Where should this permission layer live?

After running the Trust Graduation demo, send one sharp critique: should action-class permission live in each agent app, in MCP/tool metadata, in evals and observability, or as a separate receipt layer?

Name Email Role or company Critique or question Company site Send critique