
Enforce agent capability leases and policy decisions in local agent runtime #20

@mdheller

Objective

Integrate agent-machine with the SourceOS/SociOS governed local-first agentic graph foundation.

agent-machine should enforce capability leases, policy decisions, model/provider constraints, local-only mode, enterprise firewall profiles, and audit emission for local agent execution.

Required work

  • Add .sourceos/manifest.json.
  • Load and validate AgentCapabilityLease fixtures once available from sourceos-spec.
  • Enforce policy decisions before tool execution, model routing, memory access, shell access, network access, and MCP server access.
  • Emit audit events for execution allow, deny, error, lease expiry, lease revocation, and policy mismatch.
  • Support local-only mode.
  • Support enterprise firewall/network profile constraints.
  • Define dangerous surfaces and runtime trust boundaries.

Dangerous surfaces

  • agent.execute.tool
  • agent.access.memory
  • agent.access.shell
  • agent.access.network
  • agent.model.route
  • agent.mcp.invoke
  • agent.secret_ref.use

Acceptance criteria

  • Agent execution requires a valid lease for high-risk and critical actions.
  • Policy denial is terminal and audit-visible.
  • Expired or revoked leases cannot execute.
  • Model/provider route changes are policy-bound.
  • .sourceos/manifest.json validates against the sourceos-spec manifest contract once available.
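
A minimal sketch of the lease-then-policy gate that the acceptance criteria describe, added here as an illustration and not taken from agent-machine or sourceos-spec. The `Lease` fields, the `authorize` function, the `policy` callable, the audit record layout and the reading of "policy mismatch" as a surface the lease does not cover are all assumptions.

```python
from dataclasses import dataclass
from enum import Enum

# Surfaces named in the issue; treating every one as lease-gated is an assumption.
DANGEROUS_SURFACES = frozenset({
    "agent.execute.tool", "agent.access.memory", "agent.access.shell",
    "agent.access.network", "agent.model.route", "agent.mcp.invoke",
    "agent.secret_ref.use",
})

class Outcome(str, Enum):  # audit outcomes from the issue's "Emit audit events" item
    ALLOW = "allow"
    DENY = "deny"
    ERROR = "error"
    LEASE_EXPIRY = "lease_expiry"
    LEASE_REVOCATION = "lease_revocation"
    POLICY_MISMATCH = "policy_mismatch"

@dataclass(frozen=True)
class Lease:  # hypothetical shape; the real AgentCapabilityLease is defined by sourceos-spec
    lease_id: str
    surfaces: frozenset
    expires_at: float  # epoch seconds
    revoked: bool = False

def authorize(surface, lease, policy, now, audit):
    """Return True only if lease and policy both permit `surface`; audit every outcome."""
    def emit(outcome):
        audit.append({"ts": now, "surface": surface, "outcome": outcome.value,
                      "lease_id": lease.lease_id if lease else None})
        return outcome is Outcome.ALLOW
    try:
        if surface not in DANGEROUS_SURFACES or lease is None:
            return emit(Outcome.DENY)  # unknown surface or no lease: fail closed
        if lease.revoked:
            return emit(Outcome.LEASE_REVOCATION)
        if now >= lease.expires_at:
            return emit(Outcome.LEASE_EXPIRY)
        if surface not in lease.surfaces:
            # Assumption: "policy mismatch" means the lease does not cover the surface.
            return emit(Outcome.POLICY_MISMATCH)
        # Policy denial is terminal: anything other than an explicit True denies.
        return emit(Outcome.ALLOW if policy(surface, lease) is True else Outcome.DENY)
    except Exception:
        return emit(Outcome.ERROR)  # evaluator failure never falls through to allow
```

The caller runs the tool, shell, network, model-route or MCP action only when `authorize` returns `True`, and `audit` can be any append-capable sink.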
