So I've been building **agentrc** — an open spec + small CLI to make that reviewable. You declare an agent in a Dockerfile-shaped **Agentfile**:
I couldn't answer a simple question about any AI agent I came across: what model does it use, what network can it reach, what tools can it call? It's all buried in the code. We review and govern containers through manifests and labels; agents have no equivalent, so security teams can't review them and platforms can't govern them.
So I built agentrc — an open spec (plus a small Go CLI) for packaging one AI agent as a portable, governed OCI artifact. You declare the agent in a Dockerfile-shaped Agentfile with four agent-native keywords over normal Dockerfile syntax: IDENTITY, CAPABILITY, SOP, POLICY.
A POLICY line is a \*typed request\* ("I want model X", "egress to api.stripe.com:443", "tool timeout 30s"), not enforcement. The platform grants, narrows, or rejects each request and enforces it deny-by-default; the spec compiles requests to Cedar. \`arc build\` produces a plain OCI image whose \`ai.agentrc.\*\` labels carry the whole request set, so platforms read the labels — never the prompt — and agents sign/mirror/ship like any container. \`arc run --backend local|bedrock|kubernetes --dry-run\` translates that one artifact into each platform's deploy form.
What's honestly true today: it's a Working Draft (0.1.0-draft.6); the CLI does build/lint/inspect/push and dry-run translation; the backend "runners" are reference translators to prove the labels are enough, not production infrastructure; secrets are intentionally out of scope. It's not a runtime, cloud, model provider, or framework.
Install: \`curl -fsSL https://agentrc.ai/install.sh | sh\` · Spec: https://agentrc.ai · Code: https://github.com/adeelahmad/agentrc
The bet I'd like feedback on: the labels are the standard; the runners are just proof of concept. If platforms read a common \`ai.agentrc.\*\` namespace, any conformant agent becomes a governed workload anywhere. Where does that break down?