Atoms

Read + write files in the workspace; exec commands and spawn sub-agents only with explicit user approval. Destructive ops blocked.

SELECT only against a named DSN. No mutations.

All DML against a named DSN. INSERT / UPDATE / DELETE.

Execute shell commands with per-command user approval. Read + write filesystem; no unscoped network.

Read + write within a configured path prefix only. No exec, no delete, no network.

Any HTTP method against any host on the configured allowlist. Pair with isolation/container-with-allowlist.

Outbound HTTP GET only. No POST/PUT/PATCH/DELETE.

Read files in the workspace; cannot write, exec, or hit the network. Used by reviewer / analyst agents.

Container-isolated execution with an allowlist for network egress (e.g., package registries, AI endpoints only). Scoped tmpfs filesystem.

Single-use VM destroyed on task completion. Strongest practical isolation for untrusted execution.

Own network namespace with explicit allowlist. Filesystem and process boundaries delegated to the host.

Subprocess with read-only filesystem mount, no network, scoped to the workspace root. Used by reviewer / analyst agents.

Subprocess with seccomp filter — only whitelisted syscalls allowed. No network; scoped filesystem.

Adversarial code-review agent. Reads diffs, finds issues, files comments. Read-only filesystem; no exec; no network.

ETL / batch processing agent. Idempotency-disciplined: every step is restartable, every write is checkpointed.

Five-phase systematic debugger. Reproduce → isolate → root cause → fix with regression test → verify.

Singleton orchestrator persona for the /spawn pipeline. Partitions issues into domain batches, never writes feature code.

Documentation-drafting agent. Names the audience, defines jargon, keeps examples runnable.

Decomposition-first agent. Builds Alternatives Tables, sequences work, surfaces risk before any execution.

Behavior-preserving refactor agent. If it finds a bug, it files it separately — never bundles a fix into a refactor.

Multi-step research agent. Decomposes queries, hits sources, synthesizes with provenance discipline.

TDD-discipline agent. Writes the failing test first, watches it fail, writes the minimal impl, watches it pass.

Bug-triage agent. Searches for duplicates before filing; creates well-structured tickets with reproduction + context.

Refuses to execute any command. Reviewers and analysts use this — they describe what would happen but never run it.

Refuses read or write outside the declared project root. Prevents cross-tenant or cross-workspace leakage.

Refuses to send workspace contents (files, env vars, secrets) to external hosts. For agents with network access on sensitive data.

Refuses destructive or hard-to-reverse operations without an explicit user confirmation. Mirrors Common.md §2.2.

Refuses any tool call that hits the network. For air-gapped reviewers, untrusted-input handlers, supply-chain auditors.

Execute a shell command. Gated by capability/exec-with-approval and isolation/container-with-allowlist or stricter.

Remove a file. Destructive. Requires explicit user approval.

Targeted string replacement in a file. Requires a prior read of the same file.

Create or overwrite a file. Side-effecting.

Per-line authorship for a file.

Show changes between commits, branches, or working tree. Read-only.

Commit history for a ref / path.

Detail for a single commit — message, files, diff.

Working tree status — staged, modified, untracked.

Enumerate paths matching a glob pattern.

Pattern search across files. Returns matching lines with file:line locations.

HTTP GET. Returns body and status.

HTTP POST / PUT / PATCH / DELETE. Side-effecting.

List entries in a directory. Read-only.

Read a file from the workspace. Read-only; no side effects beyond opening the file.

Register a cron / timer task. Side-effecting (creates persistent schedule).

Send a message to an external channel (Slack, email, etc.). External, side-effecting.

INSERT / UPDATE / DELETE against a named DSN. Side-effecting.

Read-only SELECT against a named DSN.

File metadata: size, mtime, mode, type.