Dify Field Guide

How to ship a Dify app with MCP tools.

The useful unit is one governed workflow: Dify as the visible app, MCP as the tool boundary, and Policy OS as the approval, eval, runbook, and proof layer.

Request Trust Map Read Control Plane

Operating path

Ship the smallest workflow that can be inspected.

Do not start with a generic agent. Start with a workflow whose owner, tools, approval path, and proof can be named.

Name the workflow and owner

Start with the business path, source systems, approval owner, failure mode, and first safe delegation point.

Write the MCP boundary

List allowed tools, read resources, setup steps, auth scopes, forbidden actions, and harmless smoke checks.

Package the Dify surface

Build the Dify workflow or chatflow, connect MCP tools, publish the app, and preserve a DSL or manifest snapshot.

Gate behavior before launch

Run expected tool use, forbidden tool use, write confirmation, secret refusal, latency, and cost checks.

Publish client-safe proof

Share route health, gate names, pass/fail status, release notes, and sanitized examples without raw traces.

Diagram showing Dify as the app surface, MCP as the tool boundary, Policy OS as the control layer, and proof as the release surface. — Original visual **The shipping path is surface, boundary, control, proof.**
This owned diagram keeps the implementation legible: Dify carries the app, MCP scopes capability, Policy OS governs behavior, and proof explains what changed.
Created by CREATE SOMETHING for this field guide.

Contract bundle

The app ships with artifacts, not just prompts.

A Dify workflow becomes governable when its tool access, behavior, outcome, tests, and operating steps are separate enough to review.

mcp_contract.yaml

Capability contract

Tool schemas, resource URIs, auth scopes, setup state, error model, and safe smoke input.

agent_contract.yaml

Behavior contract

Allowed actions, approval-needed actions, blocked actions, escalation triggers, runtime surface, and graduation status.

outcome_contract.md

Success contract

The business result, fallback path, owner responsibility, review cadence, and measurable acceptance criteria.

golden_tasks.yaml

Regression contract

Positive and negative examples that prove normal tool use, refusal behavior, and approval pauses still work.

runbook.md

Operating contract

How to publish, pause, rotate access, handle incidents, roll back, and hand the workflow to a new operator.

Eval gates

Run gates where the workflow can overreach.

The goal is not a generic benchmark. The goal is evidence that changes a publish, hold, rollback, or scope decision.

Health

Service API and MCP reachability

The app can call the expected Dify API path and the MCP server card can answer a harmless read.

Expected path

Correct tool choice

Normal examples call the intended read, search, draft, classify, or handoff tool instead of improvising.

Forbidden path

No unsafe writes

The app does not call post, delete, refund, export, broad-search, or account-mutation tools outside the contract.

Approval

Pause before impact

Customer-facing, revenue-touching, or irreversible actions stop with context and options for the named owner.

Secrets

Credential refusal

The app refuses requests for tokens, private traces, broad account records, and prompt-injection disclosure.

Operations

Latency and cost envelope

The workflow stays inside the agreed response and spend range, or it narrows scope before launch.

Worked example

For support triage, the same workflow has four different decisions.

This is the quality bar from the papers applied to one Dify app: every tool call needs a state, owner, evidence path, and stop condition.

Auto-allow

Read ticket and account context

The app can read scoped records and summarize the customer state when the MCP contract limits the account boundary.

Auto-allow

Draft the reply

The app can prepare a customer-safe draft with cited source records, but it does not send the message yet.

Wait

Post the reply

The app pauses for the support owner when the action becomes customer-facing or affects account trust.

Stop

Refund, delete, or disclose secrets

The app refuses or escalates when the request exceeds the support lane, touches revenue, or asks for private evidence.

Proof

Separate client-safe proof from private evidence.

Buyers need enough proof to trust the workflow. Operators still need private traces, eval runs, credentials, account records, and incident notes protected.

Public

What buyers can inspect

App purpose, workflow boundary, gate names, latest pass/fail status, release note, fallback path, and owner.

Private

What operators keep

Dify DSL snapshots, Langfuse traces, Braintrust runs, prompt variants, credentials, account records, and incident notes.

Decision

What changes autonomy

Passing evidence can expand scope. Failing evidence narrows tools, adds approval, rolls back, or keeps a manual path.

Research lineage

This guide is the implementation form of the current paper stack.

The `.io` papers define the operating model. This `.agency` guide turns that model into a route a builder, operator, or agency can use before shipping a Dify app.

.io paper

Workflow Trust Layer

The operating model behind run, wait, stop, approval owners, receipts, and runtime graduation.

.io paper

Policy OS Contract Bundle

The artifact family this guide applies: MCP contract, agent contract, outcome contract, golden tasks, and runbook.

.io paper

Eval Evidence Layer

The measurement split behind Langfuse runtime traces, Braintrust MCP gates, and release decisions.

.io paper

Proof Surface

The public/private evidence boundary that keeps client-safe proof readable without leaking raw traces.

Experiment lineage

The experiment trail keeps the guide from becoming generic advice.

The quality standard is implementation evidence: MCP writes, agent continuity, agent-native tools, and review lineage all informed the current shipping path.

.io experiment

Template Recategorization

Validated MCP write work: human intent, agent interpretation, protocol boundary, and database state update.

.io experiment

Agent Continuity

Why long-running agent work needs durable artifacts so a new session can re-enter the workflow.

.io experiment

Webflow Plagiarism Detection

Classic algorithms and AI tiers became useful to agents once exposed through MCP tools.

.io experiment

Webflow Analyzer Lineage

A narrow analysis problem became governed review only after the evidence and policy surfaces separated.

Common mistakes

Most failures come from collapsing the layers.

The app, tool boundary, evidence stream, and operating proof should stay separate enough that another operator can inspect them.

Mistake

Starting with every tool

Broad tool access makes the app look powerful while making review, context, and liability harder to control.

Mistake

Treating tracing as proof

Traces are evidence. The proof surface is the business-readable receipt that explains what the evidence means.

Mistake

Replacing Dify too early

Move runtime-critical pieces to code only when the evidence justifies losing visual editing speed.

Sources

The recommendation follows the current Dify surfaces.

Dify provides the app and publishing model, MCP connects external tools, and Langfuse can monitor app performance. CREATE SOMETHING adds the workflow contract, eval gate, and proof surface.

Dify

App concepts

Dify app types, published web/API access, and app-as-MCP-server positioning.

Dify

Use MCP tools

Dify documentation for connecting external MCP server tools to apps.

Dify

API publishing

Dify documentation for using an app as a backend API service.

Dify

Langfuse integration

Dify documentation for app performance tracing with Langfuse.