Files
stack/docs/fleet/reference/role-classes.md
Jarvis 9233019cff feat(fleet): add shared role semantics
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-14 17:14:05 -05:00

3.0 KiB

Fleet Role Classes and Authority

A fleet role class is a machine identity resolved from the persona library. Resolution uses the canonical class before consulting the baseline fleet/roles/ and operator fleet/roles.local/ layers. A readable role contract is required; an index entry alone is not semantic success.

Canonicalization

Only these legacy class aliases are recognized:

Requested class Canonical class
implementer code
reviewer review
operator-interaction interaction

No other alias is inferred. In particular, worker, analyst, and canary are custom classes only when an operator supplies a readable contract for that exact class. Tess and Ultron are instance names, not classes. agents[].alias is display-only and cannot grant authority.

Canonicalization happens before role lookup. For example, requesting implementer resolves code.md; a separate roles.local/implementer.md cannot redefine the legacy alias. A canonical roles.local/code.md still overrides the baseline roles/code.md contract.

Protected authority

Protected authority is immutable metadata derived only from canonical class. Role prose, instance name, display alias, tool policy, runtime, and custom role files cannot grant it.

Canonical class Granted authority Explicit limits
merge-gate Sole approve-to-land and merge authority No authority is inferred by similarly named custom roles or policies.
validator May issue a validation certificate Cannot approve-to-land or merge.
orchestrator May orchestrate, manage topology, and issue leases Cannot approve-to-land or merge.
team-leader May use orchestrator-leased capacity Cannot issue leases or mutate roster, configuration, credentials, or merge state.
interaction Request and status surface Cannot orchestrate, issue leases, mutate roster/configuration, or merge.
all other classes No protected authority implicitly Custom contracts do not acquire protected powers from prose.

Roster-v2 semantic validation requires a protected class and its canonical tool policy to match. It also rejects an unprotected class paired with a protected tool policy. The legacy tool-policy name operator-interaction canonicalizes to interaction.

This mapping describes authority metadata only. Lease issuance, validation-certificate storage or workflow, lifecycle reconciliation, credentials, roster mutation, and merge execution are outside this resolver contract.