# Runtime manifest schema > Draft design doc (2026-05-31). Resolves PRD §17.2. Implementation detail — see [`../CONTEXT.md`](../CONTEXT.md) for the model. Schema grounded in the sister project's actual functional surface. ## Principle **SPT is not a harness.** The manifest declares only what *varies per harness*. Command templates are **opaque strings** — spt-core never parses out a model, tool list, or flag; the adapter writes the full command line and spt-core just runs it with substitution keys filled. Anything spt-core owns (sentinels, spool/registry/perch schemas, the event-block vocabulary, the version-trampoline mechanism, config knobs) is **not** in the manifest. ## What is NOT in the manifest (spt-core-owned) - **Sentinels** (`.idle`-equiv, echo-gate) — managed by `api state`/`api echo-gate`; the adapter only *calls* them. - **Spool / registry / perch `info.json` / daemon-state schemas** — core. - **Event-block vocabulary** — the XML tags spt-core surfaces to agents (e.g. ``, ``-equivalent) are a **fixed, documented constant**, not configurable. Adapters pass spt-core's output through unchanged. - **File-drop filenames** — statically `-commune.md` / `-signoff.md`. Only the *watched directory* is declared (in `[session]`). - **Config knobs** (pulse period, echo-commune window, route-guard window, daily-refresh) — spt-core **global settings**, with optional **per-endpoint override** for endpoints with unique needs. Not per-adapter. - **Cross-adapter fallback** (psyche/echo invocation falls back to another adapter on rate-limit) — a **node-wide setting**, not a manifest field, because it references *multiple* adapters (under spt-core, `ccs` is its own adapter, not a binary-swap within one). Adapter-agnostic IDs make this safe — an endpoint's Psyche can run under a fallback adapter temporarily. - **Plugin-cache / version-trampoline layout** — none of SPT's concern. A CC-plugin adapter updates via `claude plugin update` (delegated command). ## Manifest sections ### `[adapter]` — header ```toml [adapter] name = "claude-spt" version = "2.0.0" min_spt_core_version = "1.0.0" # readable before any update; compat gate hostable_types = ["LiveAgent", "ReadyAgent", "Psyche", "Worker"] ``` ### `[hooks.]` — inbound hook table Per harness event: the `api` command it fires, the stdin fields it maps in, and its **output capability** — `can_inject` (whether this hook can surface context to the agent). When `can_inject = false`, spt-core falls back to a sentinel + relay/poll path instead of expecting injection. This is the load-bearing harness-varying fact (CC's Stop hook can't inject). ```toml [hooks.SessionStart] fires = "api seed --pid {parent_pid} --session-id {session_id} --adapter {adapter_name}" reads = ["session_id", "source", "agent_type"] can_inject = true # via additionalContext [hooks.Stop] fires = "api state idle" reads = [] can_inject = false # no hookSpecificOutput schema → sentinel/relay fallback ``` ### `[session.]` — outbound session role templates One opaque command template per role: `self`, `psyche_init`, `psyche_resume`, `echo_commune`, `signoff`, `notif`. Plus `cwd`, env inject/remove, detachment, and the recursion-guard env var. **Model, tools, flags, dir-grants all live inside `command`** — not as fields. ```toml [session.psyche_init] command = "claude -p --agents {agents_json} --agent owl-psyche --name {session_name} --model sonnet --fallback-model opus --effort medium --dangerously-skip-permissions --disable-slash-commands --tools Read,Edit,Write --output-format json" cwd = "{psyche_dir}" env_remove = ["OWL_SESSION_ID"] recursion_guard_env = "SPT_ECHO_COMMUNE" # set on summarizer children so their own hooks bail detach = true keys = ["agents_json", "session_name", "psyche_dir"] # substitution keys spt-core fills ``` (`psyche_resume` adds `{session_id}`; both carry the spt-core-owned `{psyche_prompt}`. `signoff` is a `psyche_resume` variant firing a final context-save. `echo_commune` is a cheap-model template consuming history.) `notif` is the **endpoint-native notification render** (ADR-0007's `notif_command` seam): an OS toast, a Shell `alert-symbol`, anything the adapter can run. Declared on harness-adapter **and** shell-adapter manifests; spawned **detached** when a notif surfaces at this endpoint, combinable with the agent-surface delivery (the typed `notify` envelope). Keys spt-core fills: `{notif_id}`, `{notif_from}`, `{notif_subnet}`, `{notif_body}`. ```toml [session.notif] command = "powershell -Command New-BurntToastNotification -Text '{notif_from}','{notif_body}'" keys = ["notif_id", "notif_from", "notif_subnet", "notif_body"] ``` ### `[env]` — env-var table Vars to inject/read, and **how**. With `spt` on PATH the table is small. The injection *channel* is asymmetric: **spt-hosted** sessions inherit env from the broker that spawns them (no channel needed); **harness-hosted** sessions need the harness's declared channel (the broker didn't spawn them). File-bridge-only-when-not-launcher, applied to env. ```toml [env.OWL_SESSION_ID] direction = "inject" value = "{session_id}" channel = "CLAUDE_ENV_FILE" # harness-hosted only; spt-hosted inherits from broker ``` ### `[history]` — transcript access Three strategies; pick one. Pull-based (spt-core asks) or push-based (adapter sends). ```toml [history] strategy = "fetcher" # fetcher | locate_normalize | native fetcher = "claude-spt-history --session {session_id}" # adapter binary emits normalized history # locate_normalize: locate_template + normalize_command # native: adapter pushes via `api history-log`; spt-core stores (also used for Shells) ``` ### `[inject]` — inject-input methods Per activity-state, any combination: `pty`, `hook`, `relay`, `http`. ```toml [inject] activity = ["hook"] # non-disruptive during work idle = ["pty", "hook"] ``` ### `[session]` watched dirs (file-drop) ```toml [session] commune_dir = ".claude" # watched for -commune.md (filename fixed by spt-core) signoff_dir = ".claude" # watched for -signoff.md ``` ### `[identity]` ```toml [identity] session_id_source = "post_spawn" # post_spawn | uuid_inject parent_ancestor_name = "claude" # process-tree anchor when session_id absent ``` ### `[pty_digest]` — live activity buffer patterns (ADR-0008) ```toml [pty_digest] input_pattern = "\\nUSER> " # user-input boundary (opens a span until the next match) agent_pattern = "\\nAGENT> " # agent-output boundary (opens a span until the next match) tool_patterns = [ # one regex per known tool; name `arg` (+ optional `name`) groups "(?PWrite)\\((?P[^)]*)\\)", "(?PBash)\\((?P[^)]*)\\)", ] catchall_pattern = "(?P[A-Z][a-zA-Z]+)\\((?P[^)]*)\\)" # optional: unknowable user tools window_turns = 3 # optional presentation override (last N user turns); default ~3 persist = false # opt-in Path-B "Option (C)" coarse activity log; off by default ``` The two boundary markers are **required** when the section is present (an empty boundary degenerates the stream to one undifferentiated span); `tool_patterns`, `catchall_pattern`, and `window_turns` are optional. The patterns are **opaque regex strings** spt-core compiles and runs — model/tool semantics live in the adapter, never spt-core. Presentation knobs other than `window_turns` (tool-arg truncation ~25 chars, ANSI stripping, the rolling scan-buffer cap) are spt-core-owned defaults: the template controls *extraction*, spt-core controls *presentation*. Two access modes ride the one R-TERM-3 session surface (raw bytes vs parsed digest = two channels): a **snapshot pull** (`spt digest `) and a **delta-stream** (`spt digest --follow` — only changed turns are pushed). Local addressing only; the qualified `[subnet:]id@node` cross-node form is **M4**. ### `[update]` — adapter self-update ```toml [update] avenue = "delegated" # delegated | file_pull command = "claude plugin update spt" # delegated # file_pull: repo + path_regex version_check = true # verify spt-core satisfies min_spt_core_version before/after uninstall = "claude plugin uninstall spt" # optional; mirror of install — runs on `adapter remove` once quiesced ``` `spt adapter add` reuses this section as the **install** mechanism (install is the first update; `--github ` fetches the manifest first, then installs via the declared `avenue`). `uninstall` (optional) is its inverse, fired by `spt adapter remove` (soft-deregister; runs when no instance is live under the adapter, or immediately with `--force`). Absent `uninstall` ⇒ spt-core's default cleanup (drop its copy for `file_pull`; for `delegated`, just deregister and leave the harness's own files). --- ## Shell adapters (`kind = "shell"`) A second kind of adapter. Provides a `Shell` endpoint (a driven surface) rather than hosting agents. Same file location (`adapters/`), different manifest body. ```toml [adapter] name = "GameRobot" kind = "shell" # vs "harness" version = "1.0.0" min_spt_core_version = "1.0.0" [shell] spawn = "gamerobot-shell --link {link_token}" # broker-launched; opaque command template ephemeral = false # manifest property, NOT an agent choice; ephemeral ⇒ no offline perch + no history retention broadcast = "subnet" # subnet | same-node | none command_receipt = "http" # http | stdin | relay (how it receives agent commands) pre_close = "park-and-save" # optional instruction sent to the binary on link-break close_timeout_ms = 3000 # graceful termination window before force-close persistent = true # auto-online whenever the owner endpoint is online wake_command = "gamerobot-waker --link {link_token}" # long-running wake-watcher run WHILE offline; exit(wake-opcode) ⇒ revive can_shutdown = false # if true, the shell may fire `api owner-shutdown` to suspend its owner directly require_approval = "none" # none | remembered | always — per-spawn user-approval gate (floor; node/endpoint may tighten) max_instances_per_owner = 4 # optional cap on existing instances per owner (online+offline both count); omit ⇒ unlimited over_cap = "reject" # reject | approve — at the cap: refuse, or require per-spawn approval beyond it (doesn't raise the cap) [shell.capabilities] # the command vocabulary (agent→shell) — the toolset move = { args = ["direction", "distance"] } gesture = { args = ["name"] } alert = { args = ["symbol"] } screenshot = {} [shell.sensory] # the sensory vocabulary (shell→agent, REST-only) types = ["image", "sound", "event"] # "event" = arbitrary descriptive payloads ``` The capability + sensory vocabularies live **here**, not on the perch — spt-core resolves them by `adapter_name`. Command-delivery (`command_receipt`) reuses the agent inject-input modes. The shell binary binds via `api bind` (type=Shell, owner from the link) and pushes sensory via `api emit --type `. **Sleep/wake:** when offline (+ `wake_command` set), spt-core runs the wake-watcher (mutually exclusive with the shell binary); `exit(wake-opcode)` → wake resolution; crash-exit → respawn with exponential backoff + give-up (until the next relink/launch). **The wake opcode is exit code 86.** The wake-watcher template shares the spawn template's substitution catalog (`{id}`, `{adapter_name}`, `{link_token}`), but its `{link_token}` is minted *unparked* — an offline link has no live credential (the close retired it); a waker wakes by exit code, never by driving the link. `persistent` auto-onlines the shell with its owner. `can_shutdown` authorizes `api owner-shutdown`. Cross-node *fresh-spawn* to wake an owner requires the owner's `shell_wake_spawn_anywhere` settings flag (pre-consent). **Instantiation governance:** `require_approval` gates `shell spawn` (reusing the consent grant store — `remembered` persists a grant via allow-always, `always` prompts every spawn); `max_instances_per_owner` + `over_cap` cap how many instances one owner may hold (online + offline both count toward the cap). An instance's **alias** is **not** a manifest field — it is per-instance runtime state on the shell perch's `info.json` (set at `shell spawn --alias` / `shell rename`), since the manifest describes the *adapter*, not individual instances. ## Worked example: `claude-spt` (today's behavior, expressed) Maps the sister project's actual surface onto the schema. | Concern | Today (modern SPT) | Manifest expression | |---|---|---| | 7 CC hooks | hooks.json → `owl.exe ` | `[hooks.*]` table; `Stop.can_inject=false` drives the echo-gate fallback | | Psyche init | `claude -p --agents … --model sonnet --fallback-model opus …` | `[session.psyche_init].command` (opaque) | | Psyche resume | `claude -p --resume --model sonnet …` | `[session.psyche_resume]` + `{session_id}` | | Echo-commune | `claude -p --model haiku --effort low …`, `OWL_ECHO_COMMUNE=1` guard | `[session.echo_commune]` + `recursion_guard_env` | | `ccs` fallback | tier-2 binary swap | **node-wide cross-adapter fallback** (not manifest; `ccs` is its own adapter) | | Transcript read | `.claude/projects//.jsonl` | `[history]` (fetcher or locate_normalize) | | Commune/signoff | `.claude/-commune.md` watched | `[session].commune_dir/signoff_dir`; filenames fixed | | Env | `$OWL`/`$LIVE`/`OWL_SESSION_ID` via `CLAUDE_ENV_FILE` | `[env]`; PATH removes most; channel only harness-hosted | | Identity | `OWL_SESSION_ID` + `claude.exe` ancestor walk | `[identity]` | | Update | (today: cplugs) | `[update] avenue="delegated" command="claude plugin update"` | | period / echo-window / route-guard / 24h refresh | hardcoded/flags | spt-core **global knobs** (per-endpoint override), not manifest | ## Open sub-items - Exact substitution-key catalog (which keys spt-core guarantees to fill per role). - TOML vs YAML final choice; schema-validation + helpful errors for adapter authors. - The fixed event-block vocabulary's final tag names (`` etc.). - Capability-declaration shape beyond `hostable_types` (per-type operation advertisement).