agent-team/spec/agent-runtime-v1.md

Agent Runtime Config v1

SETTINGS.yaml is the human-authored source of truth for portable runtime intent in this repo.

Team inventory metadata is defined separately in TEAM.yaml (see spec/team-protocol-v1.md). This spec only covers runtime policy.

Goals

• Keep one editable config for approval, filesystem, network, and model intent.
• Generate backward-compatible Claude and Codex outputs from that shared intent.
• Make adapter lossiness explicit where provider config surfaces do not line up.

Scope

Version 1 standardizes:

• portable model tier and reasoning level
• filesystem access intent
• approval intent
• network access intent
• portable tool classes
• protected path rules
• dangerous shell command prompts
• target-specific escape hatches only when the target exposes settings with no shared equivalent

Version 1 does not attempt to standardize:

• every provider model name
• provider-specific tool grammars
• every future runtime capability for local agents, IDE plugins, or hosted agents

Shared fields

model

• class: fast | balanced | powerful
• reasoning: low | medium | high | max

runtime

• filesystem: read-only | workspace-write
• approval: manual | guarded-auto | full-auto
• network_access: boolean
• tools: portable tool classes such as shell, read, edit, write, glob, grep, web_fetch, web_search

safety

• protected_paths: glob patterns that should remain blocked from normal reads or writes
• dangerous_shell_commands.ask: shell command patterns that should remain approval-gated

targets

Target blocks are escape hatches, not the main schema. Use them only where a runtime exposes a knob with no shared equivalent.

Current target-specific fields:

• targets.claude.claude_md_excludes
• targets.codex.approval_policy
• targets.codex.network_access

Adapter rules

Claude Code

settings.json is generated as a compatibility artifact.

• runtime.filesystem = read-only -> permissions.defaultMode = "plan"
• runtime.filesystem = workspace-write -> permissions.defaultMode = "acceptEdits"
• runtime.tools -> Claude tool allow-list
• safety.protected_paths -> Claude deny entries for Read, Write, and Edit
• dangerous_shell_commands.ask -> Claude ask entries wrapped as Bash(...)

Lossiness:

• Claude vends allow / deny / ask as tool-pattern rules.
• Shared approval intent does not map 1:1 to Claude beyond plan vs acceptEdits.

Codex CLI

codex/config.toml is generated directly from shared intent.

• runtime.filesystem = read-only -> sandbox_mode = "read-only"
• runtime.filesystem = workspace-write -> sandbox_mode = "workspace-write"
• runtime.approval = manual -> approval_policy = "on-request"
• runtime.approval = guarded-auto -> approval_policy = "untrusted"
• runtime.approval = full-auto -> approval_policy = "never"
• runtime.network_access -> [sandbox_workspace_write].network_access

Lossiness:

• Codex does not expose Claude-style per-tool allow / deny / ask pattern controls in config.toml.
• Protected paths and dangerous command prompts are therefore only partially representable in Codex config today.

Compatibility contract

The repo preserves these compatibility artifacts:

• settings.json
• claude/settings.json
• claude/CLAUDE.md
• codex/config.toml
• codex/AGENTS.md
• generated agent outputs for both targets

These are build artifacts, not authored source files. SETTINGS.yaml is the required runtime input.