Agent Manifest Reference

Complete specification for the AgentManifest YAML format (v1.0) — schema, field definitions, examples, and validation configuration.

API Version: 100monkeys.ai/v1 | Kind: AgentManifest | Status: Canonical

The Agent Manifest is the source of truth for an Agent's identity, capabilities, security constraints, and execution requirements. It allows the Aegis Host to run agents safely and deterministically within the Membrane.

The manifest uses the Kubernetes-style declarative format (apiVersion/kind/metadata/spec) for consistency across all AEGIS resources.


Annotated Full Example

apiVersion: 100monkeys.ai/v1      # required; must be exactly this value
kind: AgentManifest               # required; must be exactly "AgentManifest"

metadata:
  name: python-coder              # required; unique DNS-label name (lowercase, alphanumeric, hyphens)
  version: "1.0.0"               # required; semantic version of this manifest
  description: "Writes Python solutions to programming tasks."  # optional
  labels:                         # optional; key-value pairs for filtering and discovery
    role: worker
    team: platform
  annotations:                    # optional; non-identifying metadata
    maintainer: "platform@example.com"

spec:
  # Runtime configuration
  runtime:
    language: python              # required; python | javascript | typescript | rust | go
    version: "3.11"              # required; language version string
    isolation: docker             # optional; inherit | firecracker | docker | process

  # Task definition (instructions for the agent)
  task:
    agentskills:                  # optional; pre-built skill packages
      - "code-review:python"
    instruction: |               # optional; high-level task guidance
      Write a Python solution to the given problem.
      Save the solution to /workspace/solution.py.
      Run it to verify correctness and write a JSON summary to /workspace/result.json.
    prompt_template: |           # optional; Handlebars template for LLM prompts
      {{instruction}}

      User: {{input}}
      {{#if previous_error}}
      Previous attempt failed: {{previous_error}}
      {{/if}}
      Assistant:

  # Security policy (deny-by-default; declare only what is needed)
  security:
    network:
      mode: allow                 # allow | deny | none
      allowlist:
        - pypi.org
        - api.github.com
    filesystem:
      read:
        - /workspace
        - /agent
      write:
        - /workspace
    resources:
      cpu: 1000                  # millicores (1000 = 1 CPU core)
      memory: "1Gi"             # human-readable: "512Mi", "1Gi", "2Gi"
      disk: "5Gi"               # human-readable disk quota
      timeout: "300s"           # human-readable: "300s", "5m", "1h"

  # Volume mounts (ephemeral and persistent storage)
  volumes:
    - name: workspace
      storage_class: ephemeral   # ephemeral | persistent
      mount_point: /workspace    # absolute path inside container
      access_mode: read-write    # read-write | read-only
      ttl_hours: 1              # required for ephemeral; hours until auto-deletion
      size_limit_mb: 5000       # maximum volume size in MiB

    - name: shared-data
      storage_class: persistent
      mount_point: /data
      access_mode: read-only
      source:
        volume_id: "vol-a1b2c3d4-..."  # pin to existing volume

  # Execution strategy and validation
  execution:
    mode: iterative              # one-shot | iterative
    max_iterations: 10           # range: 1–20; default: 10
    memory: false                # enable Cortex memory system
    validation:
      system:
        must_succeed: true       # require exit code 0
        allow_stderr: false      # fail on stderr output
        timeout_seconds: 90      # per-iteration execution timeout
      output:
        format: json             # json | yaml | text | csv | pdf
        schema:                  # optional JSON Schema for structural validation
          type: object
          required: ["solution_path", "output"]
          properties:
            solution_path:
              type: string
            output:
              type: string
      semantic:
        enabled: true            # auto-enabled when task.instruction is set
        model: default           # model alias from aegis-config.yaml
        threshold: 0.80          # confidence threshold (0.0–1.0)
        timeout_seconds: 30
        fallback_on_unavailable: skip  # skip | fail

  # MCP tools the agent may invoke
  tools:
    - name: filesystem
      server: "mcp:filesystem"
      config:
        allowed_paths:
          - /workspace
        access_mode: read-write
    - name: web-search
      server: "mcp:web-search"
      config:
        allowed_domains:
          - pypi.org
          - docs.python.org
        max_results_per_query: 10

  # Environment variables (static, secret references, config references)
  env:
    PYTHONUNBUFFERED: "1"
    LOG_LEVEL: "debug"
    OPENAI_API_KEY: "secret:openai-key"   # injected from secure vault

Field Reference

Top-Level Fields

| Field | Type | Required | Description |
|---|---|---|---|
| apiVersion | string | yes | Must be 100monkeys.ai/v1. |
| kind | string | yes | Must be AgentManifest. |
| metadata | object | yes | Manifest metadata. |
| spec | object | yes | Agent specification. |

metadata

| Field | Type | Required | Description |
|---|---|---|---|
| name | string | yes | Unique agent name. Pattern: ^[a-z0-9][a-z0-9-]{0,62}$. |
| version | string | yes | Manifest schema version. Semantic versioning (e.g., "1.0.0"). |
| description | string | no | Human-readable description of the agent's purpose. |
| labels | map[string]string | no | Key-value labels for categorization and discovery. Common keys: role, category, team, environment. |
| annotations | map[string]string | no | Arbitrary non-identifying metadata (e.g., maintainer, docs). |

spec

| Field | Type | Required | Description |
|---|---|---|---|
| runtime | object | yes | Runtime configuration. |
| task | object | no | Task definition (instructions for the agent). |
| security | object | no | Security policy (deny-by-default). |
| volumes | object[] | no | Volume mount declarations. |
| execution | object | no | Execution strategy and acceptance criteria. |
| context | object[] | no | Additional resources attached to the execution. |
| schedule | object | no | Automatic execution scheduling. |
| delivery | object | no | Output delivery destinations. |
| tools | object[] or string[] | no | MCP tools the agent may invoke. |
| env | map[string]string | no | Environment variables injected into the container. |

spec.runtime

| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| language | string | yes | | One of python, javascript, typescript, rust, go. |
| version | string | yes | | Language version (e.g., "3.11", "20"). |
| isolation | string | no | inherit | One of inherit, firecracker, docker, process. |
| model | string | | default | LLM model alias from aegis-config.yaml. |

spec.task

| Field | Type | Required | Description |
|---|---|---|---|
| agentskills | string[] | no | Pre-built skill packages. Format: "namespace:skill-name". |
| instruction | string | no | High-level guidance for the agent (multi-line YAML block scalar). Auto-enables semantic validation. |
| prompt_template | string | no | Handlebars template for constructing LLM prompts. Default: "{{instruction}}\n\nUser: {{input}}\nAssistant:". |
| input_data | object | | Structured input parameters available at execution time. |

Prompt template variables: {{instruction}}, {{input}}, {{iteration_number}}, {{previous_error}}, {{agentskills}}, {{context}}.

spec.security

| Field | Type | Required | Description |
|---|---|---|---|
| network.mode | allow / deny / none | no | Policy mode. allow = use allowlist; none = no network interface. |
| network.allowlist | string[] | no | Domain names and CIDR blocks permitted for outbound connections. |
| network.denylist | string[] | no | Domain names explicitly blocked (applied after allowlist). |
| filesystem.read | string[] | no | Paths inside container where reads are permitted. Glob patterns supported. |
| filesystem.write | string[] | no | Paths inside container where writes are permitted. Glob patterns supported. |
| filesystem.read_only | boolean | no | Set true to make all mounts read-only. |
| resources.cpu | integer | no | CPU limit in millicores (1000 = 1 core). Default: 1000. |
| resources.memory | string | no | Memory limit. Human-readable: "512Mi", "1Gi". Default: "512Mi". |
| resources.disk | string | no | Disk quota. Human-readable: "1Gi", "10Gi". Default: "1Gi". |
| resources.timeout | string | no | Total execution timeout. Human-readable: "300s", "5m", "1h". Max "1h". |

spec.volumes[]

| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| name | string | | | Local identifier. Must be unique within this manifest. |
| storage_class | ephemeral / persistent | | | Lifetime of the volume. |
| mount_point | string | | | Absolute path inside the container (e.g., /workspace). |
| access_mode | read-write / read-only | | | Access mode enforced by AegisFSAL. |
| ttl_hours | integer | for ephemeral | | Hours until auto-deletion (e.g., 1, 24). |
| size_limit_mb | integer | no | no limit | Maximum volume size in mebibytes. Writes beyond this return ENOSPC. |
| source.volume_id | string | for persistent | | UUID of an existing persistent volume. Supports Handlebars: {{input.dataset_volume_id}}. |

spec.execution

| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| mode | iterative / one-shot | no | one-shot | Execution strategy. |
| max_iterations | integer | no | 10 | Maximum refinement loops. Range: 1–20. |
| memory | boolean | no | false | Enable Cortex learning memory. |
| validation | object | no | | Acceptance criteria (see below). |

spec.execution.validation

validation.system

| Field | Type | Default | Description |
|---|---|---|---|
| must_succeed | boolean | true | Require exit code 0. |
| allow_stderr | boolean | false | Fail if agent writes to stderr. |
| timeout_seconds | integer | 90 | Per-iteration execution timeout in seconds. Must be ≤ resources.timeout. |

validation.output

| Field | Type | Required | Description |
|---|---|---|---|
| format | json / yaml / text / csv / pdf | | Expected output format. |
| schema | JSON Schema object | | JSON Schema for structural validation (if format: json). |
| regex | string | | Regex pattern the output must match (if format: text). |

validation.script

| Field | Type | Required | Description |
|---|---|---|---|
| path | string | | Path to validation script inside container. |
| description | string | | What the script validates. |
| timeout_seconds | integer | no | Script timeout. Default: 30. Must be ≤ resources.timeout. |

validation.semantic

| Field | Type | Default | Description |
|---|---|---|---|
| enabled | boolean | true when task.instruction set | Enable LLM-as-judge validation. |
| model | string | default | Model alias from aegis-config.yaml. |
| prompt | string | built-in template | Prompt template. Placeholders: {criteria}, {output}, {exit_code}, {stderr}. |
| threshold | float | 0.8 | Minimum confidence score (0.0–1.0) to accept output. |
| timeout_seconds | integer | 30 | LLM call timeout. Must be ≤ resources.timeout. |
| fallback_on_unavailable | skip / fail | fail | Behavior when LLM is unavailable. |

spec.tools[]

Tools can be declared in simple (string) or detailed (object) format.

Simple format:

tools:
  - "mcp:filesystem"
  - "mcp:web-search"
  - "mcp:gmail"

Detailed format:

| Field | Type | Required | Description |
|---|---|---|---|
| name | string | | Local name for this tool binding. |
| server | string | | MCP server identifier (e.g., "mcp:filesystem"). |
| config | object | no | Tool-specific configuration. |

Filesystem tool config (mcp:filesystem):

| Field | Type | Default | Description |
|---|---|---|---|
| allowed_paths | string[] | ["/workspace"] | Permitted directory prefixes. |
| access_mode | read-only / read-write | read-only | Write access mode. |
| max_file_size_bytes | integer | 10485760 | Maximum file size per operation. |

Web search tool config (mcp:web-search):

| Field | Type | Default | Description |
|---|---|---|---|
| allowed_domains | string[] | [] (all) | Restrict search results to these domains. |
| max_results_per_query | integer | 10 | Maximum results returned per search. |
| max_calls_per_execution | integer | 50 | Rate limit for search invocations. |

Gmail tool config (mcp:gmail):

| Field | Type | Default | Description |
|---|---|---|---|
| allowed_operations | string[] | ["read","search"] | Permitted operations: read, search, send. |
| max_messages_per_query | integer | 50 | Maximum messages returned per query. |
| max_calls_per_execution | integer | 30 | Rate limit for Gmail API calls. |
| allowed_labels | string[] | [] (all) | Restrict access to these Gmail labels. |

spec.env

Environment variable values support three formats:

| Format | Example | Description |
|---|---|---|
| Static string | "production" | Literal value. |
| Secret reference | "secret:openai-key" | Injected from secure vault (OpenBao). Never logged. |
| Config reference | "config:log_level" | From configuration store. |
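The three value formats resolved the way the host has to resolve them before container start, as an added example that is not part of the Aegis code base. The vault and configuration store are constructed in-memory dicts standing in for OpenBao and the config store; unknown references fail closed instead of injecting an empty value, and the audit view masks every variable that came from a secret: reference so the vault value never reaches a log line.

```python
# Constructed stand-ins for the OpenBao vault and the configuration store.
VAULT = {"openai-key": "sk-constructed-example-value"}
CONFIG_STORE = {"log_level": "info"}
REDACTED = "<redacted>"


def resolve_env(declared: dict) -> dict:
    """Turn the manifest's spec.env map into the container's real environment.
    Static strings pass through; secret:/config: references are looked up.
    A missing reference raises instead of silently injecting ""."""
    resolved = {}
    for key, value in declared.items():
        if value.startswith("secret:"):
            name = value[len("secret:"):]
            if name not in VAULT:
                raise KeyError(f"secret {name!r} not found for env var {key}")
            resolved[key] = VAULT[name]
        elif value.startswith("config:"):
            name = value[len("config:"):]
            if name not in CONFIG_STORE:
                raise KeyError(f"config key {name!r} not found for env var {key}")
            resolved[key] = CONFIG_STORE[name]
        else:
            resolved[key] = value
    return resolved


def loggable_env(declared: dict, resolved: dict) -> dict:
    """Audit-safe view of the resolved environment: any variable whose declared
    value was a secret: reference is masked; static and config values are shown."""
    return {
        key: REDACTED if declared.get(key, "").startswith("secret:") else value
        for key, value in resolved.items()
    }


# Constructed spec.env, mirroring the annotated example above.
DECLARED_ENV = {
    "PYTHONUNBUFFERED": "1",
    "LOG_LEVEL": "config:log_level",
    "OPENAI_API_KEY": "secret:openai-key",
}
```

Only the masked view returned by loggable_env should ever be written to an execution log or MCPToolEvent payload; the resolved map goes straight into the container's environment.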

Field Definitions

spec.runtime

Defines the execution environment for the agent. isolation inherits from node configuration when set to inherit, allowing ops teams to override isolation mode at the host level without changing individual manifests.

spec.task

task.agentskills

Pre-built instruction packages from agentskills.io. Each skill is a SKILL.md file containing step-by-step guidance the agent reads as context. Format: "namespace:skill-name" (e.g., "email:imap-reader").

Skills provide the HOW (instructions); MCP tools provide the WHAT (execution capability).

| Aspect | AgentSkills | MCP Tools |
|---|---|---|
| Purpose | Provide instructions (HOW) | Provide capabilities (WHAT) |
| Format | SKILL.md package | MCP server function |
| Loaded as | Context (read by agent) | Callable function |
| Example | "email:imap-reader" | "mcp:gmail" |

task.instruction

High-level steering instructions for the agent. When present, automatically enables semantic validation using the instruction as the judge's criteria — no explicit execution.validation.semantic block is needed unless customizing the threshold or model.

task.prompt_template

Handlebars template that controls how the LLM prompt is assembled.

Available variables:

| Variable | Description |
|---|---|
| {{instruction}} | The task.instruction text. |
| {{input}} | JSON input supplied at execution time. |
| {{iteration_number}} | Current iteration (1-based). |
| {{previous_error}} | Validator failure output from the previous iteration; empty on iteration 1. |
| {{agentskills}} | Concatenated content from loaded skill packages. |
| {{context}} | Concatenated context attachments. |

spec.security

All permissions are deny-by-default. When spec.security is omitted entirely, the agent runs with no network or filesystem access and default resource limits.

Network Policy

mode: none attaches no network interface to the container — the strongest isolation. mode: allow with an allowlist permits only the listed domains. mode: deny with a denylist blocks specific domains and allows all others.
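The three network modes as an egress decision function, added here as an example rather than code from the Aegis Host. It takes the spec.security.network object as a dict, matches domain names and CIDR blocks from the allowlist (a sub-domain matching a listed domain is an assumption; the page does not say), applies the denylist after the allowlist in both modes, and fails closed when the policy is absent or the mode is unknown. The policy below is constructed.

```python
import ipaddress
from typing import Optional

# Constructed policy in the shape of spec.security.network.
POLICY = {
    "mode": "allow",
    "allowlist": ["pypi.org", "api.github.com", "10.0.0.0/8"],
    "denylist": ["files.pythonhosted.org"],
}


def _matches(target: str, entry: str) -> bool:
    """True if a host name or literal IP matches one list entry.
    Entries are domain names (sub-domains match; assumption) or CIDR blocks."""
    entry = entry.lower().rstrip(".")
    target = target.lower().rstrip(".")
    if "/" in entry:  # CIDR block: only a literal IP target can match it
        try:
            return ipaddress.ip_address(target) in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False
    return target == entry or target.endswith("." + entry)


def egress_allowed(target: str, policy: Optional[dict]) -> bool:
    """Decide whether an outbound connection to `target` may be opened.
    Deny-by-default: no policy, mode none, or an unknown mode means no egress."""
    if not policy:
        return False
    mode = policy.get("mode", "none")
    if mode == "none":
        return False
    if mode == "allow":
        if not any(_matches(target, e) for e in policy.get("allowlist", [])):
            return False
    elif mode != "deny":
        return False
    # The denylist is applied after the allowlist, in both allow and deny mode.
    return not any(_matches(target, e) for e in policy.get("denylist", []))
```

The same function serves the host's packet filter and a pre-flight check when the manifest is loaded, since a policy whose allowlist is empty in allow mode permits nothing.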

Filesystem Policy

Paths support glob patterns (e.g., "/config/*.yaml"). filesystem.read_only: true overrides all other settings and makes every mount read-only regardless of access_mode.

Resource Limits — Timeout Hierarchy

resources.timeout is the outer bound for the entire execution. Every validation sub-timeout must fit within that budget:

security.resources.timeout                                    (e.g., 600s)
  ├─ execution.validation.system.timeout_seconds    (e.g., 90s)  — agent code per iteration
  ├─ execution.validation.script.timeout_seconds    (e.g., 30s)  — validation script
  └─ execution.validation.semantic.timeout_seconds  (e.g., 30s)  — LLM judge call
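A load-time validator that applies the rules from the field tables above (required fields, the metadata.name pattern, enumerations, the 1–20 iteration range, per-class volume requirements) together with the timeout hierarchy just described. This is an added example, not the Aegis Host's own validator; it takes the manifest as a Python dict, i.e. the result of yaml.safe_load on the YAML, so it runs without PyYAML, and only explicitly set sub-timeouts are checked against the budget (the page's own examples rely on defaults that may exceed a short resources.timeout). The sample manifest is constructed from the Minimal Agent example below.

```python
import re
from typing import Any

NAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,62}$")
LANGUAGES = {"python", "javascript", "typescript", "rust", "go"}
ISOLATION = {"inherit", "firecracker", "docker", "process"}
NET_MODES = {"allow", "deny", "none"}
EXEC_MODES = {"one-shot", "iterative"}
MAX_TIMEOUT_S = 3600  # resources.timeout may not exceed "1h"


def parse_duration(value: str) -> int:
    """Convert a human-readable timeout ("300s", "5m", "1h") to seconds."""
    m = re.fullmatch(r"(\d+)([smh])", str(value).strip())
    if not m:
        raise ValueError(f"bad duration {value!r}")
    return int(m.group(1)) * {"s": 1, "m": 60, "h": 3600}[m.group(2)]


def validate_manifest(m: dict[str, Any]) -> list[str]:
    """Return the list of rule violations; an empty list means the manifest is valid."""
    errors: list[str] = []
    if m.get("apiVersion") != "100monkeys.ai/v1":
        errors.append("apiVersion must be 100monkeys.ai/v1")
    if m.get("kind") != "AgentManifest":
        errors.append("kind must be AgentManifest")
    meta = m.get("metadata") or {}
    if not NAME_RE.fullmatch(str(meta.get("name", ""))):
        errors.append("metadata.name must match ^[a-z0-9][a-z0-9-]{0,62}$")
    if not meta.get("version"):
        errors.append("metadata.version is required")

    spec = m.get("spec") or {}
    rt = spec.get("runtime") or {}
    if rt.get("language") not in LANGUAGES:
        errors.append("spec.runtime.language must be one of: " + ", ".join(sorted(LANGUAGES)))
    if not rt.get("version"):
        errors.append("spec.runtime.version is required")
    if rt.get("isolation", "inherit") not in ISOLATION:
        errors.append("spec.runtime.isolation must be inherit, firecracker, docker or process")

    sec = spec.get("security") or {}
    net = sec.get("network") or {}
    mode = net.get("mode")
    if mode is not None and mode not in NET_MODES:
        errors.append("security.network.mode must be allow, deny or none")
    if mode == "allow" and not net.get("allowlist"):
        errors.append("security.network.mode allow requires a non-empty allowlist")
    budget = None  # timeout hierarchy: sub-timeouts may not exceed resources.timeout
    res = sec.get("resources") or {}
    if "timeout" in res:
        try:
            budget = parse_duration(res["timeout"])
            if budget > MAX_TIMEOUT_S:
                errors.append("security.resources.timeout exceeds the 1h maximum")
        except ValueError as exc:
            errors.append(f"security.resources.timeout: {exc}")

    ex = spec.get("execution") or {}
    if ex.get("mode", "one-shot") not in EXEC_MODES:
        errors.append("execution.mode must be one-shot or iterative")
    iters = ex.get("max_iterations", 10)
    if not isinstance(iters, int) or not 1 <= iters <= 20:
        errors.append("execution.max_iterations must be an integer in 1..20")
    for stage in ("system", "script", "semantic"):
        sub = (ex.get("validation") or {}).get(stage) or {}
        if budget is not None and sub.get("timeout_seconds", 0) > budget:
            errors.append(f"validation.{stage}.timeout_seconds exceeds resources.timeout ({budget}s)")

    seen: set[str] = set()
    for v in spec.get("volumes") or []:
        name = str(v.get("name", ""))
        if name in seen:
            errors.append(f"duplicate volume name {name!r}")
        seen.add(name)
        if not str(v.get("mount_point", "")).startswith("/"):
            errors.append(f"volume {name!r}: mount_point must be an absolute path")
        cls = v.get("storage_class")
        if cls == "ephemeral" and "ttl_hours" not in v:
            errors.append(f"volume {name!r}: ttl_hours is required for ephemeral volumes")
        elif cls == "persistent" and not (v.get("source") or {}).get("volume_id"):
            errors.append(f"volume {name!r}: source.volume_id is required for persistent volumes")
        elif cls not in ("ephemeral", "persistent"):
            errors.append(f"volume {name!r}: storage_class must be ephemeral or persistent")
    return errors


# Constructed sample: the Minimal Agent example, as yaml.safe_load would return it.
MANIFEST = {
    "apiVersion": "100monkeys.ai/v1",
    "kind": "AgentManifest",
    "metadata": {"name": "pr-reviewer", "version": "1.0.0"},
    "spec": {
        "runtime": {"language": "python", "version": "3.11"},
        "security": {"network": {"mode": "allow", "allowlist": ["api.github.com"]},
                     "resources": {"cpu": 1000, "memory": "1Gi", "timeout": "300s"}},
        "execution": {"mode": "iterative", "max_iterations": 5},
    },
}
```

Run validate_manifest on the loaded dict before any container is created; a non-empty list is a reason to reject the manifest rather than to start the agent with defaults.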

spec.volumes[]

Storage volumes are mounted into the agent container via the NFS Server Gateway — the orchestrator intercepts all file operations, enforcing policy and maintaining a full audit trail.

| Class | TTL | Use Case |
|---|---|---|
| ephemeral | Required; auto-cleanup | Scratch space, build artifacts |
| persistent | None; explicit delete | Shared datasets, long-lived output |

access_mode: read-write is exclusive — only one execution may hold write access to a persistent volume at a time. read-only volumes may be read by multiple agents simultaneously.
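A lease table that enforces the exclusivity rule above, added as an example and not taken from the orchestrator's code. The page states only that write access is exclusive and that read-only access is shared; that a new writer is refused while readers hold the volume, and that readers are refused while a writer holds it, is an assumption made here so a writer never observes concurrent readers.

```python
from dataclasses import dataclass, field


@dataclass
class VolumeLeases:
    """Which executions hold a persistent volume, and in which access_mode.
    Assumption: read-write excludes every other holder in both directions."""
    holders: dict = field(default_factory=dict)  # volume_id -> {execution_id: mode}

    def acquire(self, volume_id: str, execution_id: str, access_mode: str) -> bool:
        """Return True if the lease is granted; False if the mount must wait."""
        if access_mode not in ("read-write", "read-only"):
            raise ValueError(f"bad access_mode {access_mode!r}")
        current = self.holders.setdefault(volume_id, {})
        if access_mode == "read-write" and current:
            return False  # a reader or writer already holds it: write is exclusive
        if "read-write" in current.values():
            return False  # a writer is active: no new readers until it releases
        current[execution_id] = access_mode
        return True

    def release(self, volume_id: str, execution_id: str) -> None:
        self.holders.get(volume_id, {}).pop(execution_id, None)

    def holders_of(self, volume_id: str) -> dict:
        return dict(self.holders.get(volume_id, {}))
```

The host would call acquire when an execution's volumes are mounted and release when the execution ends or its timeout expires, so a crashed agent cannot pin a volume indefinitely.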

spec.execution

Controls the 100monkeys iterative execution strategy. When mode: iterative, if any validation check fails the orchestrator sends the failure output back to the agent as {{previous_error}} and starts a new iteration (up to max_iterations). When mode: one-shot, the first run is final.

Setting memory: true enables the Cortex learning system to index refinements from this execution, improving suggestions for future runs.

validation.semantic

LLM-as-judge evaluation. When task.instruction is defined, this is automatically enabled — no explicit configuration is needed unless customizing behavior.

How the judge decides iteration outcome:

  • Judge returns "success": false → IterationStatus::Refining
  • Judge returns "success": true but confidence < threshold → IterationStatus::Refining
  • Judge returns "success": true and confidence >= threshold → IterationStatus::Success

Available prompt template placeholders: {criteria} (from task.instruction), {output}, {exit_code}, {stderr}.

spec.tools[]

The orchestrator mediates all tool calls — agents never access MCP servers or credentials directly.

Security model:

| Layer | What is enforced |
|---|---|
| Authentication | Orchestrator validates execution_id before forwarding any call. |
| Authorization | Tool name must appear in spec.tools. Absent = rejected. |
| Policy validation | Arguments validated against tool-specific config (paths, domains, operations). |
| Rate limiting | Call count tracked per execution; calls beyond limit return 429. |
| Credential isolation | OAuth tokens and API keys held by orchestrator; never exposed to agent. |
| Audit trail | Every invocation published as MCPToolEvent domain event. |
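The six layers as one orchestrator-side gate, added here as an example and not the Aegis implementation. It checks the layers in the order the table lists them and records every decision in an audit list standing in for the MCPToolEvent stream. The filesystem check normalizes the path before the allowed_paths prefix test, which is the detail a prefix check most often gets wrong; the declared tools, the execution id and the low max_calls_per_execution are all constructed for the demonstration, and credentials never enter the object at all.

```python
import posixpath
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class GateResult:
    status: int  # 200 forwarded, 401/403 rejected, 429 rate limited
    reason: str = ""


def path_allowed(path: str, allowed: list) -> bool:
    """Prefix check on the *normalized* path: "/workspace/../etc/passwd" is
    compared as "/etc/passwd", so ".." segments cannot satisfy the prefix test.
    (Symlinks inside the mount are the filesystem layer's concern, not this check's.)"""
    norm = posixpath.normpath(path)
    if not norm.startswith("/"):
        return False
    for prefix in allowed:
        prefix = posixpath.normpath(prefix)
        if norm == prefix or norm.startswith(prefix.rstrip("/") + "/"):
            return True
    return False


def domain_allowed(domain: str, allowed: list) -> bool:
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in allowed)


@dataclass
class ToolGate:
    """Mediates MCP tool calls for one execution; holds no credentials."""
    execution_id: str
    tools: dict  # tool name -> its spec.tools[] entry
    calls: Counter = field(default_factory=Counter)
    audit: list = field(default_factory=list)  # stand-in for MCPToolEvent events

    def call(self, execution_id: str, tool: str, op: str, args: dict) -> GateResult:
        result = self._decide(execution_id, tool, op, args)
        self.audit.append({"tool": tool, "op": op, "status": result.status})
        return result

    def _decide(self, execution_id, tool, op, args) -> GateResult:
        if execution_id != self.execution_id:  # 1. authentication
            return GateResult(401, "unknown execution_id")
        spec = self.tools.get(tool)  # 2. authorization
        if spec is None:
            return GateResult(403, "tool not declared in spec.tools")
        cfg = spec.get("config") or {}
        self.calls[tool] += 1  # 3. rate limiting; rejected calls count too
        limit = cfg.get("max_calls_per_execution")
        if limit is not None and self.calls[tool] > limit:
            return GateResult(429, "max_calls_per_execution exceeded")
        server = spec.get("server")  # 4. policy validation per tool config
        if server == "mcp:filesystem":
            if op == "write" and cfg.get("access_mode", "read-only") != "read-write":
                return GateResult(403, "write denied: access_mode is read-only")
            if not path_allowed(args.get("path", ""), cfg.get("allowed_paths", ["/workspace"])):
                return GateResult(403, "path outside allowed_paths")
        elif server == "mcp:web-search":
            allowed = cfg.get("allowed_domains", [])  # [] means all domains
            if allowed and not domain_allowed(args.get("domain", ""), allowed):
                return GateResult(403, "domain outside allowed_domains")
        elif server == "mcp:gmail":
            if op not in cfg.get("allowed_operations", ["read", "search"]):
                return GateResult(403, f"operation {op!r} not in allowed_operations")
        return GateResult(200, "forwarded")  # 5. credentials attached here, host-side


# Constructed spec.tools[] entries, mirroring the annotated example above.
DECLARED_TOOLS = [
    {"name": "filesystem", "server": "mcp:filesystem",
     "config": {"allowed_paths": ["/workspace"], "access_mode": "read-write"}},
    {"name": "web-search", "server": "mcp:web-search",
     "config": {"allowed_domains": ["pypi.org", "docs.python.org"], "max_calls_per_execution": 2}},
]


def make_gate(execution_id: str = "exec-constructed-1") -> ToolGate:
    return ToolGate(execution_id, {t["name"]: t for t in DECLARED_TOOLS})
```

The audit list records the status of every attempt, including the rejected ones, which is what an analyst needs when an agent starts probing paths or domains outside its declared policy.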

spec.context[]

Additional resources attached to the agent at execution time.

| Field | Type | Required | Description |
|---|---|---|---|
| type | text / file / directory / url | | Resource type. |
| content | string | for text | Inline text content. |
| path | string | for file, directory | File or directory path. |
| url | string | for url | URL to fetch. |
| description | string | no | Human-readable description. |

spec.schedule

| Field | Type | Description |
|---|---|---|
| type | cron / interval / manual | Schedule type. |
| cron | string | Standard cron expression (e.g., "0 * * * *" = hourly). |
| timezone | string | IANA timezone (e.g., "America/New_York"). |
| enabled | boolean | Whether the schedule is active. |

spec.delivery

Output delivery destinations are evaluated after execution completes. Each destination has these fields:

| Field | Type | Required | Description |
|---|---|---|---|
| name | string | | Unique identifier for this destination. |
| condition | on_success / on_failure / always | | When to deliver. |
| transform | object | no | ETL script applied to output before delivery. |
| type | email / webhook / rest / sms | | Delivery mechanism. |

Transform fields:

| Field | Type | Description |
|---|---|---|
| script | string | Path to transformation script. Receives agent output on stdin. |
| args | string[] | Additional CLI arguments for the script. |
| timeout_seconds | integer | Script timeout. Default: 30. |

Email delivery fields: email.to, email.subject (supports {{date}}, {{agent.name}}), email.body_template, email.attachments.

Webhook delivery fields: webhook.url, webhook.method (default POST), webhook.headers (supports {{secret:token-name}}).


Examples

Minimal Agent

apiVersion: 100monkeys.ai/v1
kind: AgentManifest

metadata:
  name: pr-reviewer
  version: "1.0.0"
  description: "Reviews pull request diffs and returns structured feedback."

spec:
  runtime:
    language: python
    version: "3.11"

  task:
    instruction: |
      Review the provided code diff and return structured feedback covering:
      - Security vulnerabilities or concerns
      - Performance issues or opportunities
      - Code quality and maintainability
      Provide specific line references where relevant.

  security:
    network:
      mode: allow
      allowlist:
        - api.github.com
    resources:
      cpu: 1000
      memory: "1Gi"
      timeout: "300s"

  execution:
    mode: iterative
    max_iterations: 5

Agent with JSON Output Validation

apiVersion: 100monkeys.ai/v1
kind: AgentManifest

metadata:
  name: data-extractor
  version: "1.0.0"

spec:
  runtime:
    language: python
    version: "3.11"

  task:
    instruction: |
      Extract structured data from the provided document and output valid JSON
      matching the required schema.

  security:
    filesystem:
      read:
        - /workspace
      write:
        - /workspace/output
    resources:
      cpu: 500
      memory: "512Mi"
      timeout: "120s"

  volumes:
    - name: workspace
      storage_class: ephemeral
      mount_point: /workspace
      access_mode: read-write
      ttl_hours: 1
      size_limit_mb: 500

  execution:
    mode: iterative
    max_iterations: 8
    validation:
      system:
        must_succeed: true
        allow_stderr: false
        timeout_seconds: 60
      output:
        format: json
        schema:
          type: object
          required: ["entities", "relationships", "confidence"]
          properties:
            entities:
              type: array
            relationships:
              type: array
            confidence:
              type: number
              minimum: 0
              maximum: 1
      semantic:
        threshold: 0.85
        fallback_on_unavailable: skip

  tools:
    - name: filesystem
      server: "mcp:filesystem"
      config:
        allowed_paths: ["/workspace"]
        access_mode: read-write

Code Reviewer (Judge Agent)

Judge agents evaluate the output of other agents and must return structured JSON with gradient scoring:

{
  "score": 0.85,
  "confidence": 0.92,
  "reasoning": "The code correctly implements the requirements with minor style issues.",
  "suggestions": ["Add type hints", "Improve error handling"],
  "verdict": "pass"
}

Required judge output fields:

| Field | Type | Description |
|---|---|---|
| score | float (0.0–1.0) | Quality/correctness score on a continuous gradient. |
| confidence | float (0.0–1.0) | Judge's certainty in its assessment. |
| reasoning | string | Explanation for the score. |

Optional fields: signals, suggestions, verdict, and any custom metadata.
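Two checks the orchestrator performs around a judge, added as an example that is not the project's code: validating a judge agent's JSON output against the required fields and ranges listed above, and mapping the semantic validator's verdict to the iteration outcome described under validation.semantic. The verdict shape there is the page's ("success" plus a confidence compared to threshold); the sample outputs are constructed.

```python
import json

REQUIRED_JUDGE_FIELDS = ("score", "confidence", "reasoning")


def _unit_float(value) -> bool:
    """True for a number in [0.0, 1.0]; bool is excluded although it subclasses int."""
    return (isinstance(value, (int, float)) and not isinstance(value, bool)
            and 0.0 <= value <= 1.0)


def validate_judge_output(raw: str) -> tuple:
    """Parse a judge agent's stdout and check the required fields and ranges.
    Returns (parsed_object_or_None, list_of_errors); a non-empty list fails
    the output check even when the JSON itself is well formed."""
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError as exc:
        return None, [f"output is not valid JSON: {exc.msg}"]
    if not isinstance(obj, dict):
        return None, ["output must be a JSON object"]
    errors = []
    for key in ("score", "confidence"):
        if key not in obj:
            errors.append(f"missing required field {key!r}")
        elif not _unit_float(obj[key]):
            errors.append(f"{key} must be a number in 0.0-1.0")
    if not isinstance(obj.get("reasoning"), str) or not obj["reasoning"].strip():
        errors.append("reasoning must be a non-empty string")
    return (obj if not errors else None), errors


def iteration_status(judge: dict, threshold: float = 0.8) -> str:
    """Map the semantic validator's verdict to the iteration outcome.
    A missing or malformed confidence is treated as below threshold."""
    if judge.get("success") is not True:
        return "IterationStatus::Refining"
    confidence = judge.get("confidence")
    if not _unit_float(confidence) or confidence < threshold:
        return "IterationStatus::Refining"
    return "IterationStatus::Success"


# Constructed judge output, matching the example object above.
SAMPLE_JUDGE_OUTPUT = json.dumps({
    "score": 0.85, "confidence": 0.92,
    "reasoning": "The code correctly implements the requirements with minor style issues.",
    "suggestions": ["Add type hints", "Improve error handling"], "verdict": "pass",
})
```

Note that a bare `true` or a JSON array parses successfully but is still rejected, and that `"score": 1` (an integer) is accepted while `"score": true` is not; both are cases a looser isinstance check would get wrong.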

apiVersion: 100monkeys.ai/v1
kind: AgentManifest

metadata:
  name: code-quality-judge
  version: "1.0.0"
  labels:
    role: judge
    domain: code-review

spec:
  runtime:
    language: python
    version: "3.11"

  task:
    instruction: |
      You are a code quality judge. Evaluate the provided code output on:
      1. Correctness: Does it solve the stated problem?
      2. Code quality: Is it idiomatic and well-structured?
      3. Error handling: Does it handle edge cases?

      Always respond with valid JSON:
      {
        "score": <0.0-1.0>,
        "confidence": <0.0-1.0>,
        "reasoning": "<explanation>",
        "suggestions": ["<improvement>"],
        "verdict": "pass|fail|warning"
      }

  security:
    network:
      mode: none
    resources:
      cpu: 500
      memory: "512Mi"
      timeout: "60s"

  execution:
    mode: one-shot
    validation:
      system:
        must_succeed: true
      output:
        format: json
        schema:
          type: object
          required: ["score", "confidence", "reasoning"]
          properties:
            score:
              type: number
              minimum: 0
              maximum: 1
            confidence:
              type: number
              minimum: 0
              maximum: 1
            reasoning:
              type: string

Multi-Judge Consensus

For validation requiring multiple independent judges with consensus aggregation, use workflow ParallelAgents states rather than agent-level validation. The two approaches compare as follows:

| Feature | execution.validation.semantic | Workflow ParallelAgents |
|---|---|---|
| Number of judges | Single | Multiple in parallel |
| Consensus algorithm | N/A | mean, min, max, majority |
| Configuration location | Agent manifest | Workflow manifest |
| Use case | Per-iteration quality gate | Final output multi-panel review |

Version History

| Version | Date | Notes |
|---|---|---|
| v1.0 | 2026-02-16 | Kubernetes-style format with apiVersion/kind/metadata/spec. Canonical format for all new agents. |
