agent-governance/agents/tier0-agent/config/agent.json

{
  "agent_id": "tier0-agent-001",
  "agent_version": "1.0.0",
  "tier": 0,
  "tier_name": "Observer",

  "description": "Tier 0 Observer Agent - Read-only access, plan generation only",

  "capabilities": {
    "read_inventory": true,
    "read_documentation": true,
    "generate_plans": true,
    "execute_commands": false,
    "modify_files": false,
    "access_secrets": false,
    "ssh_access": false,
    "api_access": false
  },

  "constraints": {
    "allowed_actions": [
      "read_file",
      "list_directory",
      "search_code",
      "generate_plan",
      "request_review"
    ],
    "forbidden_actions": [
      "execute_command",
      "write_file",
      "delete_file",
      "ssh_connect",
      "api_call",
      "terraform_apply",
      "ansible_run"
    ],
    "allowed_paths": [
      "/opt/agent-governance/docs/",
      "/opt/agent-governance/inventory/",
      "/opt/agent-governance/agents/tier0-agent/workspace/",
      "/opt/agent-governance/agents/tier0-agent/plans/"
    ],
    "forbidden_paths": [
      "/opt/vault/",
      "/etc/",
      "/root/",
      "**/.env",
      "**/credentials*",
      "**/secrets*"
    ]
  },

  "vault": {
    "auth_method": "approle",
    "role_name": "tier0-agent",
    "token_ttl": "1h",
    "token_max_ttl": "4h",
    "policies": ["t0-observer", "agent-self-read"]
  },

  "governance": {
    "preflight_required": true,
    "plan_approval_required": true,
    "evidence_required": true,
    "heartbeat_interval": 30,
    "error_budget": {
      "max_total_errors": 5,
      "max_same_error_repeats": 2
    }
  },

  "promotion": {
    "target_tier": 1,
    "requirements": {
      "min_compliant_runs": 5,
      "min_consecutive_compliant": 3,
      "required_actions": ["generate_plan"],
      "max_violations_30d": 0
    }
  }
}