{ "$defs": { "RawAuth": { "additionalProperties": false, "description": "``auth:`` \u2014 credential-capture behavior (OAuth container or API-key prompt).", "properties": { "host_dir": { "description": "Single-segment dir under mounts_dir() (e.g. ``_codex-config``)", "title": "Host Dir", "type": "string" }, "container_mount": { "description": "Mount point inside the container", "title": "Container Mount", "type": "string" }, "command": { "anyOf": [ { "items": { "type": "string" }, "type": "array" }, { "type": "null" } ], "default": null, "description": "Container command for OAuth mode; derived from auth_key when absent", "title": "Command" }, "auth_key": { "anyOf": [ { "$ref": "#/$defs/RawAuthKey" }, { "type": "null" } ], "default": null }, "banner_hint": { "default": "", "title": "Banner Hint", "type": "string" }, "extra_run_args": { "items": { "type": "string" }, "title": "Extra Run Args", "type": "array" }, "modes": { "items": { "enum": [ "oauth", "api_key" ], "type": "string" }, "title": "Modes", "type": "array" }, "api_key_hint": { "default": "", "title": "Api Key Hint", "type": "string" }, "post_capture_state": { "additionalProperties": { "additionalProperties": true, "type": "object" }, "description": "JSON state files to merge into the auth mount post-capture", "title": "Post Capture State", "type": "object" } }, "required": [ "host_dir", "container_mount" ], "title": "RawAuth", "type": "object" }, "RawAuthKey": { "additionalProperties": false, "description": "``auth.auth_key:`` \u2014 printf-template-driven API-key prompt for tools.", "properties": { "label": { "anyOf": [ { "type": "string" }, { "type": "null" } ], "default": null, "title": "Label" }, "key_url": { "title": "Key Url", "type": "string" }, "env_var": { "title": "Env Var", "type": "string" }, "config_path": { "title": "Config Path", "type": "string" }, "printf_template": { "title": "Printf Template", "type": "string" }, "tool_name": { "anyOf": [ { "type": "string" }, { "type": "null" } ], "default": null, "title": "Tool Name" } }, "required": [ "key_url", "env_var", "config_path", "printf_template" ], "title": "RawAuthKey", "type": "object" }, "RawAutoApprove": { "additionalProperties": false, "description": "``auto_approve:`` \u2014 env vars and flags injected when ``TEROK_UNRESTRICTED=1``.", "properties": { "env": { "additionalProperties": { "type": "string" }, "title": "Env", "type": "object" }, "flags": { "items": { "type": "string" }, "title": "Flags", "type": "array" } }, "title": "RawAutoApprove", "type": "object" }, "RawCapabilities": { "additionalProperties": false, "description": "``capabilities:`` \u2014 agent-specific feature toggles.", "properties": { "agents_json": { "default": false, "title": "Agents Json", "type": "boolean" }, "add_dir": { "default": false, "title": "Add Dir", "type": "boolean" }, "log_format": { "default": "plain", "enum": [ "plain", "claude-stream-json" ], "title": "Log Format", "type": "string" } }, "title": "RawCapabilities", "type": "object" }, "RawGitIdentity": { "additionalProperties": false, "description": "``git_identity:`` \u2014 author/committer override per agent.", "properties": { "name": { "anyOf": [ { "type": "string" }, { "type": "null" } ], "default": null, "description": "Git author/committer name", "title": "Name" }, "email": { "anyOf": [ { "type": "string" }, { "type": "null" } ], "default": null, "description": "Git author/committer email", "title": "Email" } }, "title": "RawGitIdentity", "type": "object" }, "RawHeadless": { "additionalProperties": false, "description": "``headless:`` \u2014 flags and subcommand for non-interactive prompt invocation.", "properties": { "subcommand": { "anyOf": [ { "type": "string" }, { "type": "null" } ], "default": null, "description": "Subcommand for headless mode (e.g. ``exec`` for codex)", "title": "Subcommand" }, "prompt_flag": { "default": "-p", "description": "Flag for the prompt; ``\"\"`` for positional", "title": "Prompt Flag", "type": "string" }, "model_flag": { "anyOf": [ { "type": "string" }, { "type": "null" } ], "default": null, "description": "Flag for model override", "title": "Model Flag" }, "max_turns_flag": { "anyOf": [ { "type": "string" }, { "type": "null" } ], "default": null, "description": "Flag for maximum turns", "title": "Max Turns Flag" }, "verbose_flag": { "anyOf": [ { "type": "string" }, { "type": "null" } ], "default": null, "description": "Flag for verbose output", "title": "Verbose Flag" }, "output_format_flags": { "description": "Flags for structured output", "items": { "type": "string" }, "title": "Output Format Flags", "type": "array" } }, "title": "RawHeadless", "type": "object" }, "RawHelp": { "additionalProperties": false, "description": "``help:`` \u2014 one-line entry shown in the in-container help banner.", "properties": { "label": { "default": "", "title": "Label", "type": "string" }, "section": { "default": "agent", "enum": [ "agent", "dev_tool" ], "title": "Section", "type": "string" } }, "title": "RawHelp", "type": "object" }, "RawInstall": { "additionalProperties": false, "description": "``install:`` \u2014 Dockerfile fragments emitted into the L1 image.", "properties": { "depends_on": { "items": { "type": "string" }, "title": "Depends On", "type": "array" }, "run_as_root": { "default": "", "title": "Run As Root", "type": "string" }, "run_as_dev": { "default": "", "title": "Run As Dev", "type": "string" } }, "title": "RawInstall", "type": "object" }, "RawMountSpec": { "additionalProperties": false, "description": "One entry in the ``mounts:`` list \u2014 explicit shared-config mount.", "properties": { "host_dir": { "title": "Host Dir", "type": "string" }, "container_path": { "title": "Container Path", "type": "string" }, "label": { "anyOf": [ { "type": "string" }, { "type": "null" } ], "default": null, "title": "Label" } }, "required": [ "host_dir", "container_path" ], "title": "RawMountSpec", "type": "object" }, "RawOAuthRefresh": { "additionalProperties": false, "description": "``vault.oauth_refresh:`` \u2014 token-refresh endpoint and client config.", "properties": { "token_url": { "title": "Token Url", "type": "string" }, "client_id": { "title": "Client Id", "type": "string" }, "scope": { "anyOf": [ { "type": "string" }, { "type": "null" } ], "default": null, "title": "Scope" } }, "required": [ "token_url", "client_id" ], "title": "RawOAuthRefresh", "type": "object" }, "RawOpenCode": { "additionalProperties": false, "description": "``opencode:`` \u2014 OpenAI-compatible provider config for OpenCode-based agents.", "properties": { "display_name": { "title": "Display Name", "type": "string" }, "base_url": { "title": "Base Url", "type": "string" }, "preferred_model": { "title": "Preferred Model", "type": "string" }, "fallback_model": { "title": "Fallback Model", "type": "string" }, "env_var_prefix": { "title": "Env Var Prefix", "type": "string" }, "config_dir": { "title": "Config Dir", "type": "string" }, "auth_key_url": { "title": "Auth Key Url", "type": "string" }, "api_key_hint": { "anyOf": [ { "type": "string" }, { "type": "null" } ], "default": null, "description": "Override for the auto-derived auth provider's API-key hint", "title": "Api Key Hint" } }, "required": [ "display_name", "base_url", "preferred_model", "fallback_model", "env_var_prefix", "config_dir", "auth_key_url" ], "title": "RawOpenCode", "type": "object" }, "RawSession": { "additionalProperties": false, "description": "``session:`` \u2014 session resume / continue capability flags.", "properties": { "supports_resume": { "default": false, "title": "Supports Resume", "type": "boolean" }, "resume_flag": { "anyOf": [ { "type": "string" }, { "type": "null" } ], "default": null, "title": "Resume Flag" }, "continue_flag": { "anyOf": [ { "type": "string" }, { "type": "null" } ], "default": null, "title": "Continue Flag" }, "session_file": { "anyOf": [ { "type": "string" }, { "type": "null" } ], "default": null, "title": "Session File" }, "supports_hook": { "default": false, "title": "Supports Hook", "type": "boolean" } }, "title": "RawSession", "type": "object" }, "RawSidecar": { "additionalProperties": false, "description": "``sidecar:`` \u2014 separate L1 image + env-mapped credentials for tool runners.", "properties": { "tool_name": { "anyOf": [ { "type": "string" }, { "type": "null" } ], "default": null, "title": "Tool Name" }, "env_map": { "additionalProperties": { "type": "string" }, "title": "Env Map", "type": "object" } }, "title": "RawSidecar", "type": "object" }, "RawVault": { "additionalProperties": false, "description": "``vault:`` \u2014 proxy route + credential-injection rules.", "properties": { "route_prefix": { "description": "Path prefix in the proxy (e.g. ``claude``)", "title": "Route Prefix", "type": "string" }, "upstream": { "description": "Upstream API base URL", "title": "Upstream", "type": "string" }, "path_upstreams": { "additionalProperties": { "type": "string" }, "title": "Path Upstreams", "type": "object" }, "oauth_extra_headers": { "additionalProperties": { "type": "string" }, "title": "Oauth Extra Headers", "type": "object" }, "auth_header": { "default": "Authorization", "title": "Auth Header", "type": "string" }, "auth_prefix": { "default": "Bearer ", "title": "Auth Prefix", "type": "string" }, "credential_type": { "default": "api_key", "enum": [ "api_key", "oauth", "oauth_token", "pat" ], "title": "Credential Type", "type": "string" }, "credential_file": { "default": "", "title": "Credential File", "type": "string" }, "token_env": { "additionalProperties": { "type": "string" }, "title": "Token Env", "type": "object" }, "base_url_env": { "default": "", "title": "Base Url Env", "type": "string" }, "socket_env": { "default": "", "title": "Socket Env", "type": "string" }, "shared_config_patch": { "anyOf": [ { "additionalProperties": true, "type": "object" }, { "type": "null" } ], "default": null, "title": "Shared Config Patch" }, "oauth_refresh": { "anyOf": [ { "$ref": "#/$defs/RawOAuthRefresh" }, { "type": "null" } ], "default": null }, "shared_domain": { "default": false, "description": "True when ``upstream`` host also serves non-API traffic (docs, dashboards, ``git push``\u2026); terok's auth-protect layer skips host-level denies for these providers.", "title": "Shared Domain", "type": "boolean" } }, "required": [ "route_prefix", "upstream" ], "title": "RawVault", "type": "object" }, "RawWrapper": { "additionalProperties": false, "description": "``wrapper:`` \u2014 in-container shell-wrapper behavior.", "properties": { "refuse_subcommands": { "items": { "type": "string" }, "title": "Refuse Subcommands", "type": "array" } }, "title": "RawWrapper", "type": "object" } }, "additionalProperties": false, "description": "Full schema for one agent YAML file.\n\nThe file's stem (e.g. ``claude.yaml`` \u2192 ``\"claude\"``) supplies the\nroster name; the YAML never repeats it inside. ``roster_version``\nis stripped before validation by the loader's compat check, so it\nis intentionally absent here.", "properties": { "kind": { "default": "native", "enum": [ "native", "opencode", "bridge", "tool", "runtime" ], "title": "Kind", "type": "string" }, "label": { "anyOf": [ { "type": "string" }, { "type": "null" } ], "default": null, "description": "Human-readable display name", "title": "Label" }, "binary": { "anyOf": [ { "type": "string" }, { "type": "null" } ], "default": null, "description": "CLI binary name (defaults to roster name)", "title": "Binary" }, "git_identity": { "anyOf": [ { "$ref": "#/$defs/RawGitIdentity" }, { "type": "null" } ], "default": null }, "headless": { "anyOf": [ { "$ref": "#/$defs/RawHeadless" }, { "type": "null" } ], "default": null }, "auto_approve": { "anyOf": [ { "$ref": "#/$defs/RawAutoApprove" }, { "type": "null" } ], "default": null }, "session": { "anyOf": [ { "$ref": "#/$defs/RawSession" }, { "type": "null" } ], "default": null }, "capabilities": { "anyOf": [ { "$ref": "#/$defs/RawCapabilities" }, { "type": "null" } ], "default": null }, "wrapper": { "anyOf": [ { "$ref": "#/$defs/RawWrapper" }, { "type": "null" } ], "default": null }, "opencode": { "anyOf": [ { "$ref": "#/$defs/RawOpenCode" }, { "type": "null" } ], "default": null }, "auth": { "anyOf": [ { "$ref": "#/$defs/RawAuth" }, { "type": "null" } ], "default": null }, "vault": { "anyOf": [ { "$ref": "#/$defs/RawVault" }, { "type": "null" } ], "default": null }, "sidecar": { "anyOf": [ { "$ref": "#/$defs/RawSidecar" }, { "type": "null" } ], "default": null }, "install": { "anyOf": [ { "$ref": "#/$defs/RawInstall" }, { "type": "null" } ], "default": null }, "help": { "anyOf": [ { "$ref": "#/$defs/RawHelp" }, { "type": "null" } ], "default": null }, "mounts": { "items": { "$ref": "#/$defs/RawMountSpec" }, "title": "Mounts", "type": "array" }, "web_ingress": { "default": false, "description": "Whether this entry publishes a host HTTP port", "title": "Web Ingress", "type": "boolean" } }, "title": "terok-executor agent YAML", "type": "object", "$schema": "https://json-schema.org/draft/2020-12/schema" }