Agent Launch Flags API: Design Options
Research and design-alternatives dossier for the Agent launch flags API roadmap item. This page holds the exploratory proposal, phasing, and open questions; the roadmap item tracks only current status and remaining work.
Problem
docker/runtime/entrypoint.sh hardcodes final launch argv per agent in a shell case statement keyed on $JACKIN_AGENT (Claude gets --dangerously-skip-permissions --verbose, Codex gets --enable goals --dangerously-bypass-approvals-and-sandbox, Amp gets --dangerously-allow-all, Kimi gets --yolo, OpenCode sets OPENCODE_CONFIG_CONTENT='{"permission":"allow"}', Grok gets --always-approve). A security-conscious role author who wants to run Claude without --dangerously-skip-permissions (for audit replay, for example) cannot express that in jackin.role.toml. The role manifest has per-agent model and provider config, but no launch-argument override or safe-mode field. Launch flags remain a shell policy decision, not a jackin❯ manifest policy decision.
By default jackin❯ always passes the dangerous-mode flags (this is the whole point — autonomous agents). But role authors need the ability to override or extend these args.
Proposal
Two APIs, ordered:
1. Static API in jackin.role.toml
Expose launch-argument controls in the versioned role manifest. The current manifest uses top-level agents = [...] plus per-agent tables such as [claude], [codex], [kimi], [opencode], and [grok]; the final schema should fit that existing shape unless a schema bump deliberately moves to an agent map. Default behavior stays identical: existing high-autonomy args remain defaults.
Example:
[claude]
launch_args = ["--dangerously-skip-permissions", "--verbose"][claude]
safe_mode = trueWhen safe_mode = true, the dangerous-mode flags are omitted for that agent. When launch_args is set, it overrides the defaults entirely for that agent. Exact names remain open; the shipped schema does not yet include either field.
2. Runtime API via construct image binary
Provide a command inside the construct image, likely in jackin-capsule, that role hooks can call before agent exec to dynamically adjust agent launch arguments. This allows a role to evaluate runtime conditions and modify flags without editing the image entrypoint.
Example: a role might call the binary to add --model overrides or remove --dangerously-skip-permissions based on workspace conditions.
3. Move launch dispatch to Rust
Move final launch argv construction out of bash into a Rust surface. Bash remains only the hook-compatible wrapper that can source source.sh before exec. The AgentRuntime trait already exists (crates/jackin-core/src/agent/runtime.rs), so this item can add a launch-argv method to that adapter surface instead of first waiting for trait extraction.
Non-goals
- Do not remove the default dangerous-mode behavior. Autonomous agents are the core value proposition.
- Do not allow operators to add arbitrary flags the agent runtime doesn't understand.
- Do not bypass the
AgentRuntimeadapter surface with a second launch-dispatch table.
Implementation Phases
Phase 1 — Extend AgentRuntime
Add launch_argv() or an equivalent typed method to each AgentRuntime impl. The trait exists, but launch argv is not part of it yet.
Phase 2 — Static manifest API
Add the static launch-argument controls to the role manifest schema. This is a versioned schema change — migration rules apply.
Phase 3 — Runtime API binary
Design and implement the construct-image binary for dynamic flag adjustment.
Phase 4 — Move dispatch to Rust
Move launch dispatch from entrypoint.sh to Rust while preserving hook semantics that require a shell before exec.
Open Questions
- What is the exact shape of the runtime API binary? What arguments does it accept?
- Should safe mode be a per-agent field only, or should there also be a role-wide default?
- How does the runtime API interact with the static manifest settings? (Override? Merge? Prepend/append?)
- Should static launch args be unrestricted strings, a typed enum of known flags, or a small policy object per agent?