8bitAlex
diff --git a/‎llms.txt‎
Lines changed: 1 addition & 0 deletions b/‎llms.txt‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎schemas/raid-defs.schema.json‎
Lines changed: 29 additions & 0 deletions b/‎schemas/raid-defs.schema.json‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎site/docs/references/schema.mdx‎
Lines changed: 39 additions & 0 deletions b/‎site/docs/references/schema.mdx‎
Lines changed: 39 additions & 0 deletions
diff --git a/‎site/docs/usage/context.mdx‎
Lines changed: 27 additions & 2 deletions b/‎site/docs/usage/context.mdx‎
Lines changed: 27 additions & 2 deletions
diff --git a/‎site/docs/whats-new.mdx‎
Lines changed: 2 additions & 0 deletions b/‎site/docs/whats-new.mdx‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/internal/lib/agent.go‎
Lines changed: 29 additions & 0 deletions b/‎src/internal/lib/agent.go‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎src/internal/lib/agent_test.go‎
Lines changed: 120 additions & 0 deletions b/‎src/internal/lib/agent_test.go‎
Lines changed: 120 additions & 0 deletions
diff --git a/‎src/internal/lib/command.go‎
Lines changed: 5 additions & 1 deletion b/‎src/internal/lib/command.go‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎src/internal/lib/context.go‎
Lines changed: 45 additions & 0 deletions b/‎src/internal/lib/context.go‎
Lines changed: 45 additions & 0 deletions
@@ -23,6 +23,7 @@ Raid is written in Go, distributed as a single self-contained binary, and publis
 - [Tasks](https://raidcli.dev/docs/features/tasks): All 11 task types — Shell, Script, Set, Git, HTTP, Wait, Prompt, Confirm, Print, Template, Group
 - [Task groups](https://raidcli.dev/docs/features/task-groups): Reusable task sequences invoked by `ref`
 - [Variables](https://raidcli.dev/docs/features/variables): Variable scoping, substitution, defaults, and overrides
+- [Agent metadata on commands](https://raidcli.dev/docs/references/schema#agent-metadata): Optional `agent:` block (`safe`, `reads`, `writes`, `description`) so MCP clients can decide whether to auto-execute. Defaults to `safe: false` for commands without the block.
 
 ## Usage
 
 
@@ -547,6 +547,9 @@
                     "options": {
                         "$ref": "#/$defs/taskOptions"
                     },
+                    "agent": {
+                        "$ref": "#/$defs/commandAgent"
+                    },
                     "out": {
                         "type": "object",
                         "description": "Output configuration for the command",
@@ -634,6 +637,32 @@
             },
             "additionalProperties": false
         },
+        "commandAgent": {
+            "type": "object",
+            "description": "Agent-facing safety metadata for a command. MCP clients read this from the `raid://workspace/commands` resource to decide whether to auto-execute or require user confirmation. Absence of the block is equivalent to `{safe: false}` — agents should treat unannotated commands as requiring confirmation.",
+            "properties": {
+                "safe": {
+                    "type": "boolean",
+                    "description": "When true, the command is idempotent with no side effects and may be auto-executed by MCP clients. Defaults to false.",
+                    "default": false
+                },
+                "reads": {
+                    "type": "array",
+                    "items": {"type": "string"},
+                    "description": "Paths or globs the command reads. Informational only — raid does not parse or enforce these. Mirrors Claude Code's permission-model fields."
+                },
+                "writes": {
+                    "type": "array",
+                    "items": {"type": "string"},
+                    "description": "Paths or globs the command writes. Informational only — raid does not parse or enforce these."
+                },
+                "description": {
+                    "type": "string",
+                    "description": "Agent-facing description. Overrides the command's `usage` field in the MCP workspace resource when set."
+                }
+            },
+            "additionalProperties": false
+        },
         "verifyArray": {
             "type": "array",
             "description": "Declarative precondition checks. Each entry runs `tasks:` to assert a dependency or environmental precondition; if any task exits non-zero and `onFail:` is provided, raid runs the remediation once and re-runs `tasks:` exactly once. `raid doctor` runs every verify entry on the active profile and per-repo `raid.yaml` files and surfaces each as a finding (ok / warn / error). Keep checks small and fast: each entry is run on every doctor invocation.",
 
@@ -151,6 +151,7 @@ commands:
 | `flags` | list | No | Declared flags / options. See [Flags](#command-flags). |
 | [`tasks`](#task) | list | Yes | Task sequence to run |
 | [`options`](#options) | object | No | Shared options block. Same shape as on tasks. Fires once per command — independent of per-task `options`. |
+| [`agent`](#agent-metadata) | object | No | MCP-facing safety hint. Absence equates to `{safe: false}`. |
 | [`out`](#output) | object | No | Output configuration |
 
 Command names cannot shadow built-in names: `install`, `env`, `profile`, `doctor`.
@@ -180,6 +181,44 @@ Each entry under `flags` declares a long-form `--name` flag (and optionally a `-
 | `required` | bool | No | If true, cobra rejects the invocation when the flag is omitted. |
 | `default` | string \| bool \| int | No | Value used when the flag is omitted. Must match `type`. |
 
+### Agent metadata
+
+Optional `agent:` block on a command surfaces safety hints to MCP clients (the `raid context serve` agent toolkit). Clients read the resolved form from the [`raid://workspace/commands`](../usage/context#workspace-resources) resource and use it to decide whether to auto-execute a command or prompt the user for approval.
+
+**Default unsafe:** a command without an `agent:` block surfaces to MCP clients as `{safe: false}`. Existing config keeps its current "requires confirmation" semantics; opt commands in by setting `safe: true`.
+
+**Hint only:** raid does not gate execution on these fields. The agent client implements the policy.
+
+```yaml
+commands:
+  - name: test
+    usage: "Run unit tests"
+    tasks:
+      - type: Shell
+        cmd: "go test ./..."
+    agent:
+      safe: true
+      reads:  ["./..."]
+      writes: []
+      description: "Run the Go unit-test suite. Idempotent, no side effects."
+
+  - name: deploy
+    usage: "Deploy to production"
+    tasks:
+      - type: Shell
+        cmd: "./scripts/deploy.sh"
+    agent:
+      safe: false
+      description: "Deploys live infrastructure. Requires user confirmation."
+```
+
+| Field | Type | Required | Description |
+|---|---|---|---|
+| `safe` | bool | No | When `true`, the command is idempotent and free of side effects — MCP clients that respect the hint may auto-execute it. Defaults to `false`. |
+| `reads` | list&lt;string&gt; | No | Paths or globs the command reads. Informational only — raid does not parse or enforce these. |
+| `writes` | list&lt;string&gt; | No | Paths or globs the command writes. Informational only. |
+| `description` | string | No | Agent-facing description. Overrides `usage` in the MCP workspace resource when set. |
+
 ### Output
 
 When `out` is omitted, both stdout and stderr are shown. When `out` is present, only streams explicitly set to `true` are displayed. The `file` field writes all output to the specified path regardless of the `stdout`/`stderr` settings.
 
@@ -173,7 +173,7 @@ The same data the snapshot exposes statically is also available as a live [Model
 raid context serve   # blocks; intended to be launched by an MCP host
 ```
 
-### What's exposed
+### Workspace resources
 
 **Resources** — six `raid://workspace/*` URIs that mirror the static snapshot's `workspace` object. Each is fetched live on demand:
 
@@ -182,10 +182,35 @@ raid context serve   # blocks; intended to be launched by an MCP host
 | `raid://workspace/profile` | `text/plain` | Active profile name |
 | `raid://workspace/env` | `text/plain` | Active environment name |
 | `raid://workspace/repos` | `application/json` | Repositories with current git state |
-| `raid://workspace/commands` | `application/json` | User-defined raid commands |
+| `raid://workspace/commands` | `application/json` | User-defined raid commands, including [agent safety metadata](#agent-metadata-on-workspace-commands) |
 | `raid://workspace/recent` | `application/json` | Recent command invocations |
 | `raid://workspace/vars` | `application/json` | Persisted raid variables (`Set` task values + `RAID_REPO_*`). The server watches `~/.raid/vars` and reloads when another process modifies it, so reads are live across concurrent raid invocations. |
 
+#### Agent metadata on workspace commands
+
+Each entry in `raid://workspace/commands` carries an `agent` object so MCP clients can decide whether to auto-execute a command or prompt the user. `agent.safe` is always present in the JSON (no `omitempty`); a command authored without an [`agent:`](../references/schema#agent-metadata) block in the YAML surfaces here as `{"safe": false}`.
+
+```json
+{
+  "name": "test",
+  "description": "Run unit tests",
+  "agent": {
+    "safe": true,
+    "reads": ["./..."],
+    "description": "Run unit tests. Idempotent, no side effects."
+  }
+}
+```
+
+| Field | Always present | Description |
+|---|---|---|
+| `safe` | yes | `true` only when explicitly authored. Defaults to `false`. |
+| `reads` | no (omitted when empty) | Paths or globs the command reads. Informational. |
+| `writes` | no (omitted when empty) | Paths or globs the command writes. Informational. |
+| `description` | no (omitted when empty) | Agent-facing description. Falls back to the command's `usage` field when no explicit `agent.description` is set. |
+
+Raid never gates the `raid_run_task` tool on this metadata — it surfaces the hint and the client implements the policy.
+
 **Tools** — the canonical raid agent toolkit defined in [issue #45](https://github.com/8bitalex/raid/issues/45):
 
 | Tool | Purpose |
 
@@ -11,6 +11,8 @@ User-visible changes per release, latest first. For full commit history see the
 
 ## 0.14.0 — upcoming
 
+**Agent-oriented metadata on commands.** Commands now accept an optional `agent:` block (`safe`, `reads`, `writes`, `description`) so MCP clients can decide whether to auto-execute a command or prompt the user for approval. The `raid://workspace/commands` resource always emits `agent.safe` for every command — entries authored without an `agent:` block surface as `{safe: false}`, preserving the current "requires confirmation" semantics by default. The metadata is a hint: raid surfaces it; the agent client implements the policy. Both top-level profile commands and per-repo `raid.yaml` commands carry the metadata. See [Schema → Agent metadata](/docs/references/schema#agent-metadata) and [Context → Agent metadata on workspace commands](/docs/usage/context#agent-metadata-on-workspace-commands). Closes [#51](https://github.com/8bitAlex/raid/issues/51).
+
 **`raid doctor` runs `verify:` entries with self-heal.** Every `verify:` entry on the active profile and per-repo `raid.yaml` files now runs as part of `raid doctor` and produces its own finding: `ok` for a first-try pass, `warn` when the optional `onFail:` block recovered a failing precondition (the verify holds *now*, but didn't before — worth knowing), and `error` when the precondition can't be made to hold. Failures don't short-circuit subsequent entries, so a single `raid doctor` run reports the full picture. Doctor invokes the actual `tasks:` and `onFail:` blocks — any task type raid supports (shell, HTTP, Git, Template, Prompt/Confirm, SetVar, …), not just shell. Keep verify checks small and fast, since they'll run every time you (or CI, or an agent) checks raid's health. See [Doctor → Verify entries](/docs/usage/doctor#verify-entries). Closes [#42](https://github.com/8bitAlex/raid/issues/42).
 
 **Declarative `verify:` blocks.** Profiles and per-repo `raid.yaml`s now accept a top-level `verify:` list. Each entry runs `tasks:` to assert a precondition (a tool is installed, a port is reachable, a credentials file exists), and an optional `onFail:` remediation gets exactly one chance to fix things — if it succeeds, raid re-runs `tasks:` once and the verify is reported as remediated; otherwise it surfaces as a structured `VERIFY_FAILED` error. Verify entries share execution context with `install:` tasks (active env + raid vars + task options). `raid doctor` integration is now wired (see entry above). See [Schema → Verify](/docs/references/schema#verify). Closes [#38](https://github.com/8bitAlex/raid/issues/38).
 
@@ -0,0 +1,29 @@
+package lib
+
+// Agent is the optional safety / metadata hint on a user-defined
+// command. MCP clients read the resolved form (see WorkspaceAgent)
+// from the `raid://workspace/commands` resource and use it to decide
+// whether to auto-execute a command or prompt the user for approval.
+//
+// Raid never gates execution on Agent — it surfaces the hint and the
+// client implements the policy. Absence of the block is equivalent to
+// `{Safe: false}` so unannotated commands stay opt-in to automation.
+type Agent struct {
+	// Safe declares the command idempotent and side-effect free. MCP
+	// clients that respect the hint may auto-run safe commands; unsafe
+	// commands require explicit user approval. Defaults to false.
+	Safe bool `json:"safe" yaml:"safe"`
+	// Reads lists the paths or globs the command reads. Informational
+	// only — raid does not parse or enforce these. Mirrors Claude
+	// Code's permission-model fields so authors can reason about
+	// safety the same way across tools.
+	Reads []string `json:"reads,omitempty" yaml:"reads,omitempty"`
+	// Writes lists the paths or globs the command writes. Same
+	// semantics as Reads — informational, not enforced.
+	Writes []string `json:"writes,omitempty" yaml:"writes,omitempty"`
+	// Description is an agent-facing description of the command. When
+	// set, it overrides the command's `usage` field in the workspace
+	// resource — useful when the human-facing usage line is too terse
+	// to give an agent enough context to choose the command.
+	Description string `json:"description,omitempty" yaml:"description,omitempty"`
+}
@@ -0,0 +1,120 @@
+package lib
+
+import (
+	"encoding/json"
+	"reflect"
+	"strings"
+	"testing"
+)
+
+func TestResolveAgent_nilProducesSafeFalse(t *testing.T) {
+	got := resolveAgent(Command{Name: "lint", Usage: "Run linters"})
+	if got.Safe {
+		t.Errorf("Safe = true, want false for nil Agent")
+	}
+	if got.Description != "Run linters" {
+		t.Errorf("Description = %q, want fallback to Usage", got.Description)
+	}
+	if got.Reads != nil || got.Writes != nil {
+		t.Errorf("Reads/Writes = %v/%v, want nil for nil Agent", got.Reads, got.Writes)
+	}
+}
+
+func TestResolveAgent_safeTrueRoundTrips(t *testing.T) {
+	got := resolveAgent(Command{
+		Name:  "test",
+		Usage: "Run tests",
+		Agent: &Agent{Safe: true},
+	})
+	if !got.Safe {
+		t.Error("Safe = false, want true")
+	}
+}
+
+func TestResolveAgent_descriptionOverridesUsage(t *testing.T) {
+	got := resolveAgent(Command{
+		Name:  "deploy",
+		Usage: "deploy",
+		Agent: &Agent{Description: "Deploy the service to prod — destructive"},
+	})
+	if got.Description != "Deploy the service to prod — destructive" {
+		t.Errorf("Description = %q, want explicit override", got.Description)
+	}
+}
+
+func TestResolveAgent_emptyDescriptionFallsBackToUsage(t *testing.T) {
+	got := resolveAgent(Command{
+		Name:  "test",
+		Usage: "Run tests",
+		Agent: &Agent{Safe: true}, // Description left empty
+	})
+	if got.Description != "Run tests" {
+		t.Errorf("Description = %q, want fallback to Usage when Agent.Description empty", got.Description)
+	}
+}
+
+func TestResolveAgent_fallsBackToNameWhenUsageAndDescriptionEmpty(t *testing.T) {
+	// Schema only requires name+tasks, so a valid command can have neither
+	// usage nor agent.description. MCP clients still need a non-empty
+	// descriptor, so the command name is the last-resort fallback.
+	got := resolveAgent(Command{Name: "lint"})
+	if got.Description != "lint" {
+		t.Errorf("Description = %q, want fallback to Name", got.Description)
+	}
+
+	got = resolveAgent(Command{Name: "deploy", Agent: &Agent{Safe: false}})
+	if got.Description != "deploy" {
+		t.Errorf("Description = %q, want fallback to Name when Agent present but empty", got.Description)
+	}
+}
+
+func TestResolveAgent_readsWritesPreserved(t *testing.T) {
+	reads := []string{"src/**/*.go", "go.mod"}
+	writes := []string{"dist/"}
+	got := resolveAgent(Command{
+		Name:  "build",
+		Usage: "Build",
+		Agent: &Agent{Safe: false, Reads: reads, Writes: writes},
+	})
+	if !reflect.DeepEqual(got.Reads, reads) {
+		t.Errorf("Reads = %v, want %v", got.Reads, reads)
+	}
+	if !reflect.DeepEqual(got.Writes, writes) {
+		t.Errorf("Writes = %v, want %v", got.Writes, writes)
+	}
+}
+
+func TestWorkspaceAgent_JSONAlwaysEmitsSafeField(t *testing.T) {
+	// Public-contract assertion: even when the Command has no Agent block,
+	// the marshalled WorkspaceCommand must include "safe":false. MCP
+	// clients rely on reading agent.safe without checking presence first.
+	wc := WorkspaceCommand{
+		Name:        "lint",
+		Description: "Lint everything",
+		Agent:       resolveAgent(Command{Name: "lint", Usage: "Lint everything"}),
+	}
+	buf, err := json.Marshal(wc)
+	if err != nil {
+		t.Fatalf("Marshal: %v", err)
+	}
+	if !strings.Contains(string(buf), `"safe":false`) {
+		t.Errorf("JSON missing safe field: %s", buf)
+	}
+}
+
+func TestWorkspaceAgent_omitsEmptySlicesAndDescription(t *testing.T) {
+	// A nil-Agent command falls back to Usage for Description; Reads and
+	// Writes should be omitted from the JSON since they're nil.
+	wc := WorkspaceCommand{
+		Name:  "lint",
+		Agent: resolveAgent(Command{Name: "lint", Usage: "Lint"}),
+	}
+	buf, err := json.Marshal(wc)
+	if err != nil {
+		t.Fatalf("Marshal: %v", err)
+	}
+	got := string(buf)
+	if strings.Contains(got, "reads") || strings.Contains(got, "writes") {
+		t.Errorf("JSON should omit empty reads/writes: %s", got)
+	}
+}
@@ -20,7 +20,11 @@ type Command struct {
 	Flags   []Flag       `json:"flags,omitempty"`
 	Tasks   []Task       `json:"tasks"`
 	Options *TaskOptions `json:"options,omitempty"`
-	Out     *Output      `json:"out,omitempty"`
+	// Agent carries optional MCP-facing safety metadata. A nil Agent
+	// surfaces to MCP clients as `{safe: false}` so unannotated
+	// commands keep their "requires confirmation" semantics.
+	Agent *Agent  `json:"agent,omitempty"`
+	Out   *Output `json:"out,omitempty"`
 }
 
 // Arg declares a positional argument for a custom command. The supplied value
 
@@ -74,6 +74,50 @@ type WorkspaceCommand struct {
 	Name        string          `json:"name"`
 	Description string          `json:"description,omitempty"`
 	Steps       []WorkspaceStep `json:"steps,omitempty"`
+	// Agent is the resolved MCP-facing safety hint. Always emitted so
+	// clients can rely on `agent.safe` being present — a command with
+	// no `agent:` block in YAML surfaces as `{safe: false}`.
+	Agent WorkspaceAgent `json:"agent"`
+}
+
+// WorkspaceAgent is the wire form of Agent. `Safe` has no `omitempty`
+// so it's always present in the JSON, which is load-bearing for the
+// "default unsafe" contract — clients can read `agent.safe` without
+// distinguishing absence from `false`.
+type WorkspaceAgent struct {
+	Safe        bool     `json:"safe"`
+	Reads       []string `json:"reads,omitempty"`
+	Writes      []string `json:"writes,omitempty"`
+	Description string   `json:"description,omitempty"`
+}
+
+// resolveAgent flattens a Command's optional Agent block into the
+// always-emitted wire form. A nil Agent yields `{Safe: false}` with
+// Description falling back to the command's `usage`. When the block
+// is present, an empty Description still falls back to `usage` so
+// MCP clients always see a non-empty descriptor.
+func resolveAgent(cmd Command) WorkspaceAgent {
+	if cmd.Agent == nil {
+		return WorkspaceAgent{Description: descriptionFallback(cmd, "")}
+	}
+	return WorkspaceAgent{
+		Safe:        cmd.Agent.Safe,
+		Reads:       cmd.Agent.Reads,
+		Writes:      cmd.Agent.Writes,
+		Description: descriptionFallback(cmd, cmd.Agent.Description),
+	}
+}
+
+// descriptionFallback guarantees a non-empty descriptor for MCP clients:
+// agent.description → usage → command name.
+func descriptionFallback(cmd Command, desc string) string {
+	if desc != "" {
+		return desc
+	}
+	if cmd.Usage != "" {
+		return cmd.Usage
+	}
+	return cmd.Name
 }
 
 // WorkspaceStep describes one named task inside a command's task sequence.
@@ -133,6 +177,7 @@ func GetWorkspaceContext() WorkspaceContext {
 			Name:        cmd.Name,
 			Description: cmd.Usage,
 			Steps:       collectSteps(cmd.Tasks),
+			Agent:       resolveAgent(cmd),
 		})
 	}
 	return wc