Add capability-based permissions to agentd workflows

t-362 · WorkTask · Omni/Agentd.hs
Created 3 months ago · Updated 1 week ago

Description

Implement explicit capability declarations in workflow YAML specs that restrict what each step can do. This enables safe delegation where child agents receive narrowed permissions.

Background

Currently, agent permissions are implicit: an agent can do whatever the container and environment allow. This makes it hard to reason about what an agent can do, and impossible to safely delegate with reduced permissions.

The actor model insight: when spawning a child, you can pass capabilities along but only ever narrow them, never expand them. A research step might get read-only file access and web search, while a coding step gets file write access but no web access.

Requirements

1. Capability Schema

Define capability types in workflow YAML. Example:

steps:
  - name: research
    run: research.md
    capabilities:
      files:
        - path: _/gaia/*
          mode: read-only
        - path: _/gaia/research.txt
          mode: read-write
      tools: [web_search, read]
      cost_limit: 0.50
      network: true

2. Capability Types to Support

  • files: path globs, each with mode read-only, read-write, or none
  • tools: whitelist of tool names the agent can use
  • cost_limit: maximum spend in dollars for this step
  • network: boolean for outbound network access
  • env_vars: whitelist of environment variables to pass through

3. Enforcement Points

  • Tool filtering: the agent engine filters the available tools based on the step's capabilities
  • Cost tracking: reuse the existing cost tracking, but halt the step if the limit is exceeded
  • File access: mount paths read-only or read-write in the container
  • Network: container network policy (existing Docker capability)

4. Inheritance and Narrowing

  • If a step specifies no capabilities, it inherits them from the parent workflow
  • Child capabilities can only be equal to or narrower than the parent's
  • Validate at workflow parse time: error if a child tries to expand

5. Default Capabilities

Workflow-level defaults that steps inherit:

defaults:
  capabilities:
    tools: [read, write, edit, bash]
    cost_limit: 1.00
    network: false

steps:
  - name: research
    capabilities:
      tools: [read, web_search]
      network: true
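
The inheritance and narrowing rule from requirements 4 and 5, as an added example that is not the project's code: a sketch of the parse-time check Omni/Agentd.hs would need, with a `*`-only glob matcher, assuming that a field the parent leaves unspecified is unbounded and that the most permissive matching files: entry wins. It does not parse YAML; the capability records for the defaults and steps above are constructed inline.

```haskell
import Data.List (tails)

-- File access modes; the derived Ord is the privilege order None < ReadOnly < ReadWrite.
data FileMode = None | ReadOnly | ReadWrite deriving (Eq, Ord, Show)
-- Every field is Maybe: an unspecified field inherits from the parent (requirement 4).
data Capabilities = Capabilities
  { files     :: Maybe [(String, FileMode)]  -- (path glob, mode) from the YAML files: list
  , tools     :: Maybe [String]              -- tool whitelist
  , costLimit :: Maybe Double                -- dollars
  , network   :: Maybe Bool
  } deriving (Eq, Show)

-- Minimal '*'-only glob matcher ('*' spans any characters, '/' included; no '?' or classes).
globMatch :: String -> String -> Bool
globMatch [] s        = null s
globMatch ('*':g) s   = any (globMatch g) (tails s)
globMatch (c:g) (x:s) = c == x && globMatch g s
globMatch _ []        = False

-- Mode a files: list grants to a path: the most permissive matching entry (assumption; the
-- spec does not say how overlapping globs combine). No matching entry means no access.
grantedMode :: [(String, FileMode)] -> String -> FileMode
grantedMode fs p = maximum (None : [m | (g, m) <- fs, globMatch g p])

-- Parse-time check for one step: unspecified fields inherit, specified fields must be equal
-- or narrower than the parent's, else reject. Assumption: a field the parent omits is unbounded.
narrow :: Capabilities -> Capabilities -> Either String Capabilities
narrow parent child =
  Capabilities <$> field files "files" (\p -> all (within p))
               <*> field tools "tools" (\p -> all (`elem` p))
               <*> field costLimit "cost_limit" (>=)
               <*> field network "network" (\p c -> p || not c)
  where
    field :: (Capabilities -> Maybe a) -> String -> (a -> a -> Bool) -> Either String (Maybe a)
    field get name ok = case (get parent, get child) of
      (p, Nothing) -> Right p
      (Nothing, c) -> Right c
      (Just p, Just c) | ok p c    -> Right (Just c)
                       | otherwise -> Left ("step tries to expand capability " ++ name)
    -- Conservative containment: some parent glob must match the child's pattern text literally.
    within parentFiles (g, m) = m <= grantedMode parentFiles g

main :: IO ()
main = do
  let parent = Capabilities (Just [("_/gaia/*", ReadOnly), ("_/gaia/research.txt", ReadWrite)])
                            (Just ["read", "write", "edit", "bash"]) (Just 1.00) (Just False)
      ok  = Capabilities (Just [("_/gaia/research.txt", ReadWrite)]) (Just ["read"]) (Just 0.50) Nothing
      bad = Capabilities Nothing (Just ["read", "web_search"]) Nothing (Just True)
  mapM_ (print . narrow parent) [ok, bad]
```

Note that the research step in requirement 5 asks for `web_search` and `network: true`, neither of which the defaults grant, so under requirement 4 it is rejected at parse time; the second `narrow` call above exercises exactly that case.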

Implementation Notes

Files to modify:

  • Omni/Agentd.hs: Parse capabilities from YAML, pass to container
  • Omni/Agent/Engine.hs: Filter tools based on capabilities
  • Omni/Agent/Events.hs: Add capability info to start event

Testing

  • Unit tests for capability parsing and validation
  • Test that narrowing works (child cannot exceed parent)
  • Test tool filtering respects whitelist
  • Test cost limit halts execution

Out of Scope

  • Fine-grained API endpoint permissions (future)
  • Capability delegation at runtime (future - full actor model)
  • Cryptographic capability tokens (future)

References

  • Actor model and capabilities: ~/omni/actor-refs/actor-agents.md
  • Current workflow parsing: Omni/Agentd.hs parseWorkflow function

Timeline (40)

🔄 [system] Open → InProgress · 1 month ago
💬 [system] · 1 month ago

Pipeline: recovered completed dev run on startup

🔄 [system] InProgress → Open · 1 month ago
💬 [system] · 1 month ago

Pipeline: verification failed: Expected 1 commit on t-362 relative to live, got 0

🔄 [system] Open → InProgress · 1 month ago
🔄 [human] InProgress → Open · 1 month ago
💬 [human] · 1 month ago

Pipeline scheduler: failed to spawn agentd run

🔄 [system] Open → InProgress · 1 month ago
🔄 [human] InProgress → Open · 1 month ago
💬 [human] · 1 month ago

Pipeline scheduler: failed to spawn agentd run

🔄 [system] Open → InProgress · 1 month ago
💬 [human] · 1 month ago

Pipeline scheduler: started run=pipeline-omni-agentd-hs-t-362-1771554727 domain=Omni/Agentd.hs

🔄 [human] InProgress → Open · 1 month ago
💬 [human] · 1 month ago

Pipeline scheduler reset stale run pipeline-omni-agentd-hs-t-362-1771554727 (agentd reported running but no active container). Returning task to Open for requeue.

🔄 [system] Open → InProgress · 1 month ago
💬 [human] · 1 month ago

Pipeline scheduler: started run=pipeline-omni-agentd-hs-t-362-1771559763 domain=Omni/Agentd.hs

🔄 [human] InProgress → Review · 1 month ago
💬 [human] · 1 month ago

Pipeline scheduler: run=pipeline-omni-agentd-hs-t-362-1771559763 domain=Omni/Agentd.hs status=failed cost=0c error=OAuth login failed: OAuth login requires an interactive terminal. Please run this command in a terminal session, not in headless mode. (fund-spend=failed)

🔄 [human] Review → Open · 1 month ago
💬 [human] · 1 month ago

Reopened: prior Review transition came from pipeline auth failure, not successful task execution. Re-queued for normal processing.

🔄 [system] Open → InProgress · 1 month ago
💬 [human] · 1 month ago

Pipeline scheduler: started run=pipeline-omni-agentd-hs-t-362-1771560113 domain=Omni/Agentd.hs

🔄 [human] InProgress → Review · 1 month ago
💬 [human] · 1 month ago

Pipeline scheduler: run=pipeline-omni-agentd-hs-t-362-1771560113 domain=Omni/Agentd.hs status=done cost=18c (fund-spend=failed)

💬 [human] · 1 week ago

Ava triage: pipeline auto-run reached status=done but the agent made NO git commits and reported blockers (missing files, path mismatches, or need clarification). This task is not actually in review — there's nothing to review. Resetting status to Open so it can be re-scoped.

🔄 [human] Review → Open · 1 week ago
💬 [human] · 1 week ago

No commits found in any branch or reflog. Pipeline scheduler bug — see separate task. Agent runs produced nothing recoverable. Needs fresh re-attempt.