Back to KB
Difficulty
Intermediate
Read Time
8 min

A tour of actpkg — components on the protocol

By Codcompass Team··8 min read

Current Situation Analysis

Agent tooling has historically suffered from a fundamental architectural mismatch: developers build monolithic servers to expose discrete capabilities. Traditional MCP implementations bundle transport, authentication, business logic, and state management into a single process. This creates a fragile attack surface, forces language-specific deployments, and makes capability scoping nearly impossible. When an agent needs to interact with five different APIs, teams typically spin up five separate servers, each with its own dependency tree, credential store, and network footprint.

The ACT protocol addresses this by decoupling tool dispatch from state and transport. The core specification is deliberately minimal: a CBOR-based invocation interface with optional packages for sessions, events, and resources. Instead of shipping full servers, developers publish capability-granted WebAssembly components to OCI registries. Each component declares exactly what it can access (filesystem paths, network hosts, cryptographic operations) and nothing more. The operator enforces these boundaries at runtime, eliminating the need for complex proxy layers or network segmentation.

Despite its elegance, the component model remains underutilized. Most engineering teams default to familiar server patterns because the mental shift from "process isolation" to "capability isolation" requires rethinking how tools are composed, versioned, and secured. Additionally, the ecosystem is still maturing, with language SDKs and bridge adapters rolling out incrementally. The result is a gap between what the protocol enables (deterministic, auditable, cross-language tooling) and what most teams actually deploy (replicated, opaque servers). Bridging this gap requires understanding how to structure components around data-plane, bridge, and pure-function patterns, and how to leverage session-based state management to avoid duplication.

WOW Moment: Key Findings

The architectural shift from monolithic servers to capability-granted components isn't just a packaging change—it fundamentally alters how tools scale, secure, and interoperate. When you compare traditional deployment models against ACT's component architecture, the compounding value of session-based bridges and strict capability boundaries becomes immediately apparent.

Deployment ModelSandbox GranularityProtocol Translation CostState Management
Monolithic MCP ServerProcess-level (all-or-nothing)High (custom adapters per API)In-memory or external DB
ACT WASM ComponentCapability-level (filesystem, network, crypto)Low (native bridges via sessions)Operator-granted, ephemeral or persistent

This finding matters because it decouples tool functionality from infrastructure overhead. A single bridge component can front hundreds of upstream services by treating each connection as an isolated session. Credentials, base URLs, and retry policies live in session arguments rather than hardcoded configuration or per-call metadata. Meanwhile, pure-function components run with zero declared capabilities, guaranteeing they cannot leak data or make unintended network calls. The result is a toolchain where security boundaries are explicit, deployment artifacts are cryptographically attested, and cross-protocol translation becomes a configuration problem rather than a codebase problem.

Core

🎉 Mid-Year Sale — Unlock Full Article

Base plan from just $4.99/mo or $49/yr

Sign in to read the full article and unlock all 635+ tutorials.

Sign In / Register — Start Free Trial

7-day free trial · Cancel anytime · 30-day money-back