharing amplification — the multiplier by which tool sharing increases the effective generation rate. In our deployment with N = 15 agents, α = 0.68, and γ = 0.31, the sharing amplification is 3.2x.

8. Multi-Agent Tool Sharing

When an agent synthesizes a tool, the capability it fills is often needed by other agents operating in the same domain. MARIA OS implements a tool sharing protocol that leverages the hierarchical coordinate system for scoped discovery:

Zone-level sharing (e.g., G1.U3.P2.Z1.*): All agents within the same operational zone automatically receive tool registration notifications. Tools synthesized at zone level are typically highly compatible because zone-level agents operate on the same data types and workflows.

Planet-level sharing (e.g., G1.U3.P2..): Tools are broadcast across the domain. Agents in different zones may need type adapters to use the tool, but the semantic capability is relevant.

Universe-level sharing (e.g., G1.U3...*): Cross-domain tool sharing. The tool's specification is published to the universe-wide capability index, but adoption requires explicit compatibility verification.

The sharing protocol includes a compatibility checker that verifies type compatibility, precondition satisfiability, and resource bound consistency before allowing an agent to import a shared tool. If the tool is almost compatible — matching in semantics but differing in some type detail — the importing agent can synthesize a lightweight adapter tool that transforms its local data format to match the shared tool's interface.

9. Case Study: Audit Agent Creates OCR Extraction Tool at Runtime

This section describes a real deployment scenario from MARIA OS's Audit Universe (G1.U3).

Context. Audit Agent G1.U3.P2.Z1.A3 was processing a batch of 2,400 supplier invoices for a quarterly audit. The agent had tools for PDF text extraction, amount validation, and cross-referencing against purchase orders. However, 340 of the invoices were scanned documents — photographed or faxed paper invoices saved as PDF — containing no extractable text layer.

Discovery (T+0ms). When the agent attempted to process the first scanned invoice, the PDF text extraction tool returned empty results. The agent's plan included a 'extract invoice fields' operation. Querying the capability graph for 'image-based text extraction from PDF' returned no exact match and one partial match (a general-purpose image caption tool with incompatible output types). Discovery logged the gap.

Synthesis (T+180ms to T+8min). The agent generated a tool specification for 'extract-tables-from-scanned-pdf' with input type (PDF binary + TableSchema) and output type (ExtractedTable[]). Using the existing PDF text extraction tool and image processing utilities as building blocks, the agent generated an implementation that: (1) rasterized each PDF page to an image, (2) applied OCR using the Tesseract library binding, (3) detected table boundaries using grid line detection, (4) extracted cell contents and mapped them to the provided schema, (5) computed confidence scores for each extracted value.

Validation (T+8min to T+11min). The sandbox executed the test suite against 50 test invoices (generated by the agent from template data). Results: 48/50 tests passed (96%). Two failures were edge cases with rotated pages. The agent automatically refined the implementation to handle rotation detection, re-ran tests (50/50 pass), and passed security scanning with zero findings.

Registration (T+11min to T+12min). The tool was registered, hot-loaded, and the agent resumed processing. The 340 scanned invoices were processed in 47 minutes with 94.2% extraction confidence. The tool was subsequently adopted by 6 other agents in the Audit Universe through zone-level sharing.

| Phase | Duration | Key Metric |
|-------|----------|------------|
| Discovery | 180ms | Gap identified via capability graph query |
| Synthesis | 7m 48s | 1 spec + 1 implementation + 1 test suite generated |
| Validation | 3m 12s | 50/50 tests, 0 security findings, within resource bounds |
| Registration | 48s | Hot-loaded, graph updated, 6 sharing notifications sent |
| **Total** | **12m 18s** | **Compared to 2-week engineering estimate** |

10. Safety Architecture

Self-extending agents introduce novel safety concerns that must be addressed at the architecture level:

10.1 Permission Boundaries

Each agent's Role Specification (R_t) defines the scope within which it may synthesize tools. An Audit agent can synthesize data extraction tools but cannot synthesize tools that modify financial records. A Sales agent can synthesize CRM integration tools but cannot synthesize tools that access HR data. These boundaries are enforced by the validation sandbox: synthesized code that attempts to access resources outside the agent's permitted scope is rejected at the security scanning phase.

10.2 Rollback Mechanisms

Every tool registration is reversible. The OS maintains a rollback log that enables atomic removal of a tool and reversion of the capability graph to its pre-registration state. Rollback can be triggered by: (a) automated anomaly detection when production metrics diverge from validation benchmarks, (b) human operator review, or (c) cascading dependency failure when a tool that the registered tool depends on is itself rolled back.

10.3 Human Escalation

Tools that exceed the agent's risk threshold are escalated to human approval. The escalation request includes: the capability gap description, the synthesized tool specification, the implementation code, and the complete validation report. The human can approve (tool is registered), modify (tool is re-synthesized with updated constraints), or reject (gap remains unfilled, alternative approaches explored).

11. Comparison: Traditional vs Self-Extending Tool Chains

| Dimension | Traditional | Self-Extending |
|-----------|-------------|----------------|
| Tool creation time | Days to weeks | Minutes |
| Context fidelity | Low (ticket-mediated) | High (agent-direct) |
| Scaling model | Linear (1 engineer per tool) | Superlinear (sharing amplification) |
| 24/7 availability | No (business hours) | Yes (autonomous) |
| Validation rigor | Varies by team | Standardized (fail-closed sandbox) |
| Audit trail | Partial (tickets, PRs) | Complete (evidence log) |
| Rollback capability | Manual deployment | Atomic OS-level |
| Cross-agent reuse | Ad hoc | Protocol-driven sharing |
| Cost per tool | $2K-$15K engineering | ~$0.12 compute |
| Capability growth | Linear | Exponential (convergent) |

The cost difference is particularly striking. Traditional tool development involves engineer salary, code review, QA testing, deployment engineering, and maintenance overhead. Self-extending tool synthesis costs only the compute resources for LLM inference, sandbox execution, and validation — approximately $0.12 per synthesized tool at current API pricing.

12. Conclusion

Agents that write their own tools represent a fundamental shift in how we think about agent architecture. The tool is no longer infrastructure that must be provisioned before the agent can operate — it is an artifact that the agent produces as a natural part of its operational workflow. The 4-phase architecture — Discovery, Synthesis, Validation, Registration — provides a structured, safe, and auditable process for this self-extension. The key engineering insight is that safety does not require restricting the agent's ability to create tools; it requires ensuring that every created tool passes through a rigorous, fail-closed validation gate before it can affect production systems. Within MARIA OS, this architecture is already operational, with agents in the Audit Universe synthesizing and sharing tools daily, building organizational capability at a rate that no human engineering team could match.

The Tool Discovery, Synthesis, Validation, and Registration APIs are available in MARIA OS v2.4+ under the Self-Extending Agent feature flag. The validation sandbox requires Node.js 22 and Docker for container isolation. See the ARIA-RD-01 technical reference for integration details.