agentd 0.1.2

Agent daemon for secure capability execution with pluggable isolation backends
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441

syntax = "proto3";

package agentd.v1;

// Agentd service provides secure command execution capabilities
service Agentd {
    // Execute a command and return the result
    rpc Execute(ExecuteRequest) returns (ExecuteResponse);

    // Execute a command with streaming output
    rpc ExecuteStream(ExecuteRequest) returns (stream ExecuteOutput);

    // List available capabilities
    rpc ListCapabilities(ListCapabilitiesRequest) returns (ListCapabilitiesResponse);

    // Health check
    rpc Health(HealthRequest) returns (HealthResponse);

    // Sandbox management
    rpc ListSandboxes(ListSandboxesRequest) returns (ListSandboxesResponse);
    rpc CreateSandbox(CreateSandboxRequest) returns (CreateSandboxResponse);
    rpc AttachSandbox(AttachSandboxRequest) returns (AttachSandboxResponse);
    rpc TerminateSandbox(TerminateSandboxRequest) returns (TerminateSandboxResponse);

    // Introspection
    rpc GetSandboxCapabilities(GetSandboxCapabilitiesRequest) returns (SandboxCapabilities);

    // File operations (sandboxed)
    rpc ReadFile(ReadFileRequest) returns (ReadFileResponse);
    rpc WriteFile(WriteFileRequest) returns (WriteFileResponse);
    rpc EditFile(EditFileRequest) returns (EditFileResponse);
}

// Execute request
message ExecuteRequest {
    // Unique request identifier
    string request_id = 1;

    // Capability to invoke (e.g., "shell.exec.v1", "fs.read.v1")
    string capability = 2;

    // Capability version
    uint32 version = 3;

    // Capability-specific parameters (JSON)
    string params_json = 4;

    // Execution constraints
    ExecutionConstraints constraints = 5;

    // Sandbox preferences
    SandboxPreferences sandbox_prefs = 6;

    // Request metadata
    RequestMetadata metadata = 7;
}

// Execution constraints
message ExecutionConstraints {
    // Maximum execution time in milliseconds
    uint64 max_duration_ms = 1;

    // Maximum output size in bytes
    uint64 max_output_bytes = 2;

    // Maximum memory usage in bytes
    uint64 max_memory_bytes = 3;

    // Allow network access
    bool allow_network = 4;

    // Allow filesystem writes
    bool allow_writes = 5;
}

// Sandbox preferences
message SandboxPreferences {
    // Prefer a specific sandbox by ID
    string sandbox_id = 1;

    // Require a fresh sandbox
    bool require_fresh = 2;

    // Requested isolation profile
    string profile = 3;

    // Keep sandbox after execution
    bool persist = 4;

    // Preferred isolation backend
    string backend = 5;
}

// Request metadata
message RequestMetadata {
    // Trace ID for distributed tracing
    string trace_id = 1;

    // Span ID
    string span_id = 2;

    // Idempotency key
    string idempotency_key = 3;

    // Priority (0-10)
    uint32 priority = 4;

    // Custom metadata
    map<string, string> custom = 5;
}

// Execute response
message ExecuteResponse {
    // Request ID this responds to
    string request_id = 1;

    // Execution status
    ExecutionStatus status = 2;

    // Status code string
    string code = 3;

    // Human-readable message
    string message = 4;

    // Execution result (if successful)
    ExecutionResult result = 5;

    // Error details (if failed)
    ErrorDetails error = 6;

    // Timing information
    ResponseTiming timing = 7;

    // Sandbox information
    SandboxInfo sandbox_info = 8;
}

// Execution status
enum ExecutionStatus {
    EXECUTION_STATUS_UNSPECIFIED = 0;
    EXECUTION_STATUS_OK = 1;
    EXECUTION_STATUS_DENIED = 2;
    EXECUTION_STATUS_ERROR = 3;
    EXECUTION_STATUS_EXPIRED = 4;
    EXECUTION_STATUS_CANCELLED = 5;
    EXECUTION_STATUS_PENDING = 6;
}

// Execution result
message ExecutionResult {
    // Exit code
    int32 exit_code = 1;

    // Standard output (text)
    string stdout = 2;

    // Standard output (bytes, for binary data)
    bytes stdout_bytes = 3;

    // Standard error
    string stderr = 4;

    // Structured output (JSON)
    string output_json = 5;

    // Generated artifacts
    repeated Artifact artifacts = 6;

    // Resource usage
    ResourceUsage resource_usage = 7;
}

// Artifact
message Artifact {
    string name = 1;
    string content_type = 2;
    uint64 size = 3;
    string sha256 = 4;
    string uri = 5;
    bytes content = 6;
}

// Resource usage
message ResourceUsage {
    uint64 peak_memory_bytes = 1;
    uint64 cpu_time_ms = 2;
    uint64 wall_time_ms = 3;
    uint64 disk_write_bytes = 4;
    uint64 disk_read_bytes = 5;
    uint64 network_tx_bytes = 6;
    uint64 network_rx_bytes = 7;
}

// Error details
message ErrorDetails {
    string code = 1;
    string message = 2;
    string details_json = 3;
    bool retryable = 4;
    uint64 retry_after_ms = 5;
}

// Response timing
message ResponseTiming {
    uint64 received_at_ms = 1;
    uint64 started_at_ms = 2;
    uint64 completed_at_ms = 3;
    uint64 queue_time_ms = 4;
    uint64 setup_time_ms = 5;
    uint64 exec_time_ms = 6;
    uint64 total_time_ms = 7;
}

// Sandbox info
message SandboxInfo {
    string sandbox_id = 1;
    string backend = 2;
    string profile = 3;
    bool newly_created = 4;
    SandboxCapabilities capabilities = 5;
}

// Streaming output
message ExecuteOutput {
    oneof output {
        bytes stdout_chunk = 1;
        bytes stderr_chunk = 2;
        Progress progress = 3;
        LogMessage log = 4;
        ExecuteResponse complete = 5;
    }
}

// Progress update
message Progress {
    float percent = 1;
    string message = 2;
}

// Log message
message LogMessage {
    string level = 1;
    string message = 2;
    uint64 timestamp_ms = 3;
}

// List capabilities request
message ListCapabilitiesRequest {}

// List capabilities response
message ListCapabilitiesResponse {
    repeated CapabilityInfo capabilities = 1;
}

// Capability info
message CapabilityInfo {
    string name = 1;
    string description = 2;
    uint32 version = 3;
    string param_schema_json = 4;
    bool requires_elevated = 5;
    bool supports_streaming = 6;
    repeated string tags = 7;
}

// Health request
message HealthRequest {}

// Health response
message HealthResponse {
    bool healthy = 1;
    string status = 2;
    map<string, string> details = 3;
}

// List sandboxes request
message ListSandboxesRequest {
    // Optional filter by state
    string state_filter = 1;
}

// List sandboxes response
message ListSandboxesResponse {
    repeated SandboxSummary sandboxes = 1;
}

// Sandbox summary
message SandboxSummary {
    string sandbox_id = 1;
    string backend = 2;
    string profile = 3;
    string state = 4;
    uint64 created_at_ms = 5;
    uint64 last_active_at_ms = 6;
}

// Create sandbox request
message CreateSandboxRequest {
    // Isolation profile
    string profile = 1;

    // Working directory
    string workdir = 2;

    // Allowed read paths
    repeated string allowed_paths_ro = 3;

    // Allowed write paths
    repeated string allowed_paths_rw = 4;

    // Network enabled
    bool network_enabled = 5;

    // Resource limits
    ResourceLimits limits = 6;

    // Labels
    map<string, string> labels = 7;
}

// Resource limits
message ResourceLimits {
    uint64 max_memory_bytes = 1;
    uint64 max_cpu_time_ms = 2;
    uint64 max_wall_time_ms = 3;
    uint32 max_processes = 4;
    uint32 max_open_files = 5;
    uint64 max_output_bytes = 6;
    uint64 max_write_bytes = 7;
}

// Create sandbox response
message CreateSandboxResponse {
    string sandbox_id = 1;
    SandboxCapabilities capabilities = 2;
}

// Attach sandbox request
message AttachSandboxRequest {
    string sandbox_id = 1;
    bool create_if_missing = 2;
    CreateSandboxRequest create_spec = 3;
}

// Attach sandbox response
message AttachSandboxResponse {
    string session_id = 1;
    string sandbox_id = 2;
    bool newly_created = 3;
    SandboxCapabilities capabilities = 4;
}

// Terminate sandbox request
message TerminateSandboxRequest {
    string sandbox_id = 1;
    bool force = 2;
}

// Terminate sandbox response
message TerminateSandboxResponse {
    bool success = 1;
    string message = 2;
}

// Get sandbox capabilities request
message GetSandboxCapabilitiesRequest {
    string sandbox_id = 1;
}

// Sandbox capabilities
message SandboxCapabilities {
    string sandbox_id = 1;
    string backend = 2;
    string profile = 3;
    bool can_write_filesystem = 4;
    repeated string readable_paths = 5;
    repeated string writable_paths = 6;
    bool has_network = 7;
    repeated string allowed_destinations = 8;
    ResourceLimits limits = 9;
    bool syscall_filter_active = 10;
    repeated string blocked_syscall_categories = 11;
    bool is_persistent = 12;
    uint64 created_at_ms = 13;
    uint64 time_remaining_ms = 14;
}

// ============================================================================
// File Operations (sandboxed)
// ============================================================================

// Read file request
message ReadFileRequest {
    string sandbox_id = 1;
    string path = 2;
    // Optional: read only a portion of the file
    uint64 offset = 3;
    uint64 limit = 4;  // 0 = no limit
}

// Read file response
message ReadFileResponse {
    bool success = 1;
    string content = 2;
    string error = 3;
    uint64 size_bytes = 4;
    bool truncated = 5;
}

// Write file request
message WriteFileRequest {
    string sandbox_id = 1;
    string path = 2;
    string content = 3;
    bool create_dirs = 4;  // Create parent directories if needed
    bool append = 5;       // Append instead of overwrite
}

// Write file response
message WriteFileResponse {
    bool success = 1;
    string error = 2;
    uint64 bytes_written = 3;
}

// Edit file request (search and replace)
message EditFileRequest {
    string sandbox_id = 1;
    string path = 2;
    string old_string = 3;
    string new_string = 4;
    bool replace_all = 5;  // Replace all occurrences
}

// Edit file response
message EditFileResponse {
    bool success = 1;
    string error = 2;
    uint32 replacements_made = 3;
}