README
¶
Agentfile
Dockerfile for AI agents — define, build, and distribute autonomous agents as OCI artifacts.
Why not just a Dockerfile?
Dockerfiles build containers — generic process sandboxes. Agentfiles build agents — autonomous AI processes with specific lifecycle requirements. The Agentfile is purpose-built for what agents actually need:
| Dockerfile | Agentfile | |
|---|---|---|
| Unit of work | Container (generic process) | Agent (LLM + tools + context) |
| Model declaration | None — bake it into env vars or entrypoint args | First-class: MODEL anthropic/claude-sonnet-4-20250514 |
| Tool management | COPY binaries, manage PATH, hope they work |
BIN wget ghcr.io/openotters/tools/wget:latest — pulled at deploy, isolated, self-describing |
| System prompt | Doesn't exist | CONTEXT SOUL <<EOF ... EOF — versioned, inheritable, composable |
| Typed config | ENV KEY=value (strings only) |
CONFIG max-tokens=1024 — int, float, bool, string with validation |
| Inheritance | FROM copies layers (build-time) |
FROM parent-agent merges contexts, tools, configs (semantic) |
| Runtime contract | Any process, any protocol | gRPC API (agent/api/v1/agent.proto) — Chat, Stream, Health, Ready |
| Secrets | Leaked into layers, need multi-stage builds | Never in artifact — MODEL names the model, keys are injected at runtime |
| Capabilities | Full Linux, must drop manually |
Zero by default — each BIN grants exactly one tool |
| Distribution | OCI image (layers, filesystem) | OCI artifact (structured: config blob + typed layers) |
| Composition | docker-compose.yml |
agent-compose.yml (planned) — topology-aware agent networks |
The key insight
A Dockerfile answers: "How do I package a process?"
An Agentfile answers: "What does this agent know, what can it do, and how does it think?"
# This is not a container. This is an agent.
FROM scratch
RUNTIME ghcr.io/openotters/runtime:latest
MODEL ollama/qwen3:8b
NAME meteo
CONTEXT SOUL <<EOF
You are a weather assistant.
Always report temperature in °C.
EOF
BIN wget ghcr.io/openotters/tools/wget:latest "Fetch URL content"
BIN jq ghcr.io/openotters/tools/jq:latest "Extract fields from JSON"
ADD cities.json /data/cities.json "Known cities"
EXEC ["serve"]
The model, personality, tools, and data are declarative, versionable, and inheritable — not hidden in scripts, environment variables, or Docker layers.
Quick start
# Build an agent from an Agentfile
go run ./examples/build/ demo/meteo/Agentfile
# Run it locally (needs a runtime binary + model endpoint)
go run ./examples/run/ \
--runtime ./runtime \
--model ollama/qwen3:8b \
--api-base http://localhost:11434/v1 \
demo/meteo/Agentfile
Format
FROM scratch
RUNTIME ghcr.io/openotters/runtime:latest
MODEL anthropic/claude-haiku-4-5-20251001
NAME meteo
CONTEXT SOUL "Agent personality" <<EOF
You are a weather assistant.
EOF
CONFIG max-tokens=1024
CONFIG temperature=0.7
BIN wget ghcr.io/openotters/tools/wget:latest "Fetch URL content"
BIN jq ghcr.io/openotters/tools/jq:latest "Extract fields from JSON"
ADD cities.json /data/cities.json "Known cities"
EXEC ["serve"]
LABEL description="Weather assistant"
| Instruction | Purpose |
|---|---|
FROM |
Base agent — scratch or parent ref for inheritance |
RUNTIME |
Runtime OCI image (follows bin spec) |
MODEL |
LLM provider/model |
NAME |
Agent name |
CONTEXT |
System prompt context (inline, heredoc, file://) |
CONFIG |
Typed runtime parameter (int, float, bool, string) |
BIN |
Tool binary as an OCI image |
ADD |
Data file bundled into the workspace |
EXEC |
Runtime invocation args (JSON array) |
LABEL |
OCI annotation |
ARG |
Build-time ${VAR} substitution |
Examples
Each example is a standalone go run program.
# Build and inspect
go run ./examples/build/ demo/meteo/Agentfile
# Push to registry
go run ./examples/push/ demo/meteo/Agentfile ghcr.io/openotters/agents/meteo:1.0.0
# Pull from registry
go run ./examples/pull/ ghcr.io/openotters/agents/meteo:1.0.0
# Run locally
go run ./examples/run/ --runtime ./runtime --model ollama/qwen3:8b --api-base http://localhost:11434/v1 demo/meteo/Agentfile
See examples/ for the full list.
Security
What's enforced today:
- Closed capabilities — zero tools by default, each
BINgrants exactly one. No shell, no exec. - No secrets in artifacts —
MODELnames the model, API keys are injected by the runtime. Artifacts are safe to share and publish. - OCI supply chain — runtime, tools, and base agents are content-addressed OCI refs. Pin a digest for full reproducibility. Registries provide signing and scanning.
- Static binaries — tools are single static binaries (
FROM scratch). No interpreters, no dynamic linking, minimal attack surface. - Sandboxed filesystem layout —
etc/andusr/bin/are designed read-only,workspace/andtmp/are read-write. - Auditable — the full capability set is visible in the Agentfile and preserved in the OCI config blob.
- Runtime API contract — runtimes must implement a defined gRPC API (
agent/api/v1/agent.proto). No arbitrary process execution.
Not yet enforced (requires containerized executor):
- Read-only mounts — the local system executor uses the filesystem without enforcement. Docker/K8s executors would mount
etc/andusr/bin/as immutable volumes. - Namespace isolation — the agent root is not sandboxed on the local filesystem. Containerized executors provide process and network isolation.
Specification
Directories
¶
| Path | Synopsis |
|---|---|
|
Package build packs an Agentfile and its referenced contexts and bins into an OCI artifact that can be pushed to a registry or inspected as a standalone manifest.
|
Package build packs an Agentfile and its referenced contexts and bins into an OCI artifact that can be pushed to a registry or inspected as a standalone manifest. |
|
examples
|
|
|
build
command
|
|
|
export
command
Export parses an Agentfile, builds the OCI artifact, and exports it to a JSON file.
|
Export parses an Agentfile, builds the OCI artifact, and exports it to a JSON file. |
|
import
command
Import loads an exported agent artifact JSON file.
|
Import loads an exported agent artifact JSON file. |
|
parse
command
Parse reads an Agentfile and dumps the parsed structure as JSON.
|
Parse reads an Agentfile and dumps the parsed structure as JSON. |
|
pull
command
Pull downloads an agent artifact from a registry using oras, then loads and dumps the Agentfile as JSON.
|
Pull downloads an agent artifact from a registry using oras, then loads and dumps the Agentfile as JSON. |
|
push
command
Push parses an Agentfile, builds the OCI artifact, and pushes it to a registry using oras.
|
Push parses an Agentfile, builds the OCI artifact, and pushes it to a registry using oras. |
|
run
command
Run parses an Agentfile, materializes the agent workspace, and starts the runtime.
|
Run parses an Agentfile, materializes the agent workspace, and starts the runtime. |
|
validate
command
Validate checks whether an Agentfile is syntactically and semantically valid.
|
Validate checks whether an Agentfile is syntactically and semantically valid. |
|
Package agent defines the lifecycle contract for a running agent and the shared status tracker used by concrete backends.
|
Package agent defines the lifecycle contract for a running agent and the shared status tracker used by concrete backends. |
|
system
Package system implements executor.Provider using local OS processes and a chrooted billy filesystem per agent.
|
Package system implements executor.Provider using local OS processes and a chrooted billy filesystem per agent. |
|
Package export serializes an OCI artifact stored in a memory store to a portable JSON blob and restores it back into a memory store.
|
Package export serializes an OCI artifact stored in a memory store to a portable JSON blob and restores it back into a memory store. |
|
mocks
|
|
|
Package model resolves LLM credentials at runtime.
|
Package model resolves LLM credentials at runtime. |
|
Package oci wraps oras-go for agentfile use: authenticated remote repositories, manifest/index resolution, blob fetching, and a Puller abstraction that extracts a bin layer from an image.
|
Package oci wraps oras-go for agentfile use: authenticated remote repositories, manifest/index resolution, blob fetching, and a Puller abstraction that extracts a bin layer from an image. |
|
Package resolve resolves FROM inheritance by pulling parent agent artifacts and merging them with child instructions.
|
Package resolve resolves FROM inheritance by pulling parent agent artifacts and merging them with child instructions. |
|
Package spec reads Agentfiles into structured Agentfile values.
|
Package spec reads Agentfiles into structured Agentfile values. |
|
Package store reads OCI manifests and Agentfiles out of oras targets.
|
Package store reads OCI manifests and Agentfiles out of oras targets. |
|
Package validate exposes Agentfile validation entry points for files, readers, and programmatically constructed structs.
|
Package validate exposes Agentfile validation entry points for files, readers, and programmatically constructed structs. |
Click to show internal directories.
Click to hide internal directories.