feat(protocol): add authored runtime and team configs

spec/agent-runtime-v1.md

@@ -0,0 +1,105 @@
+# Agent Runtime Config v1
+
+`SETTINGS.yaml` is the human-authored source of truth for portable runtime intent in this repo.
+
+Team inventory metadata is defined separately in `TEAM.yaml` (see `spec/team-protocol-v1.md`). This spec only covers runtime policy.
+
+## Goals
+
+- Keep one editable config for approval, filesystem, network, and model intent.
+- Generate backward-compatible Claude and Codex outputs from that shared intent.
+- Make adapter lossiness explicit where provider config surfaces do not line up.
+
+## Scope
+
+Version 1 standardizes:
+
+- portable model tier and reasoning level
+- filesystem access intent
+- approval intent
+- network access intent
+- portable tool classes
+- protected path rules
+- dangerous shell command prompts
+- target-specific escape hatches only when the target exposes settings with no shared equivalent
+
+Version 1 does not attempt to standardize:
+
+- every provider model name
+- provider-specific tool grammars
+- every future runtime capability for local agents, IDE plugins, or hosted agents
+
+## Shared fields
+
+### `model`
+
+- `class`: `fast | balanced | powerful`
+- `reasoning`: `low | medium | high | max`
+
+### `runtime`
+
+- `filesystem`: `read-only | workspace-write`
+- `approval`: `manual | guarded-auto | full-auto`
+- `network_access`: boolean
+- `tools`: portable tool classes such as `shell`, `read`, `edit`, `write`, `glob`, `grep`, `web_fetch`, `web_search`
+
+### `safety`
+
+- `protected_paths`: glob patterns that should remain blocked from normal reads or writes
+- `dangerous_shell_commands.ask`: shell command patterns that should remain approval-gated
+
+### `targets`
+
+Target blocks are escape hatches, not the main schema. Use them only where a runtime exposes a knob with no shared equivalent.
+
+Current target-specific fields:
+
+- `targets.claude.claude_md_excludes`
+- `targets.codex.approval_policy`
+- `targets.codex.network_access`
+
+## Adapter rules
+
+### Claude Code
+
+`settings.json` is generated as a compatibility artifact.
+
+- `runtime.filesystem = read-only` -> `permissions.defaultMode = "plan"`
+- `runtime.filesystem = workspace-write` -> `permissions.defaultMode = "acceptEdits"`
+- `runtime.tools` -> Claude tool allow-list
+- `safety.protected_paths` -> Claude `deny` entries for `Read`, `Write`, and `Edit`
+- `dangerous_shell_commands.ask` -> Claude `ask` entries wrapped as `Bash(...)`
+
+Lossiness:
+
+- Claude vends `allow` / `deny` / `ask` as tool-pattern rules.
+- Shared `approval` intent does not map 1:1 to Claude beyond `plan` vs `acceptEdits`.
+
+### Codex CLI
+
+`codex/config.toml` is generated directly from shared intent.
+
+- `runtime.filesystem = read-only` -> `sandbox_mode = "read-only"`
+- `runtime.filesystem = workspace-write` -> `sandbox_mode = "workspace-write"`
+- `runtime.approval = manual` -> `approval_policy = "on-request"`
+- `runtime.approval = guarded-auto` -> `approval_policy = "untrusted"`
+- `runtime.approval = full-auto` -> `approval_policy = "never"`
+- `runtime.network_access` -> `[sandbox_workspace_write].network_access`
+
+Lossiness:
+
+- Codex does not expose Claude-style per-tool `allow` / `deny` / `ask` pattern controls in `config.toml`.
+- Protected paths and dangerous command prompts are therefore only partially representable in Codex config today.
+
+## Compatibility contract
+
+The repo preserves these compatibility artifacts:
+
+- `settings.json`
+- `claude/settings.json`
+- `claude/CLAUDE.md`
+- `codex/config.toml`
+- `codex/AGENTS.md`
+- generated agent outputs for both targets
+
+These are build artifacts, not authored source files. `SETTINGS.yaml` is the required runtime input.