feat(agent): capability config for sandbox, Claude, tool permissions #4811
Merged
31 changes: 31 additions & 0 deletions
docs/design/agent-workflows/projects/capability-config/README.md
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| # Capability and permission configuration | ||
|
|
||
| How an author configures what an Agenta agent may do (files, network, tools, tool approvals), | ||
| and how those controls enforce end to end: from the playground form, through the SDK and agent | ||
| service, to the runner and the harness. Graduated from the scratch notes in | ||
| `../../scratch/capability-architecture.md` on 2026-06-23. | ||
|
|
||
| ## The shape in one paragraph | ||
|
|
||
| Three configuration layers, each with one job and one enforcement point. **Layer 1, harness | ||
| configuration:** the runner translates author kwargs into the harness's own config (a | ||
| `.claude/settings.json` for Claude, `builtin_names` for Pi). **Layer 2, sandbox permission:** an | ||
| optional `sandbox_permission` field draws the network and filesystem boundary, enforced by the | ||
| backend when it provisions the sandbox. **Layer 3, tool permission:** a per-tool permission | ||
| (always-allow / ask / deny), enforced at the runner relay for resolved tools and at the harness | ||
| permission plane for builtins. The work spans the playground frontend, the schema, the SDK, the | ||
| service, and the runner. | ||
|
|
||
| ## Files | ||
|
|
||
| - `context.md` — why this exists, goals, non-goals, background, how it relates to the sibling | ||
| projects. | ||
| - `proposal.md` — the three-layer design. The canonical spec. | ||
| - `plan.md` — phased execution plan, end to end including the playground frontend. | ||
| - `research.md` — current-state codebase findings and exact insertion points (backend, runner, | ||
| frontend), plus the library facts the design rests on. | ||
| - `status.md` — progress, decisions, and open questions. The source of truth for state. | ||
|
|
||
| ## Status | ||
|
|
||
| Code-complete and reviewed; backend + runner + FE built and green, live-QA'd on the running stack. Live Daytona egress + Claude behavioral cells pending credentials. See `status.md`. |
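Review bot: the Layer 3 paragraph ("enforced at the runner relay for resolved tools and at the harness permission plane for builtins") does not say what the relay does for a tool that has no permission entry at all, and the README is the first thing a reader hits; state the default explicitly (the safe reading of the "Status" section and of Goal 4 in `context.md` is that an unlabelled tool falls back to "ask", not "always-allow"), or point to the section of `proposal.md` that defines it. The "Status" line also says the Daytona egress and Claude behavioral cells are still pending credentials, so the "Layer 2 ... enforced by the backend when it provisions the sandbox" sentence is currently a design claim rather than a verified one; a short "verified on: local sandbox-agent; pending: Daytona egress, Claude" qualifier next to it would keep the README honest with `status.md`.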
73 changes: 73 additions & 0 deletions
docs/design/agent-workflows/projects/capability-config/context.md
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| # Context | ||
|
|
||
| ## Why this work exists | ||
|
|
||
| Every agent run has to be governed. The author needs to say what the agent may touch, and the | ||
| system has to enforce that across two harnesses (`pi` and `claude`) and three backends | ||
| (sandbox-agent local, sandbox-agent on Daytona, and a future in-process local SDK). | ||
|
|
||
| Today almost none of this is wired: | ||
|
|
||
| - The runner drops Pi's `builtin_names`, so even Pi's own tool selection has no effect on the | ||
| sandbox-agent path. | ||
| - The runner never restricts Claude. It creates the session with only `cwd` and `mcpServers`, | ||
| so "Claude without web" or "Claude read-only" is not expressible. | ||
| - The runner never sets a network boundary, so a Daytona run has full egress by default. | ||
| - `permission_policy` is the only live control, and it is coarse (auto or deny, all tools at | ||
| once) and effective on Claude only. | ||
| - The playground renders every config field unconditionally, with no per-harness gating and no | ||
| way to set capability or per-tool approval. | ||
|
|
||
| So a request as simple as "give this agent web access but not write access" cannot be | ||
| expressed, on either harness, from the playground or the SDK. This project makes capability and | ||
| permission a real, configurable, end-to-end feature. | ||
|
|
||
| ## Goals | ||
|
|
||
| 1. A three-layer configuration model the author can set: harness configuration, sandbox | ||
| permission, and per-tool permission. Each layer has one job and one enforcement point. | ||
| 2. End to end. The playground frontend is in scope: the config form gains the new sections, and | ||
| the agent chat gains a tool-approval surface for the "ask" permission. | ||
| 3. Honest enforcement. The sandbox layer is authoritative for the network and the filesystem. A | ||
| run fails loud when a backend cannot deliver a requested guarantee, rather than pretending. | ||
| 4. Sensible defaults. Read-only tools default to always-allow and mutating tools to ask, using | ||
| Composio's read/write metadata, so the author does not label every tool by hand. | ||
|
|
||
| ## Non-goals (for now) | ||
|
|
||
| - **Pi MCP.** Deferred. When built it follows the same permission pattern as Claude | ||
| (settings-style `mcp__<server>` rules). Tracked in `../harness-capabilities/`. | ||
| - **A real filesystem jail.** No backend confines the filesystem today; the local cwd is a temp | ||
| dir, not a jail. Layer 2 ships network first; filesystem stays tool-plane only until a backend | ||
| can enforce it. | ||
| - **Durable / unattended HITL approval.** The "ask" permission this project ships asks the user | ||
| in the open chat. The global, durable approval channel that survives a closed tab or a | ||
| scheduled run is Flow 7 in `../../scratch/flows-and-capabilities.md`, a later milestone. | ||
| - **A sandbox boundary for the local backend.** The local sidecar is the host; it cannot enforce | ||
| Layer 2. That is by design, and the fail-loud rule covers it. | ||
|
|
||
| ## Background | ||
|
|
||
| The runtime splits work across a Python agent service (`services/oss/src/agent/`, decides what | ||
| to run) and a TypeScript runner (`services/agent/`, runs it). The runner drives the harness over | ||
| an ACP bridge, `sandbox-agent`, on a chosen backend. The SDK (`sdks/python/agenta/sdk/agents/`) | ||
| owns the neutral config, the ports, and the per-harness adapters. | ||
|
|
||
| Three earlier scratch documents set up this project, and their facts are folded into | ||
| `research.md`: | ||
|
|
||
| - `../../scratch/capability-map.md` — the current-state web/exec/read/write cut: what each | ||
| harness can do, what is on by default, what the backend changes. | ||
| - `../../scratch/capability-architecture.md` — the design exploration this project's | ||
| `proposal.md` cleans up. | ||
| - `../../scratch/flows-and-capabilities.md` — the user-facing flows, including Flow 7 (HITL). | ||
|
|
||
| ## Relation to sibling projects | ||
|
|
||
| - `../harness-capabilities/` declares which capabilities each harness supports (the static | ||
| capability table) and owns the deferred Pi-MCP work. This project sets the capability *values* | ||
| the author chooses; that project declares which choices a harness can honor. They meet at the | ||
| schema and the fail-loud check. | ||
| - `../model-config/` is the same static-then-dynamic pattern for the model axis. Layer 1's | ||
| Claude `model` setting overlaps it. | ||
| - `../skills-config/` configures forced skills, a different axis on the same agent config. |
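Review bot: Goal 3 ("The sandbox layer is authoritative for the network and the filesystem") contradicts the "A real filesystem jail" non-goal two sections later ("No backend confines the filesystem today ... filesystem stays tool-plane only until a backend can enforce it"); reword Goal 3 to "authoritative for the network, and for the filesystem once a backend can enforce it", so a reader does not take a filesystem guarantee away from this document that the non-goals withdraw. Goal 4 should also say what happens when Composio's read/write metadata is absent or the tool is not a Composio tool: the default must be "ask" rather than "always-allow", otherwise a mutating tool with missing or wrong metadata runs unattended, which is exactly the case the "honest enforcement" goal is meant to rule out.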
How is this an MCP behavior hint? It's Composio, and Composio is not MCP.