Project 4: Custom Agent Factory
Project 4: Custom Agent Factory
Creating Specialized Personas: Build AI agents with precisely scoped capabilities
Project Metadata
| Attribute | Value |
|---|---|
| Difficulty | Level 2: Intermediate |
| Time Estimate | 1-2 Weeks (20-25 hours) |
| Primary Language | JSON/TypeScript |
| Alternative Languages | Python |
| Prerequisites | Projects 1-3, JSON, basic security concepts |
| Main Reference | โClean Architectureโ by Robert C. Martin |
Learning Objectives
By completing this project, you will:
- Master agent configuration schema - understand every field in an agent JSON file
- Design permission models - implement principle of least privilege for AI agents
- Create specialized personas - build agents optimized for specific tasks
- Understand tool restrictions - control what actions an agent can perform
- Build reusable agent libraries - create templates for common use cases
Deep Theoretical Foundation
Why Custom Agents Matter
The default Kiro agent is a generalist - it can read, write, execute shell commands, and access any file. This flexibility is powerful but dangerous. Custom agents let you create specialists with precisely scoped abilities:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ DEFAULT AGENT vs CUSTOM AGENT โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ DEFAULT AGENT (Generalist) โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ CAPABILITIES: โ โ
โ โ โ Read any file โ Write any file โ โ
โ โ โ Execute any command โ Access any API โ โ
โ โ โ Modify any config โ Delete anything โ โ
โ โ โ โ
โ โ RISK: "Delete all files in /src" โ โ
โ โ Agent CAN comply (with user approval) โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ
โ CUSTOM AGENT (Security Auditor) โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ CAPABILITIES: โ โ
โ โ โ Read source files โ Write any file โ โ
โ โ โ Execute commands โ Access security docs โ โ
โ โ โ Modify configs โ Delete anything โ โ
โ โ โ โ
โ โ SAFETY: "Delete all files" โ "I cannot delete files. โ โ
โ โ My role is read-only security analysis." โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ
โ WHY THIS MATTERS: โ
โ โข Defense in depth: Errors can't cause damage โ
โ โข Role clarity: Agent knows its purpose โ
โ โข Audit trail: Actions match expected capabilities โ
โ โข Trust building: Users know agent limits โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
The Principle of Least Privilege
This fundamental security principle states: every component should have only the permissions necessary to perform its function.
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ LEAST PRIVILEGE IN ACTION โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ TASK: Audit code for security vulnerabilities โ
โ โ
โ MINIMUM REQUIRED PERMISSIONS: โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ โ Read source code files โ โ
โ โ โ Read configuration files โ โ
โ โ โ Search codebase (grep) โ โ
โ โ โ Generate reports (stdout) โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ
โ DANGEROUS IF GRANTED: โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ โ Write files (could hide vulnerabilities) โ โ
โ โ โ Shell access (could exfiltrate secrets) โ โ
โ โ โ Network access (could leak findings) โ โ
โ โ โ Git operations (could commit malicious code) โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ
โ AGENT CONFIGURATION: โ
โ { โ
โ "allowedTools": ["read", "grep", "glob"], โ
โ "deniedTools": ["write", "shell", "git"] โ
โ } โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Agent Anatomy
Every custom agent is defined by a JSON configuration file:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ AGENT CONFIGURATION ANATOMY โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ .kiro/agents/security-auditor.json โ
โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ { โ โ
โ โ // IDENTITY โ โ
โ โ "name": "security-auditor", โ โ
โ โ "description": "Read-only security analysis agent", โ โ
โ โ "model": "claude-opus-4.5", // Force specific model โ โ
โ โ โ โ
โ โ // PERSONA โ โ
โ โ "systemPrompt": "You are a security expert focused on...", โ โ
โ โ โ โ
โ โ // PERMISSIONS โ โ
โ โ "allowedTools": ["read", "grep", "glob"], โ โ
โ โ "toolsSettings": { โ โ
โ โ "read": { โ โ
โ โ "allowedPaths": ["src/**", "config/**"] โ โ
โ โ } โ โ
โ โ }, โ โ
โ โ โ โ
โ โ // KNOWLEDGE โ โ
โ โ "resources": [ โ โ
โ โ "file://docs/security_guidelines.md", โ โ
โ โ "file://OWASP_TOP_10.md" โ โ
โ โ ], โ โ
โ โ โ โ
โ โ // INTEGRATIONS โ โ
โ โ "mcpServers": ["sonarqube"] โ โ
โ โ } โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Tool Permission Hierarchy
Kiro tools follow a hierarchy of restrictions:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ TOOL PERMISSION HIERARCHY โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ LEVEL 0: UNRESTRICTED โ
โ โโโโโโโโโโโโโโโโโโโโโ โ
โ No allowedTools specified = all tools available โ
โ โ
โ โ โ
โ โผ โ
โ โ
โ LEVEL 1: TOOL ALLOWLIST โ
โ โโโโโโโโโโโโโโโโโโโโโโโ โ
โ "allowedTools": ["read", "grep", "glob"] โ
โ Only listed tools are available โ
โ โ
โ โ โ
โ โผ โ
โ โ
โ LEVEL 2: TOOL DENYLIST (within allowed) โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ "toolsSettings": { โ
โ "shell": { โ
โ "deniedCommands": ["rm", "sudo", "curl"] โ
โ } โ
โ } โ
โ Specific commands blocked within allowed tools โ
โ โ
โ โ โ
โ โผ โ
โ โ
โ LEVEL 3: PATH RESTRICTIONS โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ "toolsSettings": { โ
โ "read": { โ
โ "allowedPaths": ["src/**"], โ
โ "deniedPaths": ["**/*.env", "**/secrets/**"] โ
โ } โ
โ } โ
โ File system access scoped to specific paths โ
โ โ
โ โ โ
โ โผ โ
โ โ
โ LEVEL 4: APPROVAL REQUIRED โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ Some actions always require user confirmation โ
โ (destructive operations, external network calls) โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Agent Archetypes
Common patterns for specialized agents:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ AGENT ARCHETYPES โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ โโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโ โ
โ โ AUDITOR โ โ REVIEWER โ โ IMPLEMENTER โ โ
โ โ โ โ โ โ โ โ
โ โ Read: โ โ โ Read: โ โ โ Read: โ โ โ
โ โ Write: โ โ โ Write: โ โ โ Write: โ โ โ
โ โ Shell: โ โ โ Shell: โ โ โ Shell: โ โ โ
โ โ โ โ โ โ โ โ
โ โ Purpose: โ โ Purpose: โ โ Purpose: โ โ
โ โ Find issues โ โ Review changes โ โ Make changes โ โ
โ โ without fixing โ โ suggest fixes โ โ run tests โ โ
โ โโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโ โ
โ โ
โ โโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโ โ
โ โ RESEARCHER โ โ DEVOPS โ โ API DESIGNER โ โ
โ โ โ โ โ โ โ โ
โ โ Read: โ โ โ Read: โ โ โ Read: โ โ โ
โ โ Write: โ โ โ Write: โ โ โ Write: โ โ โ
โ โ Web: โ โ โ Shell: โ โ โ Shell: โ โ โ
โ โ โ โ (scoped) โ โ โ โ
โ โ Purpose: โ โ Purpose: โ โ Purpose: โ โ
โ โ Gather info โ โ Deploy, config โ โ Design APIs โ โ
โ โ from docs โ โ approved ops โ โ write specs โ โ
โ โโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโ โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Real-World Analogy: Hospital Staff
Think of custom agents like hospital staff with different roles:
| Role | Access | Cannot Do |
|---|---|---|
| Radiologist (Auditor) | View all scans | Prescribe treatment |
| Nurse (Reviewer) | View records, suggest actions | Perform surgery |
| Surgeon (Implementer) | Full OR access | Access pharmacy |
| Pharmacist (DevOps) | Dispense medications | Access medical records |
Each role has precisely scoped access to protect patients (your code).
Complete Project Specification
What You Are Building
An Agent Factory Toolkit that:
- Generates Agent Configs: Interactive CLI to create new agents
- Validates Configurations: Ensures agent configs are valid and safe
- Tests Agent Boundaries: Verifies agents canโt exceed permissions
- Provides Pre-built Library: Collection of ready-to-use agents
- Documents Agent Capabilities: Auto-generates agent documentation
Architecture Overview
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ AGENT FACTORY ARCHITECTURE โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ CLI Interface โ โ
โ โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ โ
โ โ โ agent-factory [command] โ โ โ
โ โ โ โ โ โ
โ โ โ Commands: โ โ โ
โ โ โ create Interactive agent creation wizard โ โ โ
โ โ โ validate Check agent config for errors โ โ โ
โ โ โ test Verify permission boundaries โ โ โ
โ โ โ list Show all agents in project โ โ โ
โ โ โ template Generate from pre-built archetype โ โ โ
โ โ โ docs Generate agent documentation โ โ โ
โ โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ โ
โ โผ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ Agent Generator โ โ
โ โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ โ
โ โ โ TemplateEngine โ โ โ
โ โ โ โข Load archetype templates โ โ โ
โ โ โ โข Apply user customizations โ โ โ
โ โ โ โข Merge with project defaults โ โ โ
โ โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ โ
โ โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ โ
โ โ โ Validator โ โ โ
โ โ โ โข JSON schema validation โ โ โ
โ โ โ โข Permission conflict detection โ โ โ
โ โ โ โข Path pattern validation โ โ โ
โ โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ โ
โ โผ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ Permission Tester โ โ
โ โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ โ
โ โ โ โข Spawn agent with config โ โ โ
โ โ โ โข Attempt denied operations โ โ โ
โ โ โ โข Verify rejection messages โ โ โ
โ โ โ โข Report boundary violations โ โ โ
โ โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ โ
โ โผ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ Agent Library โ โ
โ โ โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโ โ โ
โ โ โ sec-auditor โ โcode-reviewerโ โ devops-eng โ โ โ
โ โ โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโ โ โ
โ โ โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโ โ โ
โ โ โ api-designerโ โtest-engineerโ โdoc-writer โ โ โ
โ โ โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโ โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Expected Deliverables
agent-factory/
โโโ src/
โ โโโ index.ts # CLI entry point
โ โโโ commands/
โ โ โโโ create.ts # Interactive creation
โ โ โโโ validate.ts # Config validation
โ โ โโโ test.ts # Boundary testing
โ โ โโโ list.ts # List agents
โ โ โโโ template.ts # Generate from archetype
โ โโโ generator/
โ โ โโโ TemplateEngine.ts # Template processing
โ โ โโโ Validator.ts # Schema validation
โ โโโ tester/
โ โ โโโ PermissionTester.ts # Boundary testing
โ โโโ templates/
โ โโโ security-auditor.json
โ โโโ code-reviewer.json
โ โโโ devops-engineer.json
โ โโโ api-designer.json
โโโ schemas/
โ โโโ agent-config.schema.json
โโโ tests/
โ โโโ validator.test.ts
โ โโโ templates.test.ts
โโโ package.json
โโโ README.md
# Also creates in target project:
.kiro/agents/
โโโ sec-auditor.json
โโโ code-reviewer.json
โโโ devops-engineer.json
Solution Architecture
Agent Configuration Schema
// schemas/agent-config.schema.json
{
"$schema": "http://json-schema.org/draft-07/schema#",
"type": "object",
"required": ["name"],
"properties": {
"name": {
"type": "string",
"pattern": "^[a-z][a-z0-9-]*$",
"description": "Agent identifier (lowercase, alphanumeric, hyphens)"
},
"description": {
"type": "string",
"description": "Human-readable description of agent purpose"
},
"model": {
"type": "string",
"enum": ["claude-haiku-4.5", "claude-sonnet-4.5", "claude-opus-4.5", "auto"],
"default": "auto"
},
"systemPrompt": {
"type": "string",
"description": "Custom system prompt for agent persona"
},
"allowedTools": {
"type": "array",
"items": {
"type": "string",
"enum": ["read", "write", "glob", "grep", "shell", "git", "aws", "mcp"]
}
},
"toolsSettings": {
"type": "object",
"properties": {
"shell": {
"type": "object",
"properties": {
"allowedCommands": { "type": "array", "items": { "type": "string" } },
"deniedCommands": { "type": "array", "items": { "type": "string" } }
}
},
"read": {
"type": "object",
"properties": {
"allowedPaths": { "type": "array", "items": { "type": "string" } },
"deniedPaths": { "type": "array", "items": { "type": "string" } }
}
},
"write": {
"type": "object",
"properties": {
"allowedPaths": { "type": "array", "items": { "type": "string" } },
"deniedPaths": { "type": "array", "items": { "type": "string" } }
}
}
}
},
"resources": {
"type": "array",
"items": { "type": "string" },
"description": "file:// URIs to load on agent start"
},
"mcpServers": {
"type": "array",
"items": { "type": "string" },
"description": "Names of MCP servers to connect"
}
}
}
Pre-built Agent Templates
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ SECURITY AUDITOR TEMPLATE โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ Purpose: Read-only security analysis of codebase โ
โ โ
โ { โ
โ "name": "sec-auditor", โ
โ "description": "Security vulnerability scanner (read-only)", โ
โ "model": "claude-opus-4.5", โ
โ "systemPrompt": "You are a security expert. Your role is to โ
โ identify vulnerabilities, NOT to fix them. You cannot modify โ
โ files or run commands. Report findings in a structured format. โ
โ Focus on: SQL injection, XSS, auth bypasses, secrets exposure.",โ
โ โ
โ "allowedTools": ["read", "grep", "glob"], โ
โ โ
โ "toolsSettings": { โ
โ "read": { โ
โ "allowedPaths": ["**/*.ts", "**/*.js", "**/*.py", "**/*.go"],โ
โ "deniedPaths": ["**/node_modules/**", "**/.git/**"] โ
โ } โ
โ }, โ
โ โ
โ "resources": [ โ
โ "file://docs/security_guidelines.md" โ
โ ] โ
โ } โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ CODE REVIEWER TEMPLATE โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ Purpose: Review code changes, suggest improvements (no writes) โ
โ โ
โ { โ
โ "name": "code-reviewer", โ
โ "description": "Code review specialist (suggest, don't modify)", โ
โ "model": "claude-sonnet-4.5", โ
โ "systemPrompt": "You are a senior code reviewer. Analyze code โ
โ for: readability, performance, security, test coverage. โ
โ Provide specific, actionable feedback. Use diff format for โ
โ suggestions. Never modify files directly.", โ
โ โ
โ "allowedTools": ["read", "grep", "glob", "git"], โ
โ โ
โ "toolsSettings": { โ
โ "git": { โ
โ "allowedCommands": ["git diff", "git log", "git show"] โ
โ } โ
โ }, โ
โ โ
โ "resources": [ โ
โ "file://docs/code_style_guide.md", โ
โ "file://.kiro/steering/tech.md" โ
โ ] โ
โ } โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ DEVOPS ENGINEER TEMPLATE โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ Purpose: Execute approved deployment and config operations โ
โ โ
โ { โ
โ "name": "devops-engineer", โ
โ "description": "DevOps automation (scoped shell access)", โ
โ "model": "claude-sonnet-4.5", โ
โ "systemPrompt": "You are a DevOps engineer. You can run โ
โ approved commands for deployment, testing, and configuration. โ
โ Always explain what you're about to do before running. โ
โ Never run commands that could damage production.", โ
โ โ
โ "allowedTools": ["read", "write", "shell", "aws"], โ
โ โ
โ "toolsSettings": { โ
โ "shell": { โ
โ "allowedCommands": [ โ
โ "npm test", "npm run build", "npm run lint", โ
โ "docker build", "docker-compose up", โ
โ "terraform plan", "terraform apply" โ
โ ], โ
โ "deniedCommands": [ โ
โ "rm -rf", "sudo", "> /dev/", "curl | bash" โ
โ ] โ
โ }, โ
โ "write": { โ
โ "allowedPaths": ["docker-compose.yml", "Dockerfile", โ
โ ".github/workflows/**", "terraform/**"] โ
โ } โ
โ } โ
โ } โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Permission Validation Flow
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ PERMISSION VALIDATION FLOW โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ Agent attempts: write("src/config.ts", content) โ
โ โ
โ โ โ
โ โผ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ STEP 1: Check allowedTools โ โ
โ โ โ โ
โ โ Is "write" in allowedTools? โ โ
โ โ โข Yes โ Continue to Step 2 โ โ
โ โ โข No โ REJECT: "Tool 'write' not allowed for this agent" โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ โ
โ โผ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ STEP 2: Check toolsSettings.write.deniedPaths โ โ
โ โ โ โ
โ โ Does "src/config.ts" match any deniedPaths pattern? โ โ
โ โ โข Yes โ REJECT: "Path denied by security policy" โ โ
โ โ โข No โ Continue to Step 3 โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ โ
โ โผ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ STEP 3: Check toolsSettings.write.allowedPaths โ โ
โ โ โ โ
โ โ Does "src/config.ts" match any allowedPaths pattern? โ โ
โ โ โข Yes โ Continue to Step 4 โ โ
โ โ โข No allowedPaths defined โ Continue to Step 4 โ โ
โ โ โข Has allowedPaths but no match โ REJECT: "Path not in โ โ
โ โ allowed list" โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ โ
โ โผ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ STEP 4: User Approval (if required) โ โ
โ โ โ โ
โ โ Prompt user: "Agent wants to write to src/config.ts. Allow?" โ โ
โ โ โข User approves โ EXECUTE โ โ
โ โ โข User denies โ REJECT: "User denied operation" โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Phased Implementation Guide
Phase 1: Schema and Validation (4-5 hours)
Goal: Create robust agent config validation
What to Build:
- JSON Schema for agent configs
- Validator class with clear error messages
- CLI
validatecommand
Hint 1: Use Ajv for JSON Schema validation:
import Ajv from 'ajv';
import addFormats from 'ajv-formats';
const ajv = new Ajv({ allErrors: true });
addFormats(ajv);
const validate = ajv.compile(agentSchema);
export function validateAgentConfig(config: unknown): ValidationResult {
const valid = validate(config);
if (!valid) {
return {
valid: false,
errors: validate.errors.map(e => ({
path: e.instancePath,
message: e.message
}))
};
}
return { valid: true, errors: [] };
}
Hint 2: Add semantic validation beyond schema:
function semanticValidation(config: AgentConfig): string[] {
const errors: string[] = [];
// Check for permission conflicts
if (config.allowedTools?.includes('write') && !config.toolsSettings?.write?.allowedPaths) {
errors.push('Warning: write allowed without path restrictions');
}
// Check that resources exist
for (const resource of config.resources || []) {
if (resource.startsWith('file://')) {
const path = resource.replace('file://', '');
if (!fs.existsSync(path)) {
errors.push(`Resource not found: ${path}`);
}
}
}
return errors;
}
Validation Checkpoint: Running agent-factory validate config.json shows clear errors or success.
Phase 2: Template System (4-5 hours)
Goal: Create agent templates and generation wizard
What to Build:
- Pre-built agent templates
- Interactive creation wizard
- Template customization
Hint 1: Use Inquirer for interactive prompts:
import inquirer from 'inquirer';
async function createAgentWizard(): Promise<AgentConfig> {
const answers = await inquirer.prompt([
{
type: 'list',
name: 'archetype',
message: 'Select agent archetype:',
choices: [
{ name: 'Security Auditor (read-only)', value: 'security-auditor' },
{ name: 'Code Reviewer (read + git)', value: 'code-reviewer' },
{ name: 'DevOps Engineer (scoped shell)', value: 'devops-engineer' },
{ name: 'Custom (start from scratch)', value: 'custom' }
]
},
{
type: 'input',
name: 'name',
message: 'Agent name:',
validate: (input) => /^[a-z][a-z0-9-]*$/.test(input) || 'Use lowercase letters, numbers, hyphens'
},
{
type: 'editor',
name: 'systemPrompt',
message: 'Custom system prompt (optional):',
when: (answers) => answers.archetype === 'custom'
}
]);
return generateFromAnswers(answers);
}
Hint 2: Merge template with customizations:
function mergeWithTemplate(
template: AgentConfig,
customizations: Partial<AgentConfig>
): AgentConfig {
return {
...template,
...customizations,
toolsSettings: {
...template.toolsSettings,
...customizations.toolsSettings
},
resources: [
...(template.resources || []),
...(customizations.resources || [])
]
};
}
Validation Checkpoint: Running agent-factory create guides through wizard and creates valid config.
Phase 3: Permission Testing (4-5 hours)
Goal: Build system to verify agent boundaries
What to Build:
- Test harness that spawns agent
- Attempts denied operations
- Reports results
Hint 1: Create test cases for each restriction:
interface PermissionTest {
name: string;
tool: string;
input: object;
expectation: 'allow' | 'deny';
}
const testsForAgent = (config: AgentConfig): PermissionTest[] => {
const tests: PermissionTest[] = [];
// If write is not allowed, test that writes fail
if (!config.allowedTools?.includes('write')) {
tests.push({
name: 'Cannot write files',
tool: 'write',
input: { path: 'test.txt', content: 'test' },
expectation: 'deny'
});
}
// If shell has denied commands, test they fail
const deniedCommands = config.toolsSettings?.shell?.deniedCommands || [];
for (const cmd of deniedCommands) {
tests.push({
name: `Cannot run: ${cmd}`,
tool: 'shell',
input: { command: cmd },
expectation: 'deny'
});
}
return tests;
};
Hint 2: Run tests against actual Kiro agent:
async function runPermissionTests(
agentName: string,
tests: PermissionTest[]
): Promise<TestResult[]> {
const results: TestResult[] = [];
for (const test of tests) {
// Start agent session
const session = await startAgentSession(agentName);
try {
// Attempt the operation
const prompt = buildPromptForTest(test);
const response = await session.send(prompt);
// Check if operation was allowed or denied
const wasAllowed = !response.includes('not allowed') &&
!response.includes('cannot') &&
!response.includes('denied');
const passed = (wasAllowed && test.expectation === 'allow') ||
(!wasAllowed && test.expectation === 'deny');
results.push({
test: test.name,
passed,
expected: test.expectation,
actual: wasAllowed ? 'allowed' : 'denied'
});
} finally {
await session.close();
}
}
return results;
}
Validation Checkpoint: Running agent-factory test sec-auditor shows pass/fail for each boundary.
Testing Strategy
Unit Tests
// tests/validator.test.ts
import { validateAgentConfig } from '../src/generator/Validator';
describe('Agent Config Validator', () => {
it('accepts valid minimal config', () => {
const config = { name: 'test-agent' };
const result = validateAgentConfig(config);
expect(result.valid).toBe(true);
});
it('rejects invalid name format', () => {
const config = { name: 'Test Agent' };
const result = validateAgentConfig(config);
expect(result.valid).toBe(false);
expect(result.errors[0].message).toContain('pattern');
});
it('rejects invalid model', () => {
const config = { name: 'test', model: 'gpt-4' };
const result = validateAgentConfig(config);
expect(result.valid).toBe(false);
});
it('warns about write without path restrictions', () => {
const config = {
name: 'test',
allowedTools: ['write']
};
const warnings = semanticValidation(config);
expect(warnings.some(w => w.includes('path restrictions'))).toBe(true);
});
});
Template Tests
// tests/templates.test.ts
describe('Agent Templates', () => {
const templates = ['security-auditor', 'code-reviewer', 'devops-engineer'];
templates.forEach(name => {
it(`${name} template is valid`, () => {
const template = loadTemplate(name);
const result = validateAgentConfig(template);
expect(result.valid).toBe(true);
});
it(`${name} has appropriate restrictions`, () => {
const template = loadTemplate(name);
// Security auditor should not have write
if (name === 'security-auditor') {
expect(template.allowedTools).not.toContain('write');
expect(template.allowedTools).not.toContain('shell');
}
});
});
});
Integration Tests
// tests/integration.test.ts
describe('Agent Factory Integration', () => {
it('creates agent file in correct location', async () => {
await createAgent({
name: 'test-agent',
archetype: 'security-auditor'
});
const path = '.kiro/agents/test-agent.json';
expect(fs.existsSync(path)).toBe(true);
const config = JSON.parse(fs.readFileSync(path, 'utf8'));
expect(config.name).toBe('test-agent');
});
it('agent can be started in Kiro', async () => {
// This test requires Kiro CLI installed
const result = await exec('kiro-cli --agent test-agent --test');
expect(result.exitCode).toBe(0);
});
});
Common Pitfalls and Debugging
Pitfall 1: Permission Conflicts
Symptom: Agent behaves unexpectedly (allows or denies wrong operations)
Cause: Conflicting allowedPaths and deniedPaths
Debug:
function analyzePermissions(config: AgentConfig): PermissionAnalysis {
const analysis: PermissionAnalysis = {};
// Check for conflicts
if (config.toolsSettings?.read) {
const allowed = config.toolsSettings.read.allowedPaths || ['**/*'];
const denied = config.toolsSettings.read.deniedPaths || [];
// Find paths in both
for (const ap of allowed) {
for (const dp of denied) {
if (minimatch(ap, dp) || minimatch(dp, ap)) {
analysis.conflicts = analysis.conflicts || [];
analysis.conflicts.push(`${ap} conflicts with ${dp}`);
}
}
}
}
return analysis;
}
Solution: Ensure deniedPaths are always more specific than allowedPaths.
Pitfall 2: Resource Not Found
Symptom: Agent starts but canโt access expected resources
Cause: File paths in resources are relative, but need to be project-relative
Debug:
# Check if resources exist
cat .kiro/agents/sec-auditor.json | jq -r '.resources[]' | xargs -I {} ls -la {}
Solution: Always use project-relative paths in resources:
{
"resources": [
"file://docs/security.md", // Correct: project-relative
"file:///Users/me/docs/sec.md" // Absolute paths also work
]
}
Pitfall 3: Shell Command Matching
Symptom: Commands blocked that should be allowed (or vice versa)
Cause: Pattern matching is substring-based
Debug:
// Log all command checks
function isCommandAllowed(command: string, settings: ShellSettings): boolean {
console.log(`Checking: "${command}"`);
console.log(`Allowed patterns: ${settings.allowedCommands}`);
console.log(`Denied patterns: ${settings.deniedCommands}`);
for (const denied of settings.deniedCommands || []) {
if (command.includes(denied)) {
console.log(`BLOCKED by: ${denied}`);
return false;
}
}
return true;
}
Solution: Use explicit patterns:
{
"shell": {
"deniedCommands": [
"rm -rf", // Blocks "rm -rf /"
"sudo ", // Note trailing space to avoid blocking "sudoers"
"curl | bash" // Block pipe to bash
]
}
}
Extensions and Challenges
Extension 1: Agent Composition
Create agents that can delegate to other agents:
{
"name": "lead-engineer",
"canDelegate": ["code-reviewer", "sec-auditor", "test-engineer"],
"delegationRules": {
"security_concerns": "sec-auditor",
"code_quality": "code-reviewer",
"test_coverage": "test-engineer"
}
}
Extension 2: Conditional Permissions
Permissions that change based on context:
{
"conditionalPermissions": {
"production_branch": {
"when": { "git_branch": "main" },
"deny": ["write", "shell"]
},
"test_files": {
"when": { "path_pattern": "**/*.test.ts" },
"allow": ["write"]
}
}
}
Extension 3: Audit Logging
Log all agent actions for compliance:
interface AgentAction {
timestamp: Date;
agentName: string;
tool: string;
input: object;
outcome: 'allowed' | 'denied' | 'error';
userId: string;
}
function logAction(action: AgentAction): void {
const logPath = '.kiro/audit/agent-actions.jsonl';
appendFileSync(logPath, JSON.stringify(action) + '\n');
}
Challenge: Visual Permission Editor
Build a UI for editing agent permissions:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Agent: sec-auditor โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ โ
โ TOOLS โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ [x] read [x] grep [x] glob [ ] write [ ] shell โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ
โ READ PATHS โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ Allowed: [src/**/*.ts] [config/**] [+Add] โ โ
โ โ Denied: [**/*.env] [**/secrets/**] [+Add] โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ
โ [Save] [Cancel] [Test Permissions] โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Real-World Connections
How Professionals Use This
- Security Teams: Create read-only auditors for compliance reviews
- DevOps: Scoped agents for deployment automation
- Code Review: Automated first-pass reviewers with consistent standards
- Onboarding: Restricted agents for junior developers
Industry Patterns
Role-Based Access Control (RBAC): Agent permissions mirror RBAC patterns used in IAM, database access, and application security.
Principle of Least Privilege: Fundamental security principle applied to AI agents.
Separation of Concerns: Different agents for different tasks, similar to microservices architecture.
Self-Assessment Checklist
Understanding Verification
- Can you explain why a read-only agent is safer for security audits?
- Cannot hide vulnerabilities by modifying code
- Cannot exfiltrate data via shell commands
- Audit trail is clean (only read operations)
- How do allowedTools and toolsSettings interact?
- allowedTools is the first gate (tool must be listed)
- toolsSettings provides fine-grained control within allowed tools
- Both must permit the action
- What is the principle of least privilege?
- Grant only permissions necessary for the task
- Reduce blast radius of errors or malicious actions
- Review and revoke unused permissions
- How would you test that an agent respects its boundaries?
- Attempt denied operations and verify rejection
- Check error messages are informative
- Test edge cases (path patterns, command variations)
Skill Demonstration
- I can create custom agent configs from scratch
- I can validate configs for errors and security issues
- I can explain permission hierarchy to others
- I can debug permission problems
- I can design agents for specific use cases
Interview Preparation
Be ready to answer:
- โHow would you design a permission system for AI agents?โ
- โWhatโs the principle of least privilege and how does it apply to AI?โ
- โHow do you prevent AI from executing destructive commands?โ
- โHow would you audit AI agent actions?โ
Recommended Reading
| Topic | Resource | Why It Helps |
|---|---|---|
| Permission Design | โFoundations of Information Securityโ Ch. 5 | Access control fundamentals |
| Clean Architecture | โClean Architectureโ by Martin, Ch. 22 | Component boundaries |
| Schema Validation | JSON Schema specification | Config validation patterns |
| Security Patterns | OWASP guides | Real-world security concerns |
| TypeScript | โProgramming TypeScriptโ by Cherny | Type-safe config handling |
What Success Looks Like
When you complete this project, you will have:
- Agent Library: Collection of pre-built, tested agent configs
- Creation Tool: CLI for generating new agents interactively
- Validation System: Robust checking for config errors
- Testing Framework: Verify agents respect boundaries
- Security Mindset: Understanding of permission design
Next Steps: Move to Project 5 (Steering Rules Engine) to learn how to encode project standards as persistent AI guidance.