Agent manifest
Each Covenant agent is registered through an agent.toml file placed under $COVENANT_HOME/agents/. The manifest declares the agent's identity, runtime, executable path, required capabilities, resource budget, sandbox requirement, and optional settlement configuration.
Example

```toml
[agent]
id = "research@local"
name = "research"
version = "0.1.0"
runtime = "rust-bin"
entry = "target/release/research"

[capabilities]
required = ["tool.web_search"]
optional = ["memory.write"]

[resources]
cpu_ms_per_task = 30000
memory_mb = 512
disk_mb = 100
network = "outbound-https-only"

[sandbox]
required = true
backend = "linux-gvisor"
filesystem = "read-only-package"

[settlement]
budget_credits_per_hour = 1000
priority = "normal"
```

Schema
`[agent]`

| Field | Type | Required | Notes |
|---|---|---|---|
| `id` | string | yes | Stable identifier in the form `name@host`. Used as the routing key, the audit-log subject, and the memory-record owner. |
| `name` | string | yes | Display name; appears in CLI listings. |
| `version` | string | yes | SemVer recommended. |
| `runtime` | enum | yes | `rust-bin`, `python3`, or `node`. The runtime determines how the daemon executes `entry`. |
| `entry` | string | yes | Path to the binary (for `rust-bin`) or the entry script (for `python3` / `node`). Resolved relative to the manifest's parent directory unless absolute. |
`[capabilities]`

| Field | Type | Default | Notes |
|---|---|---|---|
| `required` | list of action strings | `[]` | Every action in this list must be present in the issuer's active capability set or the dispatch is rejected. |
| `optional` | list of action strings | `[]` | Recorded for visibility but not enforced. |

Action strings live in reserved namespaces: `intent.`, `memory.`, `identity.`, `tool.`, `agent.`. The daemon validates that `required` and `optional` actions sit in one of these namespaces.
`[resources]`

| Field | Type | Default | Notes |
|---|---|---|---|
| `cpu_ms_per_task` | u64 milliseconds | `30000` | Wall-clock budget. The runtime kills the process when the budget elapses. |
| `memory_mb` | u64 MiB | `512` | Advisory today; enforced by sandboxed runtimes. |
| `disk_mb` | u64 MiB | `100` | Advisory today. |
| `network` | enum | `outbound-https-only` | `off`, `outbound-https-only`, or `full`. |
`[sandbox]`

| Field | Type | Default | Notes |
|---|---|---|---|
| `required` | bool | `false` | When `true`, the manifest must name a sandbox-grade backend. Trusted-local subprocess execution is rejected. |
| `backend` | enum | `trusted-local` | `trusted-local` or `linux-gvisor`. The runtime crate has an initial gVisor runner; daemon backend selection and live Linux coverage remain planned. |
| `filesystem` | enum | `read-only-package` | `read-only-package`, `ephemeral`, or `host`. The field is parsed now and enforced by sandboxed runtimes. |
`[settlement]`

| Field | Type | Default | Notes |
|---|---|---|---|
| `budget_credits_per_hour` | u64 | `0` | Soft cap; tolerated as `0` until budget and settlement enforcement are configured for the agent. |
| `priority` | enum | `normal` | `low`, `normal`, `high`. |
Runtime contract
At dispatch, the runtime spawns the agent according to `runtime` and `entry`:

- `runtime = "rust-bin"` → exec `entry` directly
- `runtime = "python3"` → exec `python3 entry`
- `runtime = "node"` → exec `node entry`

The agent reads exactly one JSON line from stdin:

```json
{
  "id": "uuid",
  "text": "the user's intent",
  "issuer": { "display": "user@local", "pubkey": "…" },
  "issued_at": 1714938000000,
  "priority": "normal",
  "parent": null
}
```

And writes exactly one JSON line to stdout:

```json
{
  "text": "…",
  "sources": ["…"]
}
```

Stderr output is captured by the daemon's tracing subsystem and surfaces in operator logs. The agent process must terminate within `resources.cpu_ms_per_task`; processes that exceed the budget are killed and the dispatch returns an error. Successful processes with malformed stdout are rejected as runtime failures, not accepted as successful dispatches. The current subprocess runner is `trusted-local`. If `sandbox.required` is `true`, it fails closed instead of silently running the agent without sandbox-grade isolation.
Validation rules
The manifest parser rejects manifests that:

- omit any of `agent.id`, `agent.name`, `agent.version`, `agent.entry`, or have any of those fields empty;
- declare a `required` or `optional` capability action outside the reserved namespaces;
- set `sandbox.required = true` while keeping `backend = "trusted-local"`;
- fail to parse as TOML.
Unknown top-level sections are tolerated for forward compatibility; subsequent releases may attach meaning to them.
Manifest discovery
The daemon scans $COVENANT_HOME/agents/*.toml on startup. Online registration is not supported; the daemon must be restarted after a new manifest is added. Existing manifests may be edited in place and are re-read on the next daemon start.
Related
- Concepts — agents in context.
- Capability tokens — what the `required` list refers to.
- Security model — what the resource budget protects.