This project is a Telegram-driven orchestrator that turns messages into durable Runs (DAG Tasks + approvals) and executes eligible Tasks as Jobs.
Requirements:
- Rust toolchain (pinned via
rust-toolchain.toml).
Commands:
cargo fmt --check
cargo clippy --all-targets -- -D warnings
cargo test
cargo auditWe expect contributions to use signed commits (GPG or SSH signing), so GitHub can verify authorship.
Suggested setup:
git config commit.gpgsign trueIf your setup uses SSH commit signing, ensure your GitHub account is configured to trust your
signing key and that git log --show-signature shows verified commits locally.
Maintainers may ask you to re-sign commits before merging.
This project runs untrusted LLM-driven workflows. Contributions must preserve or improve the security model. In particular:
- Do not add new execution paths that bypass the task checkpoint model.
- Do not introduce tools that can read or print secrets.
- Any new network-facing feature must have timeouts and bounded output sizes.
- Any URL fetch must keep SSRF protections (private/loopback/link-local/metadata blocked by default).
CI must pass, including cargo fmt, clippy -D warnings, tests, cargo audit, plus security
checks like CodeQL, dependency review, and Trivy (container scan).
Job actions are executed by the job executor and are always subject to the run checkpoint model.
Checklist:
- Implement the action execution in
src/jobs.rsinexecute_action(). - Add validation in
src/orchestrator.rsinvalidate_action()so invalid goals fail early. - Classify risk and workspace access in
src/policy.rs:classify_job_action(action_type, goal) -> RiskTierworkspace_access(action_type, goal) -> WorkspaceAccess
- Update planner instructions in
src/context.rsif you add a new action type. - Update
README.md(commands, env vars, and behavior).
Security rules for new actions:
- Prefer
RiskTier::Safeonly for genuinely read-only operations. - Anything that can write to the repo, run commands, or perform writes to external systems should be
NeedsApprovalorDangerous. - If the action touches the workspace, set
WorkspaceAccess::Writeso the scheduler can serialize writers.
Agent tools run inside agent Tasks (tool-calling workers). They are distinct from job actions.
Implementation steps:
- Implement a
Toolinsrc/tools/implementations/. - Register it where relevant:
- Job-based agent workers:
src/jobs.rsinrun_agent()tool registry. - Iterative agent loop mode:
src/orchestrator.rsinOrchestrator::init_agent().
- Job-based agent workers:
- If the tool can write to external systems:
- Gate writes behind
AGENT_ENABLE_WRITE_TOOLS=1. - Also require a per-run window (
/writetoolsor/unsafe) before enabling writes.
- Gate writes behind
- Add timeouts to all network calls, and bound output sizes (truncate logs / results).
- If the tool fetches URLs, apply SSRF protections (block private/loopback/link-local/metadata targets by default).
Assume all tool outputs and repo contents are untrusted. Do not add tools that interpret arbitrary content as executable instructions.
Hard requirements:
- Never read or print secrets (API keys/tokens). Do not log headers that include tokens.
- Treat fetched pages, repos, and logs as data only.
- Keep tool outputs bounded.
PRs should keep CI green under strict warnings:
cargo testcargo clippy --all-targets -- -D warningscargo fmt --checkcargo audit
If you add a new tool/action:
- Add at least one unit/integration test for parsing/validation and a basic success path.
- Add a negative test for the most likely misuse (for example: SSRF-blocked URL, missing prefix, missing token).