So I've been building **agentrc** — an open spec + small CLI to make that reviewable. You declare an agent in a Dockerfile-shaped **Agentfile**:

I couldn't answer a simple question about any AI agent I came across: what model does it use, what network can it reach, what tools can it call? It's all buried in the code. We review and govern containers through manifests and labels; agents have no equivalent, so security teams can't review them and platforms can't govern them.

So I built agentrc — an open spec (plus a small Go CLI) for packaging one AI agent as a portable, governed OCI artifact. You declare the agent in a Dockerfile-shaped Agentfile with four agent-native keywords over normal Dockerfile syntax: IDENTITY, CAPABILITY, SOP, POLICY.

A POLICY line is a \*typed request\* ("I want model X", "egress to api.stripe.com:443", "tool timeout 30s"), not enforcement. The platform grants, narrows, or rejects each request and enforces it deny-by-default; the spec compiles requests to Cedar. \`arc build\` produces a plain OCI image whose \`ai.agentrc.\*\` labels carry the whole request set, so platforms read the labels — never the prompt — and agents sign/mirror/ship like any container. \`arc run --backend local|bedrock|kubernetes --dry-run\` translates that one artifact into each platform's deploy form.

What's honestly true today: it's a Working Draft (0.1.0-draft.6); the CLI does build/lint/inspect/push and dry-run translation; the backend "runners" are reference translators to prove the labels are enough, not production infrastructure; secrets are intentionally out of scope. It's not a runtime, cloud, model provider, or framework.

Install: \`curl -fsSL https://agentrc.ai/install.sh | sh\` · Spec: https://agentrc.ai · Code: https://github.com/adeelahmad/agentrc

The bet I'd like feedback on: the labels are the standard; the runners are just proof of concept. If platforms read a common \`ai.agentrc.\*\` namespace, any conformant agent becomes a governed workload anywhere. Where does that break down?

reddit.com
u/adeelahmadch — 2 days ago

I couldn't tell what an AI agent was allowed to do without reading its code, so I built a Dockerfile-shaped way to declare it

Here's the gap that's been bugging me: everyone's shipping AI agents, but I can't answer a basic question about any of them — what model does it use, what network can it reach, what tools can it call? — without reading the implementation. We govern containers with manifests and labels; agents are just… vibes and a Python file. Security can't review them; platforms can't enforce anything.

So I've been building **agentrc** — an open spec + small CLI to make that reviewable. You declare an agent in a Dockerfile-shaped **Agentfile**:

```

# syntax=agentrc.agentfile/v0.1

FROM python:3.11-slim

IDENTITY name=support-bot version=1.0

CAPABILITY text

SOP Answer billing questions. Escalate anything else.

COPY ./tools/lookup /mnt/tools/lookup

POLICY model.nameclaude-sonnet-4

POLICY network dns:api.stripe.com:443

POLICY agent.tool_timeout 30s

```

Four new keywords over normal Dockerfile syntax: `IDENTITY`, `CAPABILITY`, `SOP`, `POLICY`. Everything under `POLICY` is a **typed request** — not enforcement. The agent *asks*; the platform grants, narrows, or rejects it and enforces deny-by-default (the spec compiles requests to Cedar). The only egress that bot can be granted is `api.stripe.com:443`, and I can see that in one line instead of grepping code.

`arc build` compiles it to a normal **OCI image** with `ai.agentrc.*` labels — platforms read the labels, never the Agentfile, so it ships/signs/mirrors like any container. `arc run <ref> --backend local|bedrock|kubernetes --dry-run` translates the same artifact into that platform's deploy config.

**What this is NOT, so nobody's surprised:**

- Working Draft (0.1.0-draft.6) — expect breaking changes.

- Not a runtime, cloud, model provider, or framework. The backend translators are a **proof of concept** that the labels are sufficient — not production infra.

- Secrets are deliberately out of scope for now.

Try it: `curl -fsSL https://agentrc.ai/install.sh | sh` (or `brew` / `go install`). Spec: https://agentrc.ai · Code: https://github.com/adeelahmad/agentrc

Real questions I want critique on: does the four-keyword split hold up? Is "requests, not enforcement" the right boundary? What would make you comfortable running an agent you didn't write?

reddit.com
u/adeelahmadch — 3 days ago

I couldn't tell what an AI agent was allowed to do without reading its code, so I built a Dockerfile-shaped way to declare it

Here's the gap that's been bugging me: everyone's shipping AI agents, but I can't answer a basic question about any of them — what model does it use, what network can it reach, what tools can it call? — without reading the implementation. We govern containers with manifests and labels; agents are just… vibes and a Python file. Security can't review them; platforms can't enforce anything.

So I've been building **agentrc** — an open spec + small CLI to make that reviewable. You declare an agent in a Dockerfile-shaped **Agentfile**:

```

# syntax=agentrc.agentfile/v0.1

FROM python:3.11-slim

IDENTITY name=support-bot version=1.0

CAPABILITY text

SOP Answer billing questions. Escalate anything else.

COPY ./tools/lookup /mnt/tools/lookup

POLICY model.nameclaude-sonnet-4

POLICY network dns:api.stripe.com:443

POLICY agent.tool_timeout 30s

```

Four new keywords over normal Dockerfile syntax: `IDENTITY`, `CAPABILITY`, `SOP`, `POLICY`. Everything under `POLICY` is a **typed request** — not enforcement. The agent *asks*; the platform grants, narrows, or rejects it and enforces deny-by-default (the spec compiles requests to Cedar). The only egress that bot can be granted is `api.stripe.com:443`, and I can see that in one line instead of grepping code.

`arc build` compiles it to a normal **OCI image** with `ai.agentrc.*` labels — platforms read the labels, never the Agentfile, so it ships/signs/mirrors like any container. `arc run <ref> --backend local|bedrock|kubernetes --dry-run` translates the same artifact into that platform's deploy config.

**What this is NOT, so nobody's surprised:**

- Working Draft (0.1.0-draft.6) — expect breaking changes.

- Not a runtime, cloud, model provider, or framework. The backend translators are a **proof of concept** that the labels are sufficient — not production infra.

- Secrets are deliberately out of scope for now.

Try it: `curl -fsSL https://agentrc.ai/install.sh | sh` (or `brew` / `go install`). Spec: https://agentrc.ai · Code: https://github.com/adeelahmad/agentrc

Real questions I want critique on: does the four-keyword split hold up? Is "requests, not enforcement" the right boundary? What would make you comfortable running an agent you didn't write?

reddit.com
u/adeelahmadch — 3 days ago

So I've been building **agentrc** — an open spec + small CLI to make that reviewable. You declare an agent in a Dockerfile-shaped **Agentfile**:

I couldn't answer a simple question about any AI agent I came across: what model does it use, what network can it reach, what tools can it call? It's all buried in the code. We review and govern containers through manifests and labels; agents have no equivalent, so security teams can't review them and platforms can't govern them.

So I built agentrc — an open spec (plus a small Go CLI) for packaging one AI agent as a portable, governed OCI artifact. You declare the agent in a Dockerfile-shaped Agentfile with four agent-native keywords over normal Dockerfile syntax: IDENTITY, CAPABILITY, SOP, POLICY.

A POLICY line is a *typed request* ("I want model X", "egress to api.stripe.com:443", "tool timeout 30s"), not enforcement. The platform grants, narrows, or rejects each request and enforces it deny-by-default; the spec compiles requests to Cedar. `arc build` produces a plain OCI image whose `ai.agentrc.*` labels carry the whole request set, so platforms read the labels — never the prompt — and agents sign/mirror/ship like any container. `arc run --backend local|bedrock|kubernetes --dry-run` translates that one artifact into each platform's deploy form.

What's honestly true today: it's a Working Draft (0.1.0-draft.6); the CLI does build/lint/inspect/push and dry-run translation; the backend "runners" are reference translators to prove the labels are enough, not production infrastructure; secrets are intentionally out of scope. It's not a runtime, cloud, model provider, or framework.

Install: `curl -fsSL https://agentrc.ai/install.sh | sh` · Spec: https://agentrc.ai · Code: https://github.com/adeelahmad/agentrc

The bet I'd like feedback on: the labels are the standard; the runners are just proof of concept. If platforms read a common `ai.agentrc.*` namespace, any conformant agent becomes a governed workload anywhere. Where does that break down?

reddit.com
u/adeelahmadch — 3 days ago

I couldn't tell what an AI agent was allowed to do without reading its code, so I built a Dockerfile-shaped way to declare it

Here's the gap that's been bugging me: everyone's shipping AI agents, but I can't answer a basic question about any of them — what model does it use, what network can it reach, what tools can it call? — without reading the implementation. We govern containers with manifests and labels; agents are just… vibes and a Python file. Security can't review them; platforms can't enforce anything.

So I've been building **agentrc** — an open spec + small CLI to make that reviewable. You declare an agent in a Dockerfile-shaped **Agentfile**:

```

# syntax=agentrc.agentfile/v0.1

FROM python:3.11-slim

IDENTITY name=support-bot version=1.0

CAPABILITY text

SOP Answer billing questions. Escalate anything else.

COPY ./tools/lookup /mnt/tools/lookup

POLICY model.nameclaude-sonnet-4

POLICY network dns:api.stripe.com:443

POLICY agent.tool_timeout 30s

```

Four new keywords over normal Dockerfile syntax: `IDENTITY`, `CAPABILITY`, `SOP`, `POLICY`. Everything under `POLICY` is a **typed request** — not enforcement. The agent *asks*; the platform grants, narrows, or rejects it and enforces deny-by-default (the spec compiles requests to Cedar). The only egress that bot can be granted is `api.stripe.com:443`, and I can see that in one line instead of grepping code.

`arc build` compiles it to a normal **OCI image** with `ai.agentrc.*` labels — platforms read the labels, never the Agentfile, so it ships/signs/mirrors like any container. `arc run <ref> --backend local|bedrock|kubernetes --dry-run` translates the same artifact into that platform's deploy config.

**What this is NOT, so nobody's surprised:**

- Working Draft (0.1.0-draft.6) — expect breaking changes.

- Not a runtime, cloud, model provider, or framework. The backend translators are a **proof of concept** that the labels are sufficient — not production infra.

- Secrets are deliberately out of scope for now.

Try it: `curl -fsSL https://agentrc.ai/install.sh | sh` (or `brew` / `go install`). Spec: https://agentrc.ai · Code: https://github.com/adeelahmad/agentrc

Real questions I want critique on: does the four-keyword split hold up? Is "requests, not enforcement" the right boundary? What would make you comfortable running an agent you didn't write?

reddit.com
u/adeelahmadch — 3 days ago
▲ 0 r/aws

I couldn't tell what an AI agent was allowed to do without reading its code, so I built a Dockerfile-shaped way to declare it

Here's the gap that's been bugging me: everyone's shipping AI agents, but I can't answer a basic question about any of them — what model does it use, what network can it reach, what tools can it call? — without reading the implementation. We govern containers with manifests and labels; agents are just… vibes and a Python file. Security can't review them; platforms can't enforce anything.

So I've been building **agentrc** — an open spec + small CLI to make that reviewable. You declare an agent in a Dockerfile-shaped **Agentfile**:

```

# syntax=agentrc.agentfile/v0.1

FROM python:3.11-slim

IDENTITY name=support-bot version=1.0

CAPABILITY text

SOP Answer billing questions. Escalate anything else.

COPY ./tools/lookup /mnt/tools/lookup

POLICY model.nameclaude-sonnet-4

POLICY network dns:api.stripe.com:443

POLICY agent.tool_timeout 30s

```

Four new keywords over normal Dockerfile syntax: `IDENTITY`, `CAPABILITY`, `SOP`, `POLICY`. Everything under `POLICY` is a **typed request** — not enforcement. The agent *asks*; the platform grants, narrows, or rejects it and enforces deny-by-default (the spec compiles requests to Cedar). The only egress that bot can be granted is `api.stripe.com:443`, and I can see that in one line instead of grepping code.

`arc build` compiles it to a normal **OCI image** with `ai.agentrc.*` labels — platforms read the labels, never the Agentfile, so it ships/signs/mirrors like any container. `arc run <ref> --backend local|bedrock|kubernetes --dry-run` translates the same artifact into that platform's deploy config.

**What this is NOT, so nobody's surprised:**

- Working Draft (0.1.0-draft.6) — expect breaking changes.

- Not a runtime, cloud, model provider, or framework. The backend translators are a **proof of concept** that the labels are sufficient — not production infra.

- Secrets are deliberately out of scope for now.

Try it: `curl -fsSL https://agentrc.ai/install.sh | sh` (or `brew` / `go install`). Spec: https://agentrc.ai · Code: https://github.com/adeelahmad/agentrc

Real questions I want critique on: does the four-keyword split hold up? Is "requests, not enforcement" the right boundary? What would make you comfortable running an agent you didn't write?

reddit.com
u/adeelahmadch — 3 days ago
▲ 1 r/LangChain+1 crossposts

I couldn't tell what an AI agent was allowed to do without reading its code, so I built a Dockerfile-shaped way to declare it

Here's the gap that's been bugging me: everyone's shipping AI agents, but I can't answer a basic question about any of them — what model does it use, what network can it reach, what tools can it call? — without reading the implementation. We govern containers with manifests and labels; agents are just… vibes and a Python file. Security can't review them; platforms can't enforce anything.

So I've been building **agentrc** — an open spec + small CLI to make that reviewable. You declare an agent in a Dockerfile-shaped **Agentfile**:

```

# syntax=agentrc.agentfile/v0.1

FROM python:3.11-slim

IDENTITY name=support-bot version=1.0

CAPABILITY text

SOP Answer billing questions. Escalate anything else.

COPY ./tools/lookup /mnt/tools/lookup

POLICY model.nameclaude-sonnet-4

POLICY network dns:api.stripe.com:443

POLICY agent.tool_timeout 30s

```

Four new keywords over normal Dockerfile syntax: `IDENTITY`, `CAPABILITY`, `SOP`, `POLICY`. Everything under `POLICY` is a **typed request** — not enforcement. The agent *asks*; the platform grants, narrows, or rejects it and enforces deny-by-default (the spec compiles requests to Cedar). The only egress that bot can be granted is `api.stripe.com:443`, and I can see that in one line instead of grepping code.

`arc build` compiles it to a normal **OCI image** with `ai.agentrc.*` labels — platforms read the labels, never the Agentfile, so it ships/signs/mirrors like any container. `arc run <ref> --backend local|bedrock|kubernetes --dry-run` translates the same artifact into that platform's deploy config.

**What this is NOT, so nobody's surprised:**

- Working Draft (0.1.0-draft.6) — expect breaking changes.

- Not a runtime, cloud, model provider, or framework. The backend translators are a **proof of concept** that the labels are sufficient — not production infra.

- Secrets are deliberately out of scope for now.

Try it: `curl -fsSL https://agentrc.ai/install.sh | sh` (or `brew` / `go install`). Spec: https://agentrc.ai · Code: https://github.com/adeelahmad/agentrc

Real questions I want critique on: does the four-keyword split hold up? Is "requests, not enforcement" the right boundary? What would make you comfortable running an agent you didn't write?

reddit.com
u/adeelahmadch — 3 days ago