Reference copy. Generated from
AGENT_CONFIG.mdat the repository root. Edit the source file, not this copy.
AGENT_CONFIG — Runtime config reading protocol
This file documents config checks that agents perform at runtime — behavioural guards that cannot be baked in at prompt-load time.
Agent extensions (agents.extend) are applied at insight-flow init /
prompt-build time and are already present in your loaded prompt; you do not
need to read the config for them. See CLAUDE.md for examples.
GIT PERMISSIONS (agents.git.permissions)
Applies to: task-git only.
At the start of every task-git run:
- Extract permissions from config:
cat taskflow.config.json | node -e "const c = JSON.parse(require('fs').readFileSync('/dev/stdin','utf-8'));console.log(JSON.stringify(c?.agents?.git?.permissions ?? {}));"
- If the extracted permissions contain
remoteOps: "deny", treatpush,forcePush,deleteBranchRemote, andcreatePRasfalse— unless that flag is explicitly set totruein the same permissions object. Example:{ "remoteOps": "deny", "push": true }→pushis allowed;forcePush,deleteBranchRemote,createPRare blocked. - Before each operation, check the corresponding flag. If the flag is explicitly
false(or resolved tofalseviaremoteOpsin step 2), skip the operation and print:⛔ Blocked by config: agents.git.permissions.<key> = falseTo unblock: set "<key>": true in taskflow.config.json → agents.git.permissions. - If
agents.git.permissionsis absent, treat all flags astrue.
| Operation | Config key |
|---|---|
| remoteOps shorthand | remoteOps |
| git checkout -b | createBranch |
| git checkout | checkout |
| git commit | commit |
| git push / git push -u | push |
| git push --force | forcePush |
| git merge | merge |
| git branch -d | deleteBranchLocal |
| git push origin --delete | deleteBranchRemote |
| gh/glab pr/mr create | createPR |