profit 8c6e7831e9 Add Phase 10-12 implementation: multi-tenant, marketplace, observability
Major additions:
- marketplace/: Agent template registry with FTS5 search, ratings, versioning
- observability/: Prometheus metrics, distributed tracing, structured logging
- ledger/migrations/: Database migration scripts for multi-tenant support
- tests/governance/: 15 new test files for phases 6-12 (295 total tests)
- bin/validate-phases: Full 12-phase validation script

New features:
- Multi-tenant support with tenant isolation and quota enforcement
- Agent marketplace with semantic versioning and search
- Observability with metrics, tracing, and log correlation
- Tier-1 agent bootstrap scripts

Updated components:
- ledger/api.py: Extended API for tenants, marketplace, observability
- ledger/schema.sql: Added tenant, project, marketplace tables
- testing/framework.ts: Enhanced test framework
- checkpoint/checkpoint.py: Improved checkpoint management

Archived:
- External integrations (Slack/GitHub/PagerDuty) moved to .archive/
- Old checkpoint files cleaned up

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-24 18:39:47 -05:00

# Tier 1 Agent
> Operator-tier agent with execution capabilities
## Overview
The Tier 1 Operator Agent is a governed agent that can execute approved plans, run infrastructure commands (Terraform, Ansible), and access sandbox environments. It is promoted from Tier 0 after demonstrating compliant behavior.
## Capabilities
| Capability | Tier 0 | Tier 1 |
|------------|--------|--------|
| Read files | Yes | Yes |
| List directories | Yes | Yes |
| Generate plans | Yes | Yes |
| Execute commands | No | **Yes** |
| Write files | No | **Yes** |
| Terraform plan/apply | No | **Yes** |
| Ansible check/run | No | **Yes** |
| Docker run | No | **Yes** |
| SSH access | No | **Yes** (sandbox only) |
| Access secrets | No | No |
## Constraints
### Allowed Targets
- `localhost`
- `sandbox-*`
### Forbidden Targets
- `prod-*`
- `staging-db-*`
### Forbidden Actions
- `delete_production` - Cannot delete production resources
- `access_vault_root` - Cannot access Vault root credentials
- `modify_governance` - Cannot modify governance rules
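One way to evaluate the target and action constraints listed above, as an added example (not the project's `agent.py`): forbidden patterns are checked before allowed ones, and a target that matches neither list is blocked. The `evaluate` function, the single-label hostname rule and the sample requests are assumptions of this example.

```python
import re
from fnmatch import fnmatchcase

# Patterns and action names copied from the Constraints lists above.
ALLOWED_TARGETS = ("localhost", "sandbox-*")
FORBIDDEN_TARGETS = ("prod-*", "staging-db-*")
FORBIDDEN_ACTIONS = frozenset(
    {"delete_production", "access_vault_root", "modify_governance"}
)

# Assumption of this example: targets are single-label hostnames. Without it,
# "sandbox-*" would also match "sandbox-01;id" or "sandbox-01.other.example".
HOST_LABEL = re.compile(r"[a-z0-9][a-z0-9-]*")


def _matches(name, patterns):
    return any(fnmatchcase(name, p) for p in patterns)


def evaluate(action, target):
    """Return (decision, reason); decision is "EXECUTE" or "BLOCKED"."""
    if action in FORBIDDEN_ACTIONS:
        return "BLOCKED", f"forbidden action: {action}"
    # Normalise case and whitespace so "PROD-01" cannot dodge a lowercase pattern.
    host = target.strip().lower()
    if not HOST_LABEL.fullmatch(host):
        return "BLOCKED", "target is not a plain hostname"
    # Deny patterns win over allow patterns.
    if _matches(host, FORBIDDEN_TARGETS):
        return "BLOCKED", f"forbidden target: {host}"
    if _matches(host, ALLOWED_TARGETS):
        return "EXECUTE", f"allowed target: {host}"
    # Default deny: neither list mentions the host.
    return "BLOCKED", "target not in allow list (default deny)"


if __name__ == "__main__":
    # Constructed sample requests, not taken from a real ledger.
    for action, target in [
        ("terraform_apply", "sandbox-01"),
        ("ansible_run", "PROD-web-1"),
        ("ansible_run", "staging-web-1"),
        ("ansible_run", "sandbox-01;id"),
        ("modify_governance", "localhost"),
    ]:
        print(action, target, *evaluate(action, target))
```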
## Quick Start
```bash
# Bootstrap the agent
./bootstrap.sh
# Check status
./run-agent.sh status
# Execute a command
./run-agent.sh exec ls -la
# Read a file
./run-agent.sh read /opt/agent-governance/docs/README.md
# Write a file
./run-agent.sh write workspace/test.txt --content "Hello World"
# Generate and execute a plan
./run-agent.sh plan \
--title "Test deployment" \
--description "Deploy test service" \
--target "sandbox-01" \
--steps '["echo step1", "echo step2"]'
./run-agent.sh run-plan plan-XXXXXXXX-XXXXXX-XXXXXXXX
```
## Infrastructure Commands
### Terraform
```bash
# Plan
./run-agent.sh tf-plan /opt/agent-governance/sandbox/terraform
# Apply
./run-agent.sh tf-apply /opt/agent-governance/sandbox/terraform
```
### Ansible
```bash
# Check mode (dry-run)
./run-agent.sh ansible-check playbook.yml -i inventory.yml
# Run
./run-agent.sh ansible-run playbook.yml -i inventory.yml --limit sandbox-01
```
### Docker
```bash
./run-agent.sh docker alpine --cmd "echo hello"
./run-agent.sh docker nginx -v /data:/usr/share/nginx/html
```
## Governance Integration
All actions are logged to the governance ledger:
- `/opt/agent-governance/ledger/governance.db`
The agent:
- Checks revocation status before each action
- Updates heartbeat in DragonflyDB
- Logs all actions with decision (EXECUTE/BLOCKED/PLAN)
- Tracks compliant runs for promotion eligibility
## Promotion to Tier 2
Requirements (from config):
- Minimum 10 compliant runs
- Minimum 5 consecutive compliant runs
- Required actions: `ansible_run`, `terraform_apply`
- Maximum 0 violations in 30 days
## Directory Structure
```
tier1-agent/
├── agent.py # Main agent implementation
├── run-agent.sh # Runner script
├── bootstrap.sh # Setup script
├── config/
│ └── agent.json # Agent configuration
├── workspace/ # Working directory
├── plans/ # Generated plans
├── logs/ # Agent logs
└── credentials/ # Agent credentials (from Vault)
```
## Testing
```bash
# Test that forbidden actions are blocked
./run-agent.sh test-forbidden
```
## Architecture Reference
Part of the [Agent Governance System](../../docs/ARCHITECTURE.md).
---
*Last updated: 2026-01-24*