dd8601fn 3 hours ago

I did something that sounds similar for my home assistant.

The agent never executes anything. It has like four tools… search, request execute, request build, request update.

The tool service runs vector search against the tools catalog.

The build generalizes the requested function and runs authoring with review steps, declaring needed credentials and network access.

The adversarial reviewer can reject back to the authoring three times.

After passing, the tool is registered and embeddings are done for search. It’s live for future use.

Credentials are stored encrypted, and only get injected by the tools catalog service during tool execution. The network resources are declared so tool function execution can be better sandboxed (it’s not, yet).

The agent never has access to credentials and cannot do anything without going through vetted functions in the tool service.

Agent, author process, reviewer, embedding… all can be different models running local or remote.

Event bus, agent, tool service… all separate containers.

I have a URL if you want to read a bit about what I did: https://dcd.fyi/agent

It’s really just meant for me, but if you’re interested in more details on anything let me know. There’s nothing super special in it.
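The boundary the comment describes, sketched as an added Python example (this is not the commenter's code, and nothing here comes from the linked page): the agent's only execution path is a "request execute" call, the tool service decrypts the declared credentials and injects them into a registered function, egress is checked against the hosts the tool declared, and the agent gets back only the scrubbed result. The review loop with a cap of three rejections is included; vector search and sandboxing are left out. Everything named here is an assumption for the demo: SHA-256 in counter mode stands in for real encryption or a KMS, `api.example.test` and the `sk-constructed-example-key` value are constructed, and `ToolService`, `Agent`, `review_loop` and friends are hypothetical names.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Callable
from urllib.parse import urlparse

MAX_REVIEW_REJECTIONS = 3  # "reject back to the authoring three times"


def _ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for a real AEAD/KMS (demo assumption): SHA-256 in counter mode
    used as a stream cipher. The same call encrypts and decrypts."""
    out = bytearray()
    for i, off in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


@dataclass(frozen=True)
class ToolSpec:
    name: str
    fn: Callable[[dict, dict, Callable[[str], str]], str]  # (params, creds, egress) -> text
    credentials: tuple[str, ...]  # credential names declared at authoring time
    network: tuple[str, ...]      # hosts declared at authoring time


class ToolService:
    """Encrypted credential store plus the catalog of registered (reviewed) tools."""

    def __init__(self, master_key: bytes):
        self._key = master_key
        self._vault: dict[str, tuple[bytes, bytes]] = {}  # name -> (nonce, ciphertext)
        self._tools: dict[str, ToolSpec] = {}

    def store_credential(self, name: str, secret: str) -> None:
        nonce = secrets.token_bytes(16)
        self._vault[name] = (nonce, _ctr_xor(self._key, nonce, secret.encode()))

    def _decrypt(self, name: str) -> str:
        nonce, ciphertext = self._vault[name]
        return _ctr_xor(self._key, nonce, ciphertext).decode()

    def register(self, spec: ToolSpec) -> None:
        missing = [c for c in spec.credentials if c not in self._vault]
        if missing:
            raise KeyError(f"{spec.name} declares unknown credentials: {missing}")
        self._tools[spec.name] = spec

    def execute(self, name: str, params: dict) -> str:
        spec = self._tools[name]  # only registered functions can run at all
        creds = {c: self._decrypt(c) for c in spec.credentials}  # decrypted here, never earlier

        def egress(url: str) -> str:
            host = urlparse(url).hostname or ""
            if host not in spec.network:
                raise PermissionError(f"{name} is not declared to reach {host}")
            return f"<constructed response from {host}>"  # stand-in for a real HTTP client

        result = spec.fn(params, creds, egress)
        for value in creds.values():  # belt and braces: scrub any credential that leaked into the output
            result = result.replace(value, "[REDACTED]")
        return result


class Agent:
    """The agent's whole execution surface: it asks the service, it never holds secrets."""

    def __init__(self, service: ToolService):
        self._service = service

    def request_execute(self, tool: str, params: dict) -> str:
        return self._service.execute(tool, params)


def review_loop(draft: ToolSpec, revise, reviewer, max_rejections: int = MAX_REVIEW_REJECTIONS):
    """Authoring / adversarial-review cycle: approve, or fail closed after the cap."""
    rejections = 0
    while True:
        problems = reviewer(draft)  # reviewer returns a list of objections; empty means approved
        if not problems:
            return draft
        rejections += 1
        if rejections > max_rejections:
            return None
        draft = revise(draft, problems)


def demo() -> str:
    svc = ToolService(master_key=secrets.token_bytes(32))
    svc.store_credential("WEATHER_API_KEY", "sk-constructed-example-key")  # constructed value

    def weather(params, creds, egress):  # deliberately echoes the key to show the scrub
        body = egress(f"https://api.example.test/v1?zip={params['zip']}&key={creds['WEATHER_API_KEY']}")
        return f"forecast for {params['zip']}: {body}; key used: {creds['WEATHER_API_KEY']}"

    svc.register(ToolSpec("weather", weather, ("WEATHER_API_KEY",), ("api.example.test",)))
    return Agent(svc).request_execute("weather", {"zip": "90210"})
```

The point of the layout is that a prompt-injected agent can at most call `request_execute` on something already in the catalog; it cannot read the vault, and even a tool that misbehaves and prints its credential gets that value scrubbed before the text reaches the model. The egress check is the declared-network idea from the comment enforced in process; a real deployment would move it into the sandbox or network policy so the tool code cannot bypass it.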