Skip to main content
Author(s): nikomatsakis

Elevator pitch

What are you proposing to change?
Add proxy chain capabilities to ACP that allow components to intercept and transform messages between clients and agents, enabling composable agent architectures where techniques like context injection, tool coordination, and response filtering can be extracted into reusable components.

Status quo

How do things work today and what problems does this cause? Why would we change things?
The AI agent ecosystem has developed a wide variety of extension mechanisms: AGENTS.md files, Claude Code plugins and skills, rules and steering files, hooks, MCP servers, etc. Of these, only MCP servers and AGENTS.md files have achieved any standardization across the ecosystem. The popularity of MCP servers demonstrates a clear desire for portable extensions that work across different clients and agents. Many MCP servers come with instructions like “add this text to your context to help the agent use the MCP server correctly,” showing that developers want their tools to work seamlessly without manual configuration. However, MCP servers are fundamentally limited because they sit “behind” the agent. They can provide tools and respond to function calls, but they cannot:
  • Inject or modify prompts before they reach the agent
  • Add global context that persists across conversations
  • Transform responses before they reach the user
  • Respond to async events outside the request-response cycle
  • Coordinate between multiple agents or manage conversation flow
This creates a gap in the ecosystem. Developers want portable, composable extensions, but the only standardized mechanism (MCP) can’t handle many common use cases. As a result, valuable techniques like context management, conversation orchestration, and response processing remain locked within individual agent implementations. Users end up choosing agents not just based on model quality, but on which specific extensions and capabilities are built in. There’s no way to take the context injection from one system, the tool coordination from another, and the response filtering from a third, and combine them with your preferred base model.

What we propose to do about it

What are you proposing to improve the situation?
We propose extending ACP to enable creating proxies, ACP components that sit between the client and the agent. Because proxies can do anything a client could do, they serve as a kind of “universal extension mechanism” that can subsume AGENTS.md, hooks, MCP servers, etc. Part of the proxy protocol includes the ability to send and receive MCP messages, enabling a single component to (1) add an MCP server to a session and then (2) handle those MCP tool requests. This effectively creates a way for agents to “callback” to a proxy, enabling rich bidirectional interactions beyond simple message transformation. Proxies are limited to the customizations exposed by ACP itself, so they would benefit from future ACP extensions like mechanisms to customize system prompts. However, they can already handle the majority of common extension use cases through message interception and transformation.

Proxying in theory

Conceptually, proxies work like a chain where messages flow through each component: (As described in the “Proxying in Practice” section, proxies in our design do not actually communicate directly with their successor, but instead use a central conductor. For the purposes of explaining the protocol, however, this section will continue to show diagrams “as if” proxies were in direct communication with each other.)

Proxying MCP requests through ACP

When proxing a session/new request, proxies can add MCP servers using a new transport type, "acp". When agents invoke an MCP server that uses "acp" transport, the MCP requests are sent through the ACP channel. (To accommodate existing agents, our conductor will automatically bridge MCP servers using "acp" transport to use "stdio" transport.) Leveraging "acp" transport allows a single ACP proxy to do all of the following:
  1. Add context by analyzing the project and injecting relevant documentation
  2. Provide tools via MCP server that understand the injected context
  3. Handle callbacks when the agent uses those tools, with full awareness of the conversation state
Example Flow (Idealized): Context Proxy (with MCP server) → Filter Proxy → Agent This demonstrates how proxy chains enable rich, context-aware tooling that would be difficult to achieve with traditional MCP servers alone.

Proxing in practice: the role of the conductor

To allow for proxy isolation, our design does not have proxies communicate directly with their successor in the chain. Instead, there is a central conductor component that handles routing messages between components. We add one ACP method for proxy communication:
  • proxy/successor: Used bidirectionally - proxies send it to forward messages to their successor, and the conductor sends it to deliver messages from the successor back to the proxy
Here’s how a single message flows through the system:

Shiny future

How will things will play out once this feature exists?

User Experience and Editor Integration

We expect editors to expose the ability to install proxies in the same way they currently support adding MCP servers - in fact, the distinction probably doesn’t matter to users. Both are “extensions” that add capabilities to their AI workflow. When proxies are installed, editors would not start the agent directly, but instead invoke the conductor with the configured proxy chain. From the user’s perspective, they’re just getting enhanced agent capabilities - the proxy chain architecture remains transparent.

Language-Specific Proxy Ecosystems

The monolithic nature of agent development has meant that most of the “action” happens within agents. We wish to invert this, with agents trending towards simple agentic loops, and the creativity being pushed outwards into the broader ecosystem. The Symposium project is one example exploring this concept, with a focus on Rust. The idea is to give Rust users an automatic set of extensions based on the dependencies they are using. These extensions would be packaged up as SACP proxies using WebAssembly for portability and sandboxing. Symposium aims to become the standard “Rust ACP experience” by providing both core Rust tooling and a framework for Rust libraries to contribute their own proxy components.

Standardized IDE Capabilities

Proxy infrastructure could also enable editors to expose standardized IDE capabilities (diagnostics, file system access, terminal APIs) to agents via MCP servers provided by proxies. This keeps the core ACP protocol focused on agent communication while allowing rich IDE integration through the proxy layer.

Implementation details and plan

Tell me more about your implementation. What is your detailed implementation plan?

Component Roles

ACP defines client and agent as superroles, each with two specializations: Terminal roles: Standard ACP behavior - direct client-to-agent communication. Non-terminal roles: Extended ACP behavior - clients manage proxy chains, agents forward to successors. Example Architecture:

Capability Reference

MCP-over-ACP Transport ("mcp_acp_transport": true)
  • Indicates a component can handle MCP messages with "transport": "acp"
  • Must handle mcp/connect, mcp/message, and mcp/disconnect messages
  • Enables seamless MCP server provision and tool callbacks

Proxy Initialization Protocol

Components discover their role from the initialization method they receive:
  • Proxies receive proxy/initialize - they have a successor and should forward messages
  • Agents receive initialize - they are terminal and process messages directly
The proxy/initialize request has the same parameters as initialize and expects a standard InitializeResponse. The only difference is the method name, which signals to the component that it should operate as a proxy. Conductor behavior:
  • The conductor MUST send proxy/initialize to all proxy components
  • The conductor MUST send initialize to the final agent component
  • When a proxy forwards an initialize via proxy/successor, the conductor determines whether the successor is another proxy or the agent, and sends the appropriate method
Proxy behavior:
  • A proxy that receives proxy/initialize knows it has a successor
  • The proxy SHOULD forward requests it does not understand
  • The proxy SHOULD preserve metadata fields when forwarding messages
Note: A conductor can be configured to run in either terminal mode (expecting initialize) or proxy mode (expecting proxy/initialize), enabling nested proxy chains.

MCP Transport Capability Initialization

MCP transport capability negotiation follows different rules depending on the relationship:
  • Conductor ↔ proxy initialization: The conductor MUST offer "mcp_acp_transport": true in the proxy/initialize request. The proxy MUST respond with "mcp_acp_transport": true - all proxies are required to support MCP servers that use ACP transport.
  • Terminal client ↔ terminal agent initialization: The client MAY offer "mcp_acp_transport": true in the initialize request. The agent MAY respond with "mcp_acp_transport": true if it supports native MCP-over-ACP transport.
Note: Because a conductor MUST offer "mcp_acp_transport" to each proxy but terminal agents are not obligated to support it, the conductor MUST bridge MCP servers using ACP transport to alternative transport methods (such as stdio) when the agent lacks native support.

Message Reference

Initialization: 
// Conductor initializes a proxy (proxy knows it has a successor)
{"method": "proxy/initialize", "params": <INITIALIZE_REQUEST_PARAMS>}

// Conductor initializes the agent (standard ACP)
{"method": "initialize", "params": <INITIALIZE_REQUEST_PARAMS>}
Both methods use the same parameters as the standard ACP InitializeRequest and expect a standard InitializeResponse. Proxy Messages: 
// Proxy sends message to successor, or conductor delivers message from successor
// (same method, direction determined by sender)
{
  "method": "proxy/successor",
  "params": {
    "method": "<INNER_METHOD>",
    "params": <INNER_PARAMS>,
    "meta": { ... }            // optional metadata
  }
}
The inner message fields (method, params) are flattened into the params object. Whether the wrapped message is a request or notification is determined by the presence of an id field in the outer JSON-RPC envelope, following JSON-RPC conventions. MCP Messages: 
// Establish MCP connection
{"method": "mcp/connect", "params": {"acpUrl": "acp:<UUID>", "meta": {...}}}
// Response: {"connectionId": "<CONNECTION_ID>", "meta": {...}}

// Send MCP message (bidirectional - agent↔proxy)
{
  "method": "mcp/message",
  "params": {
    "connectionId": "<CONNECTION_ID>",
    "method": "<MCP_METHOD>",
    "params": <MCP_PARAMS>,
    "meta": { ... }
  }
}

// Close MCP connection
{"method": "mcp/disconnect", "params": {"connectionId": "<CONNECTION_ID>", "meta": {...}}}
The connectionId is obtained from the mcp/connect response. The inner MCP message fields are flattened into the params object, similar to proxy/successor. The acpUrl in the connect request identifies which proxy component owns the MCP server.

MCP Transport Extension

We extend the MCP JSON schema to support ACP as a new transport type alongside existing stdio and HTTP transports. Extended MCP Server Schema: 
{
  "type": "object",
  "properties": {
    "transport": {
      "type": "string",
      "enum": ["stdio", "http", "acp"]
    }
  },
  "allOf": [
    {
      "if": {
        "properties": { "transport": { "const": "stdio" } }
      },
      "then": {
        "properties": {
          "command": { "type": "string" },
          "args": { "type": "array", "items": { "type": "string" } }
        },
        "required": ["command"]
      }
    },
    {
      "if": {
        "properties": { "transport": { "const": "http" } }
      },
      "then": {
        "properties": {
          "url": { "type": "string" },
          "headers": { "type": "object" }
        },
        "required": ["url"]
      }
    },
    {
      "if": {
        "properties": { "transport": { "const": "acp" } }
      },
      "then": {
        "properties": {
          "uuid": {
            "type": "string",
            "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
          }
        },
        "required": ["uuid"]
      }
    }
  ]
}
Example ACP Transport Declaration: 
{
  "tools": {
    "mcpServers": {
      "filesystem": {
        "transport": "acp",
        "uuid": "550e8400-e29b-41d4-a716-446655440000"
      }
    }
  }
}

Examples (Non-normative)

The following sequence diagrams illustrate common proxy chain scenarios for implementers.

Initialization of a 4-Component Proxy Chain

This shows the initialization flow for: Terminal Client → Conductor → Context Proxy → Tool Filter Proxy → Terminal Agent

Context-Providing MCP Server with Session Notifications

This example shows how a proxy can handle initialization and forward session notifications. Sparkle (a collaborative AI framework) runs an embodiment sequence during session creation. This demonstrates how proxies can run initialization sequences during session creation while transparently forwarding all session notifications back to the client.

Frequently asked questions

What questions have arisen over the course of authoring this document or during subsequent discussions?

Why use a separate proxy/initialize method instead of a capability?

Earlier designs used a "proxy": true capability in the InitializeRequest and required proxies to echo it back in the response. This felt awkward because it wasn’t really a capability negotiation - it was more of a “you must operate as a proxy” directive. Using a distinct method makes the contract clearer: if you receive proxy/initialize, you’re a proxy with a successor; if you receive initialize, you’re the terminal agent. There’s no capability dance, no risk of misconfiguration, and components know their role immediately from the method name.

How do proxies correlate MCP requests with sessions?

When a proxy adds an MCP server to a session/new request, it uses a fresh ACP-ID (the uuid field) that the proxy controls. When MCP-over-ACP messages arrive with that ACP-ID, the proxy can correlate them back to the originating session. This approach avoids a potential deadlock: some agents don’t return the session-id until after MCP servers have been initialized. If proxies needed the session-id to handle MCP requests during initialization, they would be stuck waiting for a value that depends on their response. By using a fresh ACP-ID per session instead, proxies maintain full correlation capability without circular dependencies. The proxy knows which session spawned which ACP-ID, so it can always map MCP requests back to their originating session context.

How do proxies subsume existing agent extension mechanisms?

Because proxies sit between the client and agent, they can replicate the functionality of existing extension mechanisms:
  • AGENTS.md files: Proxies can inject context and instructions into prompts before they reach the agent
  • Claude Code plugins/skills: Proxies can add contextual data for available skills and provide MCP resources with detailed skill instructions that are provided on-demand when requested by the agent
  • MCP servers: Proxies can provide tools via the MCP-over-ACP protocol and handle tool callbacks
  • Subagents: Proxies can create “subagents” by initiating new sessions and coordinating between multiple agent instances
  • Hooks and steering files: Proxies can modify conversation flow by intercepting requests and responses
  • System prompt customization: Proxies can switch between predefined session modes or prepend system messages to prompts
The key advantage is that proxy-based extensions work with any ACP-compatible agent without requiring agent-specific integration or modification.

Are there any limitations to what proxies can do?

Yes, proxies are limited to what is available through the ACP protocol itself. They can intercept and transform any ACP message, but they cannot access capabilities that ACP doesn’t expose. For example, proxies cannot directly modify an agent’s system prompt or context window - they can only switch between predefined session modes (which may affect system prompts) or prepend additional messages to prompts. Similarly, proxies cannot access internal agent state, model parameters, or other implementation details that aren’t exposed through ACP messages. This is actually a feature - it ensures that proxy-based extensions remain portable across different agent implementations and don’t rely on agent-specific internals.

How does the standard conductor implementation work?

The sacp-conductor reference implementation can form trees of proxy chains. It can be configured to run in proxy mode (expecting proxy/initialize) or terminal mode (expecting initialize). When the last proxy in its managed chain sends a message to its successor, the conductor forwards that message to its own parent conductor (if in proxy mode) or to the final agent (if in terminal mode). This enables hierarchical structures like: 
client → conductor1 → final-agent
             ↓ manages
         proxy-a → conductor2 → proxy-d
                      ↓ manages
                  proxy-b → proxy-c
The conductor handles process management, capability negotiation, and message routing, but these are implementation details - the protocol only specifies the message formats and capability requirements.

What’s the current implementation status?

A prototype version of this proposal has been implemented and is available on crates.io as the crates
  • sacp — base ACP protocol SDK
    • sacp-tokio — adds specific utilities for use with the tokio runtime
  • sacp-proxy — extensions for implementing a proxy
    • sacp-rmcp — adds specific proxy extension traits for bridging to the rmcp crate
  • sacp-conductor — reference conductor implementation
The canonical sources for those crates is currently the [symposium-dev/symposium-acp] repository. However, copies have been upstreamed to the agentclientprotocol/rust-sdk repository and, if and when this RFD is accepted, that will become the canonical home.

Why not just cascade ACP commands without protocol changes?

One alternative is to make proxies be ordinary agents that internally create and manage their successors. This works (HTTP proxies operate this way) but requires each proxy to understand the full chain and know how to start its successors. This couples proxies to transport mechanisms, process management, and chain configuration. Changing transports, reordering the chain, or inserting a new proxy requires modifying predecessor configurations. The conductor design decouples proxies from their successors. Proxies send messages “to successor” and receive messages “from successor” without knowing who that successor is, how it’s started, or what transport it uses. This enables:
  • Changing transport protocols or process management without recompiling proxies
  • Shipping proxies as low-capability WASM containers that need only a single communication channel
  • Reordering, adding, or removing proxies through configuration rather than code changes
The tradeoff is protocol complexity, but this complexity lives in the conductor (implemented once) rather than being duplicated across proxy implementations.

Why do all messages go through the conductor instead of direct proxy-to-proxy communication?

Even with a conductor, proxies could communicate directly with their successors after the conductor sets up connections. Routing all messages through the conductor further minimizes proxy responsibilities to a single communication channel. This supports running proxies as isolated WebAssembly components with minimal capabilities. It also removes redundant logic: without the conductor routing messages, each proxy would need to manage connections to its successor. The conductor handles process management, capability negotiation, and message routing, allowing proxies to focus on transformation logic.

What about security concerns with proxy chains?

Proxy components can intercept and modify all communication, so trust is essential - similar to installing any software. Users are responsible for the components they choose to run. We plan to explore WebAssembly-based proxies which will offer some measure of sandboxing but such components could still modify prompts in unknown or malicious ways.

What about performance implications of the proxy chain?

Our architecture does introduce additional message passing - each proxy in the chain adds extra hops as messages flow through the conductor. However, these messages are typically small and inexpensive, particularly when compared to the latency of actual LLM inference. For messages that contain significant quantities of data (large file contents, extensive context), we may wish to have the conductor store that data centrally and introduce a “reference” mechanism so that most proxies don’t have to inspect or copy large payloads unless they specifically need to transform them. The benefits of composability typically outweigh the minimal latency costs for human-paced development interactions.

What happens when proxy components crash or misbehave?

The conductor manages component lifecycles:
  • Failed components are restarted automatically where possible
  • Component crashes don’t affect the rest of the chain
  • Graceful degradation by bypassing failed components
  • Clear error reporting to help users debug configuration issues

Can proxy chains be nested or form trees?

Yes! The conductor can itself run in proxy mode, enabling hierarchical structures: 
client → proxy1 → conductor (proxy mode) → final-agent
                      ↓ manages
                  p1 → p2 → p3
This enables complex compositions while maintaining clean interfaces.

How could proxy chains support multi-agent scenarios in the future?

The current design assumes a linear chain where each proxy has a single successor. To support M:N topologies where a proxy communicates with multiple peers (e.g., a research coordinator dispatching to multiple specialized agents), we could extend proxy/successor with an optional peer field: 
{
  "method": "proxy/successor",
  "params": {
    "method": "prompt",
    "params": { ... },
    "peer": "research-agent"
  }
}
When peer is omitted, the message goes to the default successor (backwards compatible with the current linear chain model). When present, it specifies which peer the message is intended for. The proxy/initialize response could be extended to enumerate available peers, enabling proxies to discover and coordinate between multiple downstream components.

Why are MCP and proxy messages separate instead of unified as “peers”?

The mcp/* messages and proxy/successor are structurally similar - both wrap an inner message and route it to a destination. A unified design might use peer/connect, peer/message, and peer/disconnect for everything, where the successor is just another peer (with peer: "successor"). We kept them separate because successors and MCP servers have different lifecycle semantics:
  • Successors are implicit and permanent. When a proxy receives proxy/initialize, its successor already exists and will exist for the proxy’s entire lifetime. The proxy doesn’t need to think about connecting or disconnecting - it just forwards messages. This simplicity is intentional: proxies shouldn’t need to manage successor lifecycle, and the conductor doesn’t need to handle dynamic successor creation.
  • MCP servers require explicit connection management. When the conductor bridges an MCP server via stdio, it spawns a new process. Multiple connections to the same MCP server are possible (different connection IDs). The mcp/connect and mcp/disconnect lifecycle is necessary because these connections are dynamic and multiplexed.
A unified peer/* approach would require proxies to explicitly connect to their successor on startup, implying more generality than the current design intends. It would also require the conductor to support starting successors multiple times, which adds complexity for a capability we don’t currently need. That said, if M:N topologies become common, revisiting this unification might make sense, and the MCP server protocol could be a model for more general “peers”.

Revision history

Initial draft based on working implementation in symposium-acp repository.