The eight primitives
Covenant exposes a fixed vocabulary of eight primitives. They cover everything an agent stack needs to share a computer with a human, with another agent, and with itself across time. Every higher-level concept in the system is composed from these eight.
Intent
A natural-language request, addressed to the daemon. Intents are the entry point into the rest of the system. Every interaction between a human and an agent — and most interactions between agents — is mediated by an intent.
Stable UUID, issuer (an AgentId), issuing timestamp, priority, optional parent. Routed by the router via keyword overlap; falls back to a deterministic echo response when no agent matches.
Runtime
The mechanism for actually executing an agent. Today the runtime spawns each agent as a child process and shuttles JSON over stdin/stdout under a wall-clock budget. The trait is small and designed to back stricter isolation — gVisor, Firecracker — without changing the dispatch contract.
Agents declare their runtime in agent.toml: rust-bin, python3, or node. Per-task budgets cover CPU time, memory, disk, and a network policy (off, outbound-https-only, full).
Memory
A three-tier semantic store with cosine-similarity search over embedded vectors. Tiers are working (per-task scratch), episodic (task-grained, durable), and long-term (intentionally retained context).
SQLite-backed for production, in-memory for tests. Each record carries a UUID, a tier, an owner, the result text, an embedding vector, free-form JSON metadata, a creation timestamp, and an optional parent. Search is cosine over stored vectors, scoped by tier or unioned across all tiers.
See Memory tiers.
Identity
A single ed25519 keypair per Covenant install. The same key signs capability grants, signs Solana settlement transactions, and fronts the daemon's issuer field on audit events and memory records. Persisted as a raw 32-byte seed at $COVENANT_HOME/identity/local.key, mode 0600.
There is no second key system. See Identity and keys.
Permissions
Capability tokens. Each token names an action (a dotted string from a reserved namespace such as tool.web_search, memory.write, tool.call.<name>) and optionally a scope constraint expressed as JSON. Tokens are signed by the granter with ed25519 over a deterministic byte encoding of the fields, so they are independently verifiable.
Granted tokens are appended to a JSONL log; revocations are appended to a separate JSONL log as tombstones; the active set is the granted set with revocations subtracted. Capability checks are enforced at dispatch and audited regardless of outcome.
See Capability tokens.
Comms
How agents and clients talk to the daemon, to each other, and to external tooling. Three transports today:
- Local IPC — length-prefixed JSON over a Unix socket. The CLI uses this. Documented in Local IPC.
- HTTP gateway — JSON over HTTP on
127.0.0.1:8421. Same surface as the IPC, for browser-facing UIs. Documented in HTTP API. - MCP and A2A adapters — protocol-grade surfaces for tool integration and agent-to-agent traffic. Documented in MCP integration and Agent-to-agent.
Compositor
Whatever the operator uses to drive Covenant. The CLI today, a web UI alongside, a TUI later, and an optional Wayland compositor in the longer term. Compositors are clients of the daemon — they speak Local IPC or HTTP and own no state of their own beyond the user's preferences.
Settlement
How resource consumption is accounted for. Every memory write, every tool call, and (eventually) every external compute or token spent produces a SettlementReceipt. Receipts accumulate locally in JSONL and are batched and flushed to the on-chain program; once flushed, the on-chain signature populates and the receipt is reconcilable from chain state alone.
See Settlement.
Why these eight
Every primitive was selected because it is something every non-trivial agent stack needs and currently re-implements badly. The set is intentionally complete: an agent that uses all eight primitives can run alongside a different agent using all eight, on the same machine, without either knowing about the other, and the operator can audit and pay for both.