What is agentrc?
agentrc (Agent Run Config) is an open specification for declaring, packaging, securing, and sharing AI agents as portable, content-addressed artifacts.
It defines the contract an agent declares — what it is, how it starts, what it may touch, and how those boundaries are governed. Compatible runners decide how to execute that contract on their own substrate.
agentrc is not a runtime, sandbox, cloud platform, model provider, or agent framework. It is the neutral declaration, packaging, and governance layer that sits above all of those.
The problem
AI agents are becoming real software that reads files, calls tools, spends credentials, and reaches the network — but the way they are defined today does not match the risk they carry:
- Agents are not portable. An agent built for one framework or cloud usually has to be rewritten to run anywhere else. Its capabilities and limits are scattered across code, config, environment variables, and platform dashboards.
- Their permissions are invisible. There is rarely a single reviewable artifact that says which tools, files, hosts, and secrets this agent can use. A security team cannot vet what it cannot see in one place.
- They are hard to share safely. There is no common, signable, content-addressed package for an agent the way there is for a container image — so “here is the agent” usually means “here is some code, trust us.”
- Boundaries fail open. When a platform cannot enforce a control an agent assumed, the agent often runs anyway, quietly less safe than intended.
The result: the same agent gets reimplemented per platform, its real privileges are unknowable, and nobody can sign off on it before it runs.
What agentrc solves
agentrc introduces one reviewable file and one portable package that make an agent’s contract explicit and enforceable:
- One declaration, any runner. An Agentfile describes a single agent — its entrypoint, tools, mounts, network, credentials, and policy — independent of where it runs. Define once; run on Docker, gVisor, Firecracker, a cloud job, or a local process.
- Security by declaration. Every capability and boundary is written down explicitly. There is no ambient authority: undeclared access is denied by default, and policy travels with the package.
- Fail closed, not open. A conforming runner must enforce the boundaries it claims to support — or refuse to run. Unsupported security controls cause failure, never silent weakening.
- Portable, signable packages. Resolved dependencies are pinned in a lockfile and bundled into an OCI-compatible, content-addressed package that can be signed, inspected, and shared like a container image.
- Reviewable governance. Boundaries are expressed as machine-evaluable Cedar policy, so a security reviewer — or a registry — can inspect exactly what an agent may do before it executes.
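The fail-closed and deny-by-default rules above, sketched as an added example (not code from the agentrc project): a hypothetical runner admission check that reads only the directive forms listed in the standards table on this page and refuses to run when a declared boundary maps to a control it does not support. The control names, the `required_controls` and `admit` helpers, and the sample Agentfile fragment are assumptions made for illustration.

```python
# Added example, not agentrc code; control names below are hypothetical.
BLOCKS = {"POLICY": "policy.cedar", "SOP": "sop"}   # bodies closed by END
LINES = {"MCP": "mcp", "SKILL": "skill"}

class RefuseToRun(Exception):
    """Raised instead of running with a weakened or unknown boundary."""

def required_controls(agentfile):
    """Return the set of controls a runner must enforce for this declaration."""
    need, block = set(), None
    for n, line in enumerate(map(str.strip, agentfile.splitlines()), 1):
        word, _, arg = line.partition(" ")
        if block:                          # inside POLICY/SOP: skip body until END
            block = None if line == "END" else block
        elif not word:
            continue
        elif word in BLOCKS:
            block = word
            need.add(BLOCKS[word])
        elif word in LINES and arg:
            need.add(LINES[word])
        elif word == "TOOL" and ":" in arg:
            need.add("tool." + arg.split(":", 1)[0])   # utcp or mcp namespace
        elif word == "CRED":
            parts = arg.split()
            if len(parts) != 3 or not parts[2].startswith("host:"):
                raise RefuseToRun(f"line {n}: CRED must be host-scoped")
            need.add("cred.host-scoped")
        else:                              # anything unrecognized is denied
            raise RefuseToRun(f"line {n}: unrecognized directive {line!r}")
    if block:
        raise RefuseToRun(f"unterminated {block} block")
    return need

def admit(agentfile, supported):
    """Fail closed: run only if every required control is supported."""
    missing = required_controls(agentfile) - set(supported)
    if missing:
        raise RefuseToRun("unsupported controls: " + ", ".join(sorted(missing)))
    return True

SAMPLE = """\
TOOL utcp:weather
MCP files
CRED weather_key env:WEATHER_KEY host:api.example.com
POLICY
permit(principal, action, resource);
END
"""  # constructed Agentfile fragment, not taken from the specification
```

A runner that cannot evaluate Cedar policy would omit `policy.cedar` from `supported`, and `admit` raises `RefuseToRun` rather than starting the agent without the policy.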
Who it is for
| You are… | agentrc lets you… |
|---|---|
| An agent developer | Define an agent once and have it run across runtimes without rewriting it. |
| A security or compliance reviewer | Read one file to see — and sign off on — exactly what an agent may access. |
| A platform / runner author | Consume a neutral spec instead of inventing your own agent format. |
| A registry maintainer | Distribute agents, bases, tools, and policies as signed, inspectable artifacts. |
Standards agentrc builds on
agentrc is deliberately a thin governance layer over proven, open standards rather than a reinvention of them:
| Concern | agentrc uses | Namespace / form |
|---|---|---|
| Tools | Universal Tool Calling Protocol (UTCP) — call tools over their native endpoints without a wrapper | TOOL utcp:<name> |
| MCP servers | Model Context Protocol (MCP) — the open protocol for model/tool context | MCP <name>, TOOL mcp:<name> |
| Policy | Cedar — the open authorization policy language from AWS | POLICY … END (Cedar syntax) |
| Instructions | Agent SOP — natural-language, RFC-2119-constrained operating procedures | SOP … END |
| Skills | Agent Skills — the open SKILL.md format | SKILL <name> |
| Secrets | microsandbox — host-scoped placeholder substitution | CRED <name> <src> host:<host> |
| Packaging | OCI — content-addressed, signable artifacts | vnd.agentrc.* media types |
agentrc declares and governs these; it does not replace any of them.
What agentrc is not
To stay useful to every runtime instead of competing with them, agentrc deliberately does not define a runtime, a sandbox, a model API, an agent framework, a tool-call wire protocol, or a proprietary registry. See Non-goals for the full list.
Where to go next
- Quickstart — write and validate your first Agentfile.
- Specification — the full working draft.
- Core profile — the minimal normative directive set.
- Security — how declarative boundaries are enforced.