# ATI Documentation > Source-grounded reference for the Agent Tools Interface: the `ati` CLI, optional `ati proxy` server, provider manifests, JWT scopes, skills registry, and Python orchestrator SDK used to give sandboxed agents secure tool access without exposing API keys. This is a Grok-Wiki source-grounded repository documentation set. Use the complete Markdown link when an agent needs the full repo context. ## Context Links - [Complete Markdown docs](https://grok-wiki.com/public/docs/parcha-ai-ati-a9d4398f11fa/llms-full.txt) - [Complete Markdown alias](https://grok-wiki.com/public/docs/parcha-ai-ati-a9d4398f11fa.md) - [Human interactive docs](https://grok-wiki.com/public/docs/parcha-ai-ati-a9d4398f11fa) - [GitHub repository](https://github.com/Parcha-ai/ati) ## Repository - Repository: Parcha-ai/ati - Generated: 2026-06-02T03:49:49.721Z - Updated: 2026-06-02T04:09:10.260Z - Runtime: Grok CLI - Format: Documentation - Pages: 24 ## Pages - [Overview](https://grok-wiki.com/public/docs/parcha-ai-ati-a9d4398f11fa/pages/01-overview.md): What ATI exposes (`ati run`, provider catalog, proxy mode), runtime assumptions (`~/.ati/`, `ATI_PROXY_URL`), and the shortest path from `ati init` to a scoped tool call. - [Installation](https://grok-wiki.com/public/docs/parcha-ai-ati-a9d4398f11fa/pages/02-installation.md): Pre-built release binaries (musl/static), `cargo install agent-tools-interface`, Docker image, and platform prerequisites for local vs proxy deployments. - [Quickstart](https://grok-wiki.com/public/docs/parcha-ai-ati-a9d4398f11fa/pages/03-quickstart.md): Initialize `~/.ati/`, import a no-auth OpenAPI provider, store a key, run `ati tool list` and `ati run`, and verify success with `ati tool info`. - [Execution modes](https://grok-wiki.com/public/docs/parcha-ai-ati-a9d4398f11fa/pages/04-execution-modes.md): Dev (plaintext credentials), local (AES-256-GCM keyring + one-shot session key), and proxy (`ATI_PROXY_URL`) modes: credential placement, auto-detection in `ati run`, and threat-model trade-offs. - [Providers and handlers](https://grok-wiki.com/public/docs/parcha-ai-ati-a9d4398f11fa/pages/05-providers-and-handlers.md): Handler types (`http`, `openapi`, `mcp`, `cli`, `file_manager`, `passthrough`), tool naming (`provider:tool`), auth injection, and how manifests map to dispatch in `core/http`, `mcp_client`, and `cli_executor`. - [Scopes and tool discovery](https://grok-wiki.com/public/docs/parcha-ai-ati-a9d4398f11fa/pages/06-scopes-and-tool-discovery.md): JWT `scope` claims, wildcard patterns (`tool:github:*`), scope-filtered listing, and the three discovery tiers: `ati tool search`, `ati tool info`, and `ati assist`. - [Skills and SkillATI](https://grok-wiki.com/public/docs/parcha-ai-ati-a9d4398f11fa/pages/07-skills-and-skillati.md): Skills as methodology docs vs tools as data access, progressive disclosure (metadata → SKILL.md → resources), scope-driven resolution cascade, and remote GCS registry via `/skillati/*`. - [Import OpenAPI providers](https://grok-wiki.com/public/docs/parcha-ai-ati-a9d4398f11fa/pages/08-import-openapi-providers.md): `ati provider import-openapi` and `inspect-openapi`: spec download, operation caps, tag filters, `x-ati-param-location` routing, and keyring key hints. - [Add MCP providers](https://grok-wiki.com/public/docs/parcha-ai-ati-a9d4398f11fa/pages/09-add-mcp-providers.md): `ati provider add-mcp` for stdio and HTTP transports, `${key}` env injection, MCP `tools/list` discovery, and namespaced tool calls (`provider:tool`). - [CLI and HTTP manifests](https://grok-wiki.com/public/docs/parcha-ai-ati-a9d4398f11fa/pages/10-cli-and-http-manifests.md): `ati provider add-cli`, hand-written `[[tools]]` HTTP manifests, `${key}` vs `@{key}` credential files, `cli_output_args` binary capture, and curated subprocess environments. - [Deploy proxy server](https://grok-wiki.com/public/docs/parcha-ai-ati-a9d4398f11fa/pages/11-deploy-proxy-server.md): Run `ati proxy`, bind/port/`--env-keys`, optional `--features db` persistence, passthrough and HMAC sig-verify flags, VM/systemd examples, and health/JWKS probes. - [Configure JWT and keys](https://grok-wiki.com/public/docs/parcha-ai-ati-a9d4398f11fa/pages/12-configure-jwt-and-keys.md): `ati key set/list/remove`, `ati token keygen|issue|inspect|validate`, `ati init --proxy`, per-provider session token env overrides, and orchestrator token issuance patterns. - [File manager operations](https://grok-wiki.com/public/docs/parcha-ai-ati-a9d4398f11fa/pages/13-file-manager-operations.md): `file_manager:download` and `file_manager:upload`, SSRF protection, download allowlists, upload destination kinds (`gcs`, `fal_storage`), and proxy-side base64 transfer. - [Skills registry and fetch](https://grok-wiki.com/public/docs/parcha-ai-ati-a9d4398f11fa/pages/14-skills-registry-and-fetch.md): `ati skill install|resolve`, manifest generation from SKILL.md, GCS bucket layout, `ati skill fetch` / `skillati` commands, and proxy `/skillati/*` endpoints. - [CLI reference](https://grok-wiki.com/public/docs/parcha-ai-ati-a9d4398f11fa/pages/15-cli-reference.md): Top-level `ati` subcommands (`run`, `tool`, `provider`, `skill`, `assist`, `plan`, `key`, `token`, `auth`, `proxy`, `audit`, `edge`), global flags (`--output`, `--verbose`), and output formats. - [Environment variables](https://grok-wiki.com/public/docs/parcha-ai-ati-a9d4398f11fa/pages/16-environment-variables.md): Runtime env contract: `ATI_PROXY_URL`, `ATI_SESSION_TOKEN`, `ATI_DIR`, JWT keys, SSRF/download allowlists, skill registry, OTel export, and optional `ATI_DB_URL` / `ATI_ADMIN_TOKEN`. - [Proxy API reference](https://grok-wiki.com/public/docs/parcha-ai-ati-a9d4398f11fa/pages/17-proxy-api-reference.md): HTTP routes on `ati proxy`: `/call`, `/mcp`, `/help`, `/tools`, `/skills`, `/skillati/*`, `/health`, JWKS, optional `/admin/keys/*`, auth requirements, and request/response shapes. - [Manifest reference](https://grok-wiki.com/public/docs/parcha-ai-ati-a9d4398f11fa/pages/18-manifest-reference.md): TOML schema for `[provider]` and `[[tools]]`: `handler`, auth types, MCP/OpenAPI/CLI/passthrough fields, response `extract`/`format`, overrides, and validation errors at load time. - [JWT and scopes reference](https://grok-wiki.com/public/docs/parcha-ai-ati-a9d4398f11fa/pages/19-jwt-and-scopes-reference.md): Claims (`sub`, `aud`, `scope`, `exp`, `jti`), ES256 vs HS256, scope grammar (`tool:`, `skill:`, `help`, `*`), discovery filtering, and validation failure modes. - [Assist and plan reference](https://grok-wiki.com/public/docs/parcha-ai-ati-a9d4398f11fa/pages/20-assist-and-plan-reference.md): `ati assist` flags (`--plan`, `--save`, `--local`), internal `_llm` provider, structured plan output, and `ati plan` execution of saved tool-call plans. - [OpenAPI stock research workflow](https://grok-wiki.com/public/docs/parcha-ai-ati-a9d4398f11fa/pages/21-openapi-stock-research-workflow.md): End-to-end Finnhub recipe: `import-openapi`, `ati key set`, `ati assist`, and chained `ati run` calls for quotes, insiders, and sentiment with expected JSON fields. - [Agent harness sandbox](https://grok-wiki.com/public/docs/parcha-ai-ati-a9d4398f11fa/pages/22-agent-harness-sandbox.md): Shell-first integration pattern across SDK examples, `AtiOrchestrator.provision_sandbox`, scoped env injection, and proxy-mode agent loops without custom tool wrappers. - [Security and production](https://grok-wiki.com/public/docs/parcha-ai-ati-a9d4398f11fa/pages/23-security-and-production.md): Threat model, proxy hardening (JWT enforce, download allowlist, SSRF), sig-verify modes, optional Postgres audit/virtual keys, OTel observability, and edge keyring rotation. - [Build, test, and troubleshooting](https://grok-wiki.com/public/docs/parcha-ai-ati-a9d4398f11fa/pages/24-build-test-and-troubleshooting.md): `cargo build/test` targets, musl release builds, feature flags (`db`, `otel`, `sentry`), E2E shell scripts, live MCP tests, and common failure signals from integration tests. ## Source Files - `AGENTS.md` - `ati-client/python/README.md` - `ati-client/python/src/ati/__init__.py` - `ati-client/python/src/ati/scope.py` - `ati-client/python/src/ati/token.py` - `ati-client/python/tests/test_orchestrator.py` - `Cargo.toml` - `deny.toml` - `deploy/Dockerfile` - `deploy/examples/vm/README.md` - `deploy/examples/vm/systemd/ati.service` - `docs/assist-examples.md` - `docs/JWT_STANDARDS_2026.md` - `docs/OTEL.md` - `docs/PERSISTENCE.md` - `docs/SECURITY.md` - `examples/claude-agent-sdk/openapi_agent.py` - `examples/openai-agents-sdk/openapi_agent.py` - `examples/README.md` - `manifests/_llm.toml` - `manifests/clinicaltrials.toml` - `manifests/deepwiki-mcp.toml` - `manifests/finnhub.toml` - `manifests/github-mcp.toml` - `manifests/google-workspace.toml` - `manifests/hackernews.toml` - `manifests/README.md` - `migrations/20260501000001_init_persistence.sql` - `README.md` - `scripts/e2e/README.md` - `scripts/test_proxy_e2e.sh` - `scripts/test_proxy_server_e2e.sh` - `scripts/test_skill_fetch_e2e.sh` - `scripts/test_skills_e2e.sh` - `skills/google-workspace/SKILL.md` - `skills/google-workspace/skill.toml` - `specs/clinicaltrials.json` - `specs/crossref.json` - `specs/finnhub.json` - `src/cli/audit.rs` - `src/cli/call.rs` - `src/cli/cli_capture.rs` - `src/cli/edge.rs` - `src/cli/file_manager.rs` - `src/cli/help.rs` - `src/cli/init.rs` - `src/cli/keys.rs` - `src/cli/mod.rs` - `src/cli/plan.rs` - `src/cli/provider.rs` - `src/cli/skillati.rs` - `src/cli/skills.rs` - `src/cli/token.rs` - `src/cli/tools.rs` - `src/core/cli_executor.rs` - `src/core/error.rs` - `src/core/file_manager.rs` - `src/core/gcs.rs` - `src/core/http.rs` - `src/core/jwt.rs` - `src/core/keyring.rs` - `src/core/manifest.rs` - `src/core/mcp_client.rs` - `src/core/openapi.rs` - `src/core/otel.rs` - `src/core/passthrough.rs` - `src/core/response.rs` - `src/core/scope.rs` - `src/core/sig_verify.rs` - `src/core/skill.rs` - `src/core/skillati.rs` - `src/core/token.rs` - `src/lib.rs` - `src/main.rs` - `src/output/mod.rs` - `src/proxy/client.rs` - `src/proxy/server.rs` - `src/security/memory.rs` - `src/security/sealed_file.rs` - `tests/file_manager_proxy_test.rs` - `tests/manifest_test.rs` - `tests/mcp_live_test.rs` - `tests/plan_test.rs` - `tests/proxy_skills_test.rs` - `tests/proxy_test.rs`