I think language grammars are an interesting way to define a ruleset too. Forget REST APIs or MCP Servers for a second... Define a domain-specific language, and let the language model generate a valid instruction within the confines of that grammar.

Then pass the program; your server or application can parse the instructions and work from the generated AST to do all sorts of interesting things, within the confines of your language features.

It's verifiable, since you are providing within the defined grammar, and with the parser provided.

It is implicitly sandboxed by the powers you give (or rather exclude) to your runtime via an interpreter/compiler.

I've tried this before for a grammar I defined for searching documents, and found it to be quite good at creating valid, often complex search instructions.
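
A minimal version of the approach described in this comment, as an added example that is not the commenter's code: a hypothetical document-search grammar (the field names, `MAX_LEN` and the sample `DOCS` are assumptions) with a parser that rejects anything outside the grammar and an interpreter whose only capability is word matching on whitelisted fields.

```python
import re

# Hypothetical search DSL (assumed for this example, not the commenter's grammar):
#   expr := and ("OR" and)*        and := unary ("AND" unary)*
#   unary := "NOT" unary | "(" expr ")" | FIELD ":" WORD
FIELDS = {"title", "body", "tag"}  # the only document fields a query can reach
MAX_LEN = 128                      # caps input size and parser recursion depth
TOKEN = re.compile(r"\s*(?:(AND|OR|NOT)\b|([()])|(\w+):(\w+))")
DOCS = [{"title": "TLS guide", "tag": "crypto"},   # constructed sample documents
        {"title": "SSH guide", "tag": "infra"}]

def tokenize(src):
    if len(src) > MAX_LEN: raise ValueError("query too long")
    src, pos, out = src.rstrip(), 0, []
    while pos < len(src):
        m = TOKEN.match(src, pos)
        if not m: raise ValueError(f"invalid token at offset {pos}")
        kw, paren, field, word = m.groups()
        if field and field not in FIELDS: raise ValueError(f"unknown field {field!r}")
        out.append(kw or paren or (field, word.lower()))
        pos = m.end()
    return out

def parse(src):  # returns an AST of nested tuples, or raises ValueError
    toks = tokenize(src)
    def binary(op, sub):
        node = sub()
        while toks and toks[0] == op:
            node = (toks.pop(0), node, sub())  # pop runs first, then sub()
        return node
    def unary():
        if not toks: raise ValueError("unexpected end of input")
        t = toks.pop(0)
        if t == "NOT": return ("NOT", unary())
        if t == "(":
            node = expr()
            if not toks or toks.pop(0) != ")": raise ValueError("expected ')'")
            return node
        if isinstance(t, tuple): return ("MATCH", *t)
        raise ValueError(f"unexpected token {t!r}")
    def expr(): return binary("OR", lambda: binary("AND", unary))
    ast = expr()
    if toks: raise ValueError(f"trailing input {toks[0]!r}")
    return ast

def evaluate(ast, doc):  # interpreter with no I/O: it can only compare words
    op, *args = ast
    if op == "MATCH": return args[1] in doc.get(args[0], "").lower().split()
    vals = [evaluate(a, doc) for a in args]
    return not vals[0] if op == "NOT" else all(vals) if op == "AND" else any(vals)
```

Model output is passed to `parse` as untrusted text; only an AST that parsed completely is ever handed to `evaluate`.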