Add capability-based permissions to agentd workflows

t-362 · WorkTask · Created 1 month ago · Updated 1 month ago

Description


Implement explicit capability declarations in workflow YAML specs that restrict what each step can do. This enables safe delegation where child agents receive narrowed permissions.

Background

Currently, agent permissions are implicit: an agent can do whatever the container and its environment allow. This makes it hard to reason about what an agent can do, and impossible to delegate safely with reduced permissions.

The actor model insight: when spawning a child, you can pass capabilities along, but you can only narrow them, never expand them. A research step might get read-only file access and web search, while a coding step gets file write but no web access.

Requirements

1. Capability Schema

Define capability types in workflow YAML. Example:

steps:
  - name: research
    run: research.md
    capabilities:
      files:
        - path: _/gaia/*
          mode: read-only
        - path: _/gaia/research.txt
          mode: read-write
      tools: [web_search, read]
      cost_limit: 0.50
      network: true

2. Capability Types to Support

  • files: path globs, each with mode read-only, read-write, or none
  • tools: whitelist of tool names the agent can use
  • cost_limit: maximum spend in dollars for this step
  • network: boolean for outbound network access
  • env_vars: whitelist of environment variables to pass through to the step

3. Enforcement Points

  • Tool filtering: the agent engine filters the available tools based on the step's capabilities
  • Cost tracking: reuse the existing cost tracking, but halt the step when the limit is exceeded
  • File access: mount paths read-only or read-write in the container
  • Network: container network policy (existing Docker capability)

4. Inheritance and Narrowing

  • If a step specifies no capabilities, it inherits them from the parent workflow
  • Child capabilities can only be equal to or narrower than the parent's
  • Validation at workflow parse time: error if a child tries to expand its capabilities
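The narrowing check described above, as an added example (not the project's code): a step spec with optional fields is resolved against the parent workflow's capabilities, then every field is compared so that an expansion is rejected at parse time. The Mode/FileCap/Capabilities types, the CapSpec record and the trailing-'*' glob handling are assumptions for this sketch, not Omni's own definitions.

```haskell
import Data.List (isPrefixOf)
import Data.Maybe (fromMaybe)

data Mode = NoAccess | ReadOnly | ReadWrite deriving (Eq, Ord, Show)
data FileCap = FileCap { fcPath :: String, fcMode :: Mode } deriving (Eq, Show)

data Capabilities = Capabilities
  { files :: [FileCap], tools :: [String], costLimit :: Double
  , network :: Bool, envVars :: [String] } deriving (Eq, Show)

-- A step spec may leave fields out; a missing field inherits the parent's value.
data CapSpec = CapSpec
  { sFiles :: Maybe [FileCap], sTools :: Maybe [String], sCost :: Maybe Double
  , sNetwork :: Maybe Bool, sEnvVars :: Maybe [String] }

resolve :: Capabilities -> CapSpec -> Capabilities
resolve p s = Capabilities
  (fromMaybe (files p) (sFiles s)) (fromMaybe (tools p) (sTools s))
  (fromMaybe (costLimit p) (sCost s)) (fromMaybe (network p) (sNetwork s))
  (fromMaybe (envVars p) (sEnvVars s))

-- Does a parent path pattern cover a child pattern? Only a trailing '*' is
-- understood here (assumption matching the task's example paths).
covers :: String -> String -> Bool
covers parent child = case reverse parent of
  '*' : rest -> reverse rest `isPrefixOf` child
  _          -> parent == child

-- Every way in which the child asks for more than the parent holds.
narrowingErrors :: Capabilities -> Capabilities -> [String]
narrowingErrors p c = concat
  [ [ "file " ++ fcPath f ++ " " ++ show (fcMode f) ++ " exceeds parent"
    | f <- files c, fcMode f /= NoAccess
    , not (any (\g -> fcPath g `covers` fcPath f && fcMode g >= fcMode f) (files p)) ]
  , [ "tool " ++ t ++ " not granted by parent" | t <- tools c, t `notElem` tools p ]
  , [ "cost_limit " ++ show (costLimit c) ++ " exceeds parent" | costLimit c > costLimit p ]
  , [ "network: true but parent has network: false" | network c && not (network p) ]
  , [ "env var " ++ v ++ " not passed through by parent" | v <- envVars c, v `notElem` envVars p ]
  ]

-- Parse-time check: the resolved capabilities, or the reasons to reject the step.
narrow :: Capabilities -> CapSpec -> Either [String] Capabilities
narrow p s = if null errs then Right c else Left errs
  where c = resolve p s; errs = narrowingErrors p c

main :: IO ()
main = do
  -- Constructed sample: a parent workflow and the research step from this task.
  let parent   = Capabilities [FileCap "_/gaia/*" ReadWrite] ["read", "write", "web_search"] 1.0 True []
      research = CapSpec (Just [FileCap "_/gaia/*" ReadOnly, FileCap "_/gaia/research.txt" ReadWrite])
                         (Just ["web_search", "read"]) (Just 0.5) Nothing Nothing
      greedy   = research { sTools = Just ["bash"], sCost = Just 2.0 }  -- tries to expand
  print (narrow parent research)
  print (narrow parent greedy)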

5. Default Capabilities

Workflow-level defaults that steps inherit unless they declare their own capabilities:

defaults:
  capabilities:
    tools: [read, write, edit, bash]
    cost_limit: 1.00
    network: false

steps:
  - name: research
    capabilities:
      tools: [read, web_search]
      network: true

Implementation Notes

Files to modify:

  • Omni/Agentd.hs: Parse capabilities from YAML, pass to container
  • Omni/Agent/Engine.hs: Filter tools based on capabilities
  • Omni/Agent/Events.hs: Add capability info to start event

Testing

  • Unit tests for capability parsing and validation
  • Test that narrowing works (child cannot exceed parent)
  • Test tool filtering respects whitelist
  • Test cost limit halts execution

Out of Scope

  • Fine-grained API endpoint permissions (future)
  • Capability delegation at runtime (future - full actor model)
  • Cryptographic capability tokens (future)

References

  • Actor model and capabilities: ~/omni/actor-refs/actor-agents.md
  • Current workflow parsing: Omni/Agentd.hs parseWorkflow function
