bryan/agent-team
1
0
Fork 0
mirror of https://github.com/itme-brain/agent-team.git synced 2026-05-08 16:00:11 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
agent-team/spec/agent-runtime-v1.md

105 lines
3.5 KiB
Markdown
Raw Blame History

# Agent Runtime Config v1
`SETTINGS.yaml` is the human-authored source of truth for portable runtime intent in this repo.
Team inventory metadata is defined separately in `TEAM.yaml` (see `spec/team-protocol-v1.md`). This spec only covers runtime policy.
## Goals
- Keep one editable config for approval, filesystem, network, and model intent.
- Generate backward-compatible Claude and Codex outputs from that shared intent.
- Make adapter lossiness explicit where provider config surfaces do not line up.
## Scope
Version 1 standardizes:
- portable model tier and reasoning level
- filesystem access intent
- approval intent
- network access intent
- portable tool classes
- protected path rules
- dangerous shell command prompts
- target-specific escape hatches only when the target exposes settings with no shared equivalent
Version 1 does not attempt to standardize:
- every provider model name
- provider-specific tool grammars
- every future runtime capability for local agents, IDE plugins, or hosted agents
## Shared fields
### `model`
- `class`: `fast | balanced | powerful`
- `reasoning`: `low | medium | high | max`
### `runtime`
- `filesystem`: `read-only | workspace-write`
- `approval`: `manual | guarded-auto | full-auto`
- `network_access`: boolean
- `tools`: portable tool classes such as `shell`, `read`, `edit`, `write`, `glob`, `grep`, `web_fetch`, `web_search`
### `safety`
- `protected_paths`: glob patterns that should remain blocked from normal reads or writes
- `dangerous_shell_commands.ask`: shell command patterns that should remain approval-gated
### `targets`
Target blocks are escape hatches, not the main schema. Use them only where a runtime exposes a knob with no shared equivalent.
Current target-specific fields:
- `targets.claude.claude_md_excludes`
- `targets.codex.approval_policy`
- `targets.codex.network_access`
## Adapter rules
### Claude Code
`settings.json` is generated as a compatibility artifact.
- `runtime.filesystem = read-only` -> `permissions.defaultMode = "plan"`
- `runtime.filesystem = workspace-write` -> `permissions.defaultMode = "acceptEdits"`
- `runtime.tools` -> Claude tool allow-list
- `safety.protected_paths` -> Claude `deny` entries for `Read`, `Write`, and `Edit`
- `dangerous_shell_commands.ask` -> Claude `ask` entries wrapped as `Bash(...)`
Lossiness:
- Claude vends `allow` / `deny` / `ask` as tool-pattern rules.
- Shared `approval` intent does not map 1:1 to Claude beyond `plan` vs `acceptEdits`.
### Codex CLI
`codex/config.toml` is generated directly from shared intent.
- `runtime.filesystem = read-only` -> `sandbox_mode = "read-only"`
- `runtime.filesystem = workspace-write` -> `sandbox_mode = "workspace-write"`
- `runtime.approval = manual` -> `approval_policy = "on-request"`
- `runtime.approval = guarded-auto` -> `approval_policy = "untrusted"`
- `runtime.approval = full-auto` -> `approval_policy = "never"`
- `runtime.network_access` -> `[sandbox_workspace_write].network_access`
Lossiness:
- Codex does not expose Claude-style per-tool `allow` / `deny` / `ask` pattern controls in `config.toml`.
- Protected paths and dangerous command prompts are therefore only partially representable in Codex config today.
## Compatibility contract
The repo preserves these compatibility artifacts:
- `settings.json`
- `claude/settings.json`
- `claude/CLAUDE.md`
- `codex/config.toml`
- `codex/AGENTS.md`
- generated agent outputs for both targets
These are build artifacts, not authored source files. `SETTINGS.yaml` is the required runtime input.
Reference in a new issue View git blame Copy permalink