Check the environment
Run diagnostics for the current workspace. JSON mode is suitable for automation.
Terminal
$ jeden doctor --cwd .
$ jeden doctor --json --cwd .
Inspect the capability registry
Confirm which tools, commands, views, services, plugins, and MCP servers are healthy.
Terminal
$ jeden capabilities --json --cwd .
Configure a managed route
Operator-managed installations provide these values without putting them in project files. A direct deployment requires the following runtime environment:
Environment
BRAMA_URL=<brama-url>
WISENT_APP_AGENT_ID=wisent-app
WISENT_APP_AGENT_AUTH_SECRET=<signing-credential>
ENTITLEMENTS_ROUTER_BIN optionally overrides the executable used by authentication status and reauthorization commands.
Run the first task
Interactive
$ jeden --cwd ../content-platform
One shot
$ jeden run "summarize package.json" --cwd .
$ jeden run "create notes.txt" --cwd . --allow-write
The second command exposes write-capable tools but does not bypass the configured approval mode. Use --yolo or --auto-approve only in an already isolated environment.
Add project context
Create a JEDEN.md or AGENTS.md in the repository. Jeden discovers context from the project ancestor down to --cwd. Keep requirements concrete: commands, boundaries, architecture, and verification rules.
Core
CLI reference
The same runtime serves interactive terminal sessions, one-shot automation, RPC, ACP, and mutually authenticated headless clients.
Global invocation
Usage
jeden [--cwd path] [--model name] [--max-tokens n]
[--allow-write] [--allow-command]
[--yolo|--auto-approve] [--max-steps n]
| Flag | Meaning |
| --cwd path | Set the workspace root and filesystem jail for the run. |
| --model name | Select the model route for this invocation. |
| --max-tokens n | Bound model output tokens for each request. |
| --max-steps n | Bound the number of model/tool loop iterations. |
| --allow-write | Expose write-capable tools to the model. |
| --allow-command | Expose command and process execution tools. |
| --yolo, --auto-approve | Approve allowed effects without interactive confirmation. Use only inside a trusted isolation boundary. |
Session and runtime commands
| Command | Purpose |
| jeden sessions [limit] | List recent durable sessions. |
| jeden show <session> | Inspect a session by ID or path. |
| jeden export <session> [output] | Export a complete session document. |
| jeden artifacts <session> | List artifacts retained by a session. |
| jeden artifact <session> <name> [output] | Recover one artifact. |
| jeden config … | List, locate, read, set, or reset native configuration. |
| jeden doctor [--json] | Diagnose the current environment. |
| jeden conformance [--json] | Evaluate runtime conformance contracts. |
| jeden capabilities [--json] | Read the versioned capability and health registry. |
Interactive slash commands
Entering a management command without arguments opens a native searchable view where one exists. Direct arguments remain available for automation.
/model/tools/approval/mcp/plugins/marketplace/browser/plan/goal/loop/todo/roadmap/memory/jobs/collab/export/compact/handoff/resume
Picker controls
| Type | Filter labels, details, and status badges. |
| ↑ / ↓ | Move the active row. |
| Home / End / Page Up / Page Down | Jump through results. |
| Ctrl-U | Clear the filter. |
| Enter | Execute the selected action. |
| Esc | Close the current view. |
Destructive rows open a confirmation view with Cancel selected by default. When standard input is not a terminal, interactive views render deterministic text lists.
Core
Models & routing
Model selection is separate from policy and execution. Jeden signs OpenAI-compatible requests to Brama and records the route, usage, and billing decision in the session.
Selection precedence
- The invocation’s
--model value. - The
JEDEN_MODEL environment variable. - The model selected through native configuration or
/model. - The operator-provided default route.
Examples
$ jeden --model claude-code-subscription
$ jeden run "review this diff" --model <route>
/model
/model <route>
Authentication ownership
/login [provider] and /logout [provider] inspect or delegate to the entitlement owner. Jeden does not reimplement provider login inside the model loop. /settings shows provider and entitlement state without returning credentials.
Subscription routing
Weles owns subscription state and payment policy. Jeden discovers active subscriptions and quota snapshots, freezes a deterministic order for each logical request, and sends the selected billing target to Brama.
- Request, idempotency, and decision identities remain stable across attempts.
- Typed quota exhaustion places a target into a durable
Retry-After-bounded cooldown. - Failover never occurs after model output becomes visible.
- Served account, subscription, quota bucket, and decision ID are retained in usage and audit events.
Payment boundaryJeden never accepts or stores card numbers, CVC/CVV values, processor tokens, or billing addresses. Payment setup opens a Weles-hosted HTTPS flow.
Usage controls
Interactive
/usage
/usage show
/usage reset
/subscriptions list
/subscriptions status
Core
Configuration
Jeden combines operator environment, user preferences, project settings, and discovered instructions without blurring their precedence.
Precedence
- Environment variables win over file configuration.
- Project config at
<cwd>/.jeden/config.json overrides user config. - User config loads from
~/.jeden/config.json and ~/.jeden/config.yml. - Built-in defaults apply when no value is supplied.
Configuration commands
$ jeden config list --json --cwd .
$ jeden config path --cwd .
$ jeden config get tools.approvalMode
$ jeden config set tools.approvalMode write
$ jeden config reset tools.approvalMode
Native settings
| Key | Default and purpose |
| tools.approvalMode | always-ask. Allowed values: always-ask, write, yolo. |
| commands.enableClaudeUser | true. Load commands from ~/.claude/commands. |
| commands.enableClaudeProject | true. Load commands from .claude/commands. |
| commands.enableOpencodeUser | true. Load commands from ~/.config/opencode/commands. |
| commands.enableOpencodeProject | true. Load commands from .opencode/commands. |
| startup.showSplash | false. Show the startup animation. |
| startup.quiet | false. Suppress startup chrome. |
| context.maxBytes | 131072. Maximum UTF-8 bytes loaded from discovered context. |
| context.maxTokens | 32768. Approximate context token budget. |
| rules.alwaysApply | []. Sticky typed rules injected whenever the system prompt is rebuilt. |
| secrets.mode | redact. Choose redact or obfuscate for known model-bound secrets. |
| secrets.minLength | 8. Minimum automatically discovered environment-secret length. |
| secrets.discoverEnvironment | true. Protect secret-named environment values. |
Discovered context
User context loads from ~/.jeden/instructions.md and ~/.jeden/context.md. Project discovery walks ancestors down to --cwd and reads:
JEDEN.mdAGENTS.mdCLAUDE.mdRULES.md.jeden/instructions.md.jeden/context.md
A context line such as @./extra.md imports another file under the same context root. Imports remain within that root; oversized files are skipped.
Core
Tools
Jeden exposes typed tools through one capability registry. Every tool has a source, version, health state, policy classification, input schema, output schema, and handler identity.
Terminal
$ jeden capabilities --json --cwd .
$ jeden tools --cwd .
/tools
The registry distinguishes executable healthy capabilities from planned or unavailable descriptors. Do not infer availability from a name alone; inspect health.state and ui.executable.
| Family | Examples |
| Read | Directories, bounded text, binary files, images, documents, archives, notebooks, SQLite, URLs, and artifacts. |
| Search | Literal search, regex grep, globs, AST search, Git history, GitHub issues, and pull requests. |
| Write | Revision-guarded files, patches, anchored edits, archive entries, notebooks, SQLite rows, moves, and deletes. |
| Process | Package scripts, bounded commands, background processes, PTY sessions, Node evaluation, and Python evaluation. |
| Browser | Tabs, actions, extraction, screenshots, and browser state. |
| Agent state | Todos, memory, artifacts, conversation recall, user questions, and delegation. |
| Integrations | MCP tools/resources/prompts, language intelligence, debugging, SSH, collaboration, and custom project tools. |
Prefer narrow selectors to unbounded output. Text reads support line ranges, comma-separated ranges, raw content, and unresolved conflict views.
Selector examples
src/server.ts:80-140
src/server.ts:10-20,90-110
src/server.ts:raw
src/server.ts:conflicts
artifact://tool-output:1-120
database.sqlite:users:42
Existing text files return a digest and snapshot tag when read. A mutation must identify the state it intends to replace. If another actor changes the file first, the write fails instead of overwriting newer work.
write_file and apply_patch require the expected SHA-256 for existing files.- The unified writer uses revision guards for files, archives, notebooks, and SQLite.
- Anchored edits use a snapshot
path#TAG plus exact visible line anchors. - Mutations return native diffs and previews.
Two gates--allow-write or --allow-command makes a tool available. Approval policy still decides whether each proposed effect may execute.
State
Sessions & artifacts
A session is the durable record behind an answer: messages, tool calls, results, approvals, usage, artifacts, checkpoints, attachments, and lineage.
Storage
Session transcripts and artifacts live under ~/.jeden/sessions/. Oversized tool results are persisted as artifacts and replaced in the model loop with compact references.
Inspect and recover
Terminal
$ jeden sessions 20
$ jeden show <session>
$ jeden export <session> output.json
$ jeden artifacts <session>
$ jeden artifact <session> <name> output.bin
$ jeden resume <session> "continue"
Resuming starts a fresh session seeded with selected history; it does not append destructively to the original record.
Interactive lineage
/resume <session>/fork/branch <title>/tree/rename/drop/move <dir>
Checkpoints and rewind
Interactive
/checkpoint before-refactor
/checkpoint list
/rewind <checkpoint-event-id>
A checkpoint records the exact model-visible context. Rewind appends a new active lineage without deleting the abandoned history.
Attachments
Interactive
/attach path/to/context.txt
/attachments
/detach <id|all>
The attachment tray accepts bounded workspace-jailed text and PNG, JPEG, GIF, or WebP inputs for the next submitted turn.
State
Memory
Jeden’s durable memory is a local SQLite/FTS index with explicit retrieval and maintenance operations. It is separate from the immutable session transcript.
Storage and overrides
The default database is ~/.jeden/memory.sqlite3. Set JEDEN_MEMORY_DB to select another database. The legacy JEDEN_MEMORY_FILE remains an input-path override.
Operations
Interactive
/memory stats
/memory view
/memory enqueue
/memory queue
/memory queue run
/memory queue drain
/memory rebuild
/memory clear
| enqueue | Add a durable maintenance or ingestion item. |
| queue | Inspect queued memory work. |
| queue run | Process one bounded queue step. |
| queue drain | Process the durable queue until empty. |
| rebuild | Rebuild the SQLite FTS index from durable records. |
| clear | Destructive reset; requires confirmation. |
What memory is not
- It is not a substitute for project instructions or source-controlled context.
- It does not erase or rewrite the session ledger.
- Retrieved content remains subject to the current prompt budget and policy.
- Maintenance commands do not silently grant tool authority.
State
Roadmap registry
A repository can carry a typed, versioned roadmap that the agent and team mutate through the same atomic contract.
Canonical files
roadmap/roadmap.yaml is canonical. roadmap/schema/roadmap-v1.schema.json defines the machine contract. Human views are deterministic generated outputs.
Mutation guarantees
- Every operation uses a stable sibling lock.
expectedRevision detects concurrent updates.- Writes use a same-directory temporary file, flush, fsync, atomic rename, and parent-directory fsync.
- Dependencies must resolve and remain acyclic.
passed requires evidence; external_blocked requires an external prerequisite.
Core commands
Terminal
$ jeden roadmap list --status planned --priority P1 --json
$ jeden roadmap show JED-024 --json
$ jeden roadmap graph --json
$ jeden roadmap check --json
$ jeden roadmap render
$ jeden roadmap work JED-024 --cwd .
State transitions
backlogplannedin_progressimplementednot_runfailedexternal_blockedpasseddropped
roadmap work sets the active goal and plan, creates todos from acceptance criteria, records a start event in the current session, and pins subsequent artifacts and branches to the roadmap item.
Integrate
Model Context Protocol
Jeden maintains bounded persistent MCP connections and exposes server tools, resources, prompts, notifications, and health through native commands.
Configuration
User servers load from ~/.jeden/mcp.json. Project servers load from <cwd>/.jeden/mcp.json. Both use the standard mcpServers shape.
.jeden/mcp.json
{
"mcpServers": {
"example": {
"command": "/absolute/path/to/server",
"args": ["--stdio"]
}
}
}
Operate servers
Interactive
/mcp
/mcp list
/mcp tools
/mcp resources
/mcp prompts
/mcp notifications
/mcp test
/mcp reload
/mcp reconnect
Generic MCP tools can list and call every configured server. Eligible tools may also be projected into the native registry as mcp__<server>__<tool>. Names remain unique and capability health reflects the current server connection.
Same policyMCP does not bypass Jeden policy. A server tool is still subject to the active approval mode, hooks, capability health, and workspace contract.
Start
Installation & updates
Jeden is distributed as a signed private-preview release. Treat the binary, its trust roots, and its release evidence as one unit.
Requirements
- A supported signed artifact supplied through the Wisent preview channel.
- Access to the model and entitlement endpoints selected by your operator.
- A writable home directory for configuration, sessions, memory, plugins, and update state.
Verify an installation
Terminal
$ jeden --version
$ jeden doctor --json --cwd .
$ jeden conformance --json --cwd .
Do not infer health from a successful process launch. Diagnostics confirm storage, policy, providers, capability registration, and workspace-specific dependencies.
Update and rebuild
/update enters the signed update flow. /rebuild rebuilds the local checkout and resumes the active session. Stable promotion remains operator-controlled; canary identities include the CI run, attempt, and tested commit.
Fail closedA release without a valid signature, configured trust root, or immutable evidence must not be installed as a trusted Jeden build.
Start
Using Jeden
A reliable run has four explicit inputs: workspace, objective, authority, and verification.
Choose the workspace
--cwd establishes the project root used by context discovery and workspace-jailed tools. Start Jeden at the narrowest directory that contains the task.
State the observable outcome
Name the behavior to change, constraints that must remain true, and the command or scenario that proves completion. Put durable project rules in JEDEN.md or AGENTS.md; keep one-off instructions in the prompt.
Grant only required authority
| Read-only | Default; suitable for inspection, explanation, and planning. |
--allow-write | Expose guarded file and structured-data mutations. |
--allow-command | Expose shell, process, package, and evaluation operations. |
--auto-approve | Skip eligible prompts only inside an independently trusted isolation boundary. |
Review the evidence
Read the final answer together with the session’s tool results, artifacts, usage, and approval events. A confident statement is not a substitute for an executed verification path.
Start
Interactive terminal
Running jeden opens the native terminal interface: conversation, composer, status line, searchable management views, approvals, and streamed tool state.
Launch
Terminal
$ jeden --cwd .
$ jeden --cwd . --model <route> --allow-write
Composer
Enter submits a prompt; the attachment tray supplies bounded text or image inputs to the next turn. Slash commands act on runtime state without being sent as ordinary user prose.
Native views
Authentication, models, settings, approvals, sessions, todos, modes, tools, MCP, SSH, usage, memory, browser state, collaboration, jobs, extensions, plugins, and marketplaces expose searchable pickers. A selected row dispatches the same validated command available by direct entry.
Confirmations
Destructive views open with Cancel selected. Non-interactive standard input renders deterministic text instead of waiting for terminal controls.
Operate
One-shot runs
jeden run executes one objective without opening the long-lived interactive terminal.
Usage
Terminal
$ jeden run "summarize the API surface" --cwd .
$ jeden run "update the version" --cwd . --allow-write
$ jeden run "inspect failures" --cwd . --json
Bounds
--max-steps limits model/tool iterations and --max-tokens bounds each model response. The workspace, model, write exposure, command exposure, and approval flags have the same meaning as interactive mode.
Model-only mode
--model-only suppresses tool execution for tasks that must produce an answer solely from supplied context. It is not a substitute for filesystem isolation when sensitive data is present.
Automation contract
Use --json when another program consumes the result. Inspect the terminal status and retained session rather than treating process success as proof that a requested code change passed verification.
Operate
Run modes
Modes alter how Jeden organizes work; they do not silently grant filesystem, command, or network authority.
Plan mode
/plan on makes the active plan explicit. /plan-review opens review of the current plan. Use it for multi-step work where dependencies and acceptance criteria matter.
Goal and loop
/goal set records the outcome carried across turns. /loop on enables continuation while open work remains; /goal done or /goal drop closes it.
Fast and advisor
/fast selects the latency-oriented operating profile. /advisor selects an advisory posture. The active model route, policy, and capability registry remain independently inspectable.
Interactive
/plan status
/goal set Stabilize the import path
/loop status
/fast
/advisor
Operate
Slash commands
Slash commands control the local harness. They are parsed before ordinary prompts and are not treated as model-authored tool requests.
Accounts and models
/login/logout/refresh/settings/model/billing/subscriptions/usage
Work and state
/plan/goal/loop/todo/roadmap/jobs/memory/context
Session lifecycle
/new/branch/fork/tree/checkpoint/rewind/compact/handoff/resume/export
Runtime and extensions
/approval/tools/browser/mcp/ssh/extensions/hooks/plugins/marketplace/rebuild/update
Run /help for the current registry-derived command list. Availability and exact subcommands may depend on active capabilities and operator policy.
Operate
Hotkeys & pickers
Keyboard behavior is discoverable at runtime through /hotkeys; searchable views share a consistent control model.
Picker controls
| Type | Filter labels, details, and status text. |
| ↑ / ↓ | Move the active row. |
| Home / End | Jump to the first or last row. |
| Page Up / Page Down | Move by a viewport. |
| Ctrl-U | Clear the current filter. |
| Enter | Dispatch the selected validated action. |
| Esc | Close the view without applying an action. |
Safety behavior
Rows that mutate or delete state route through a confirmation view. Cancellation is the initial selection. Filtering a list never executes a row.
Current bindings
Use /hotkeys rather than relying on a hard-coded copy when terminal integrations or active extensions can alter available actions.
Operate
Approvals
Exposure determines what the model can propose. Approval determines which exposed effects may execute.
Modes
always-ask | Prompt before every effect classified as approval-required. |
write | Permit configured write behavior while retaining stronger command boundaries. |
yolo | Automatically approve exposed capabilities; safe only inside an external sandbox you trust. |
Inspect and change
Interactive
/approval status
/approval mode
/approval set write
/approval reset
The persistent default is tools.approvalMode. Invocation flags may select a run-specific posture without editing project configuration.
Decision order
- Capability must be healthy and exposed.
- Input must satisfy schema and workspace policy.
- Pre-tool hooks may narrow or block the call.
- Approval policy decides whether operator confirmation is required.
- The result and decision are appended to the session.
Models & policy
Authentication
Jeden does not embed provider credentials into prompts or duplicate provider login logic. Authentication is delegated to the configured entitlement owner.
Inspect status
Interactive
/settings
/login
/login <provider>
Status views report provider and entitlement state in redacted form. They do not print tokens, cookies, or stored credentials.
Lifecycle
Interactive
/login <provider>
/refresh <provider>
/logout <provider>
The entitlement router owns whether a provider supports native login, a browser handoff, a device flow, or operator-managed credentials.
Operator configuration
ENTITLEMENTS_ROUTER_BIN overrides the executable used by authentication operations. The binary boundary allows Jeden to inspect and request actions without taking ownership of secret storage.
Models & policy
Billing & usage
Weles owns subscriptions and payment policy. Jeden records model usage and selects only eligible billing targets returned by that control plane.
Payment boundary
/payment-method setup --account <id> opens a Weles-hosted HTTPS setup flow. Jeden never accepts or stores card numbers, CVC/CVV values, processor tokens, billing addresses, or payment credentials.
Purchase policy
Interactive
/billing policy get
/billing policy set … --approve
/billing policy reset
/subscriptions list
/subscriptions status
Automatic purchase and renewal remain disabled until an explicit revision-pinned policy is enabled. Financial mutations require caller idempotency and are checked against pinned policy and quote revisions.
Quota and failover
For each logical model request, Jeden freezes an eligible subscription order. Typed quota exhaustion moves a target into a durable Retry-After-bounded cooldown. Failover does not occur after output becomes visible.
Usage ledger
/usage show reports token and cost accounting; /usage reset resets the local view. The served account, subscription, quota bucket, and route decision remain attached to session audit data.
Models & policy
Environment variables
Environment values override file configuration. Supply secrets through the operator’s secret store, not through source-controlled files.
Model routing
BRAMA_URL | OpenAI-compatible Wisent model gateway. |
WISENT_APP_AGENT_ID | Application identity used for signed requests. |
WISENT_APP_AGENT_AUTH_SECRET | Signing credential; must remain outside project files. |
JEDEN_MODEL | Default model route when no invocation override is supplied. |
Control planes
ENTITLEMENTS_ROUTER_BIN | Authentication and provider lifecycle executable override. |
WELES_URL | Subscription and policy service endpoint. |
WELES_TOKEN | Weles service credential. |
Storage
JEDEN_MEMORY_DB | SQLite/FTS memory database path. |
JEDEN_MEMORY_FILE | Legacy memory input-path override. |
Inspect safely
jeden doctor --json reports whether required values are configured without printing their contents. Secret discovery protects values from secret-named environment variables before model-bound text is built.
Models & policy
Context & rules
Context is explicit project guidance loaded before the user task. It is distinct from memory, conversation history, and tool output.
Discovery
User sources are ~/.jeden/instructions.md and ~/.jeden/context.md. Project discovery walks from the project ancestor down to --cwd and reads JEDEN.md, AGENTS.md, CLAUDE.md, RULES.md, .jeden/instructions.md, and .jeden/context.md.
Imports
A line such as @./extra.md imports a file below the same context root. Absolute escapes and parent traversal outside that root are rejected. Oversized files are skipped rather than silently truncated into misleading rules.
Budgets
context.maxBytes | Default 131072 UTF-8 bytes across discovered sources. |
context.maxTokens | Default approximate budget of 32768 tokens. |
rules.alwaysApply | Typed sticky rules injected whenever the system prompt is rebuilt. |
Inspect active context
Use /context to inspect the sources selected for the current workspace. Keep build commands, architectural boundaries, and verification requirements source-controlled; keep credentials out.
Models & policy
Secrets
Secret protection reduces accidental exposure to a model. It does not turn source files, prompts, or transcripts into a secret store.
Settings
secrets.mode | redact replaces values; obfuscate preserves reversible placeholders inside the local runtime. |
secrets.minLength | Minimum discovered value length; default 8. |
secrets.discoverEnvironment | Protect values from secret-named environment variables; default true. |
Boundary
- Never commit credentials to project configuration or context files.
- Do not paste private keys, session cookies, or access tokens into prompts.
- Use the platform secret store for operator and control-plane credentials.
- Review exported sessions before sharing them outside the trusted boundary.
Limitations
Automatic discovery depends on known values and secret-like names. It cannot reliably classify every sensitive business value. Workspace and network isolation remain necessary for high-risk data.
Tools
Capability registry
The registry is the source of truth for what this process can expose and execute. UI lists and protocol surfaces are projections, not independent feature declarations.
Inspect
Terminal
$ jeden capabilities --json --cwd .
$ jeden doctor --json --cwd .
$ jeden conformance --json --cwd .
Descriptor contract
Each descriptor identifies its stable ID, kind, source, version, operations, provenance, dependencies, health, policy, UI affordance, target, schemas, handler, grants, generation, and health evidence.
Availability
A visible label is not enough. A callable capability must have a healthy state, executable UI projection, registered handler, compatible schema, and effective grant. In-flight operations pin the generation they began with.
Kinds
toolslash-commandviewservicemcp
Tools
Files & structured data
Filesystem and structured-data tools share workspace jails, bounded output, and stale-state protection.
Read families
read routes text selectors, binary files, images, archives, documents, notebooks, SQLite rows, artifacts, MCP resources, and HTTP(S) content. Narrow operations remain available as read_file, read_image, read_archive, read_document, and read_sqlite.
Discovery and search
list_dirglob_pathssearch_textsearch_filesgrep_regexast_search
Discover paths before reading unknown files. Prefer bounded selectors and native search over shell traversal.
Mutations
write, write_file, archive and SQLite writers, patches, anchored edits, moves, and deletes require write exposure. Existing state is guarded by a digest or snapshot tag so concurrent changes fail instead of being overwritten.
Addressing
Selectors
src/lib.rs:40-90
src/lib.rs:raw
archive.zip:path/in/archive
state.sqlite:jobs:42
artifact://large-output:1-120
Tools
Processes & evaluation
Process tools require command exposure and remain subject to approval, cancellation, deadlines, output limits, and session evidence.
Choose the narrowest operation
run_command | Execute a shell command when shell semantics are required. |
run_process | Execute an argv array without shell parsing. |
run_package_script | Run a declared package script after discovery. |
node_eval / python_eval | Use managed language runtimes for computed inspection. |
Long-lived and interactive work
pty_session and pty_resize manage terminal processes that need later input. Background jobs must remain addressable by a stable handle; do not orphan servers or watchers.
Output and cancellation
Large output spills to an artifact reference. Cancellation applies to the tracked process tree, not just a parent PID. Timeouts and terminal status are retained in the session.
VerificationFor behavioral changes, run the actual changed path. A successful compiler invocation proves compilation, not user-visible behavior.
Tools
Git & GitHub
Jeden separates read-only repository inspection from mutations that publish or rewrite shared state.
Local Git
git_statusgit_diffgit_loggit_showgit_worktreegit_guarded_push
Use typed history and diff tools before shelling out. Guarded push requires explicit authority and verifies the intended repository state.
github_issuegithub_prgithub_searchgithub_actions
Issue and pull-request tools operate on typed repository resources. Search locates code and discussions; Actions inspection exposes workflow state without conflating it with local process output.
Shared-state rule
Do not overwrite unexpected local changes or rewrite a branch you do not own. Read current status and references immediately before any shared-state mutation.
Tools
Code intelligence
Structured code tools reason about syntax and runtime state instead of treating source as undifferentiated text.
AST search and rewrite
ast_search finds syntax-shaped matches with metavariables. ast_rewrite applies one-language structural transformations where text replacement would confuse shadowing, formatting, or nested syntax.
Debug sessions
debug_session owns debugger lifecycle. debug_request performs breakpoints, stepping, stack inspection, scopes, variables, evaluation, and supported memory operations through the active adapter.
Choose by invariant
| Exact prose or literal | Use bounded text search. |
| Language construct | Use AST search or rewrite. |
| Exported symbol | Use the available semantic language-service capability and inspect references before rename. |
| Runtime value or control flow | Use a debugger session. |
Tools
Browser & web
Use direct fetch for static content and browser automation only when navigation, JavaScript, authentication, or interaction requires a real page.
HTTP reads
fetch_url returns the requested response. fetch_readable_url extracts bounded reader-oriented content. Network output remains subject to size limits and artifact spill.
Tabs and actions
browser_tabbrowser_actionbrowser_screenshot
Tabs have stable handles. Actions navigate, observe, select, click, type, scroll, extract, and wait against the current document state. Navigation invalidates stale element references.
Visible and headless
Interactive
/browser status
/browser headless
/browser visible
Visible mode is appropriate when an operator must observe or complete an authentication step. Screenshots verify appearance; accessibility or DOM extraction verifies structure and state.
Tools
Images, audio & documents
Media tools preserve the distinction between visual inspection, generated assets, document extraction, and audio output.
read_imageimage_inspectimage_generateimage_editbrowser_screenshot
Inspection grounds claims about an existing image. Generation creates a new asset from an explicit subject and composition. Editing requires an input image and named changes.
read_document extracts supported office, PDF, and notebook content. read_archive addresses members without unpacking an entire archive into the workspace.
tts produces speech output where enabled. Generated media is retained as a file or session artifact rather than inlining unbounded binary data into the model loop.
The terminal attachment tray accepts bounded workspace-jailed text plus PNG, JPEG, GIF, and WebP files for the next submitted turn.
Tools
Tasks & delegation
Coordination tools turn multi-step work into explicit state without transferring authority implicitly.
Todos
todo and /todo track named tasks and completion state. A todo records intent; it is not evidence that implementation or verification happened.
Operator decisions
ask_user requests input only when materially different choices require the operator. Questions and answers remain in the session lineage.
Subagents
delegate_task assigns a self-contained slice to an available agent. Use /agents to inspect the current roster and capability state. Delegated work returns evidence and artifacts to the parent session.
Authority
A delegate receives only the grants, workspace, and interfaces provided by the parent runtime. It does not inherit external credentials or approval bypass merely because the parent requested work.
Tools
SSH & remote work
Remote work is a separate authority boundary. Host identity, authentication, path scope, and command exposure must all be explicit.
ssh_readssh_searchssh_writessh_exec
Read and search operations inspect configured hosts. Writes and command execution require the corresponding local capability exposure and approval.
Connections
/ssh opens the native SSH configuration and status view. It reports available connection identities without printing private key material.
Host identity
Use pinned known-hosts data for unattended work. Do not disable host-key verification to make an automation path pass. Scope remote identities to the exact command or filesystem surface they need.
Evidence
Remote requests, terminal status, bounded output, and artifacts remain attached to the local session. A remote mutation should be followed by a remote read or service-level smoke check.
State
Session tree
Conversation history is a graph of durable lineage, not one mutable transcript.
Lineage operations
/new, /fresh | Start a new root from the current workspace. |
/branch <title> | Create named child work from the active context. |
/fork | Fork the active lineage without rewriting its parent. |
/resume <session> | Start a fresh session seeded from selected history. |
/tree | Inspect lineage and active branch. |
/rename changes a session label. /move <dir> changes its organizational location. /drop removes the active session from the normal working set through a confirmed operation.
Invariant
Branching, resume, and rewind append new lineage. They do not edit prior model messages, tool results, approvals, or usage events in place.
State
Checkpoints & rewind
Checkpoints name a recoverable context boundary inside a durable session.
Create and inspect
Interactive
/checkpoint before-refactor
/checkpoint list
The checkpoint event records the exact model-visible context, not merely a human label or source-control commit.
Rewind
Interactive
/rewind <checkpoint-event-id>
Rewind appends a new active lineage from the selected checkpoint. The abandoned continuation remains available for audit and comparison.
Source files
A session rewind does not automatically revert the workspace. Use Git or guarded file mutations when source state must also move back, and verify that the chosen source revision matches the checkpoint’s assumptions.
State
Compaction & handoff
Long sessions need bounded model context without discarding the durable event history.
Compaction
Interactive
/compact
/compact focus on the failing import path
Compaction summarizes the active model context. The original messages and tool events remain in the session ledger.
Handoff
Interactive
/handoff
/handoff focus on release verification
A handoff packages current state, decisions, unresolved work, and evidence so another continuation can resume with a bounded focus.
Choose correctly
| Continue same objective, context too large | Compact. |
| Transfer work or start a focused continuation | Handoff. |
| Explore an alternative without abandoning current work | Branch or fork. |
| Return to a precise earlier context | Checkpoint and rewind. |
State
Artifacts & attachments
Artifacts are durable session outputs. Attachments are bounded inputs consumed by a prompt.
Artifact recovery
Terminal
$ jeden artifacts <session>
$ jeden artifact <session> <name> output.bin
$ jeden export <session> output.json
Oversized tool results spill to the artifact store and are represented in model context by bounded artifact:// references.
Attachment tray
Interactive
/attach path/to/context.txt
/attachments
/detach <id|all>
Accepted inputs are bounded workspace-jailed text and supported PNG, JPEG, GIF, or WebP images.
Export and share
/export produces JSON or text session output. /dump renders diagnostic session content. /share creates the configured sharing representation. Review secrets and proprietary data before moving any export outside the trust boundary.
State
Collaboration & jobs
Collaboration synchronizes explicit session state. Jobs expose tracked work that outlives a single foreground tool call.
Collaboration lifecycle
Interactive
/collab status
/collab start
/collab share
/collab sync
/join <relay-file-url-or-path>
/leave
/collab stop
A relay reference conveys connection information, not blanket local tool authority. Joined peers remain represented as session events.
Jobs
/jobs opens the native tracked-job view. Use it to inspect ownership, state, progress, terminal outcome, and retained output instead of searching for unverified process IDs.
Failure behavior
Disconnects do not rewrite prior collaboration events. A stopped or failed job retains its outcome; restarting work creates a new attempt or explicit continuation.
Extend
Custom commands
File-based commands package repeatable prompts and local workflows without forking the Jeden runtime.
Locations
<cwd>/.jeden/commands/ | Project-owned commands. |
~/.jeden/commands/ | User-owned commands. |
.claude/commands, ~/.claude/commands | Compatibility sources controlled by native settings. |
.opencode/commands, ~/.config/opencode/commands | Compatibility sources controlled by native settings. |
Compatibility settings
commands.enableClaudeUser, commands.enableClaudeProject, commands.enableOpencodeUser, and commands.enableOpencodeProject enable their corresponding loaders. All default to true.
Discovery
Use /help to inspect active commands and /extensions to inspect extension sources. Names must not silently shadow a native command with a different authority contract.
Extend
Hooks
Hooks run at documented lifecycle boundaries and return bounded decisions to the same policy engine used by native operations.
Events
user-promptpre-toolpost-toolsession-startstop
Allowed decisions
A hook may add context, replace documented input fields, or block an operation. A hook cannot grant a capability that is absent, unhealthy, outside the workspace jail, or forbidden by operator policy.
Operate
/hooks inspects active hook sources and status. Hook output should be deterministic, bounded, non-interactive, and free of secret material.
Failure contract
A required policy hook that cannot produce a valid decision must fail closed. Post-tool failures are retained as evidence and must not erase the underlying tool result.
Extend
Custom tools
Custom modules add typed operations to the capability registry without bypassing native execution policy.
User modules load from ~/.jeden/tools/; project modules load from <cwd>/.jeden/tools/. Each module exports a default factory.
The factory receives current workspace helpers and returns one tool or a list of tools. Each tool declares a unique name, description, input contract, and executable handler.
- Names cannot collide with built-in or already active tools.
- Filesystem access remains workspace-jailed.
- Write and command classifications still require exposure and approval.
- Pre-tool and post-tool hooks apply.
- Health and handler identity appear in the capability registry.
Terminal
$ jeden tools --cwd .
$ jeden capabilities --json --cwd .
Extend
Plugins & marketplaces
Marketplaces discover packages; plugins are installed and activated extension units. Their state lives under ~/.jeden/plugins/.
Marketplace operations
Interactive
/marketplace list
/marketplace discover
/marketplace installed
/marketplace add <source>
/marketplace remove <name>
/marketplace install <name>
/marketplace uninstall <name>
/marketplace upgrade <name>
Plugin state
Interactive
/plugins list
/plugins enable <name>
/plugins disable <name>
/reload-plugins
Reload creates a new capability generation. Existing operations finish against the generation they started with.
Other extension sources
/extensions lists native project and user extensions. /agents lists available agent definitions. Installed status alone does not imply executable health; inspect the capability registry after activation.
Reference
RPC & ACP
Protocol modes adapt the same session lifecycle and capability registry used by the interactive terminal.
NDJSON RPC
RPC serves newline-delimited JSON requests and events over standard input and output. Keep diagnostic logging off the protocol stream.
Agent Client Protocol
ACP exposes the runtime through the Agent Client Protocol on standard I/O for compatible editors and hosts.
Shared invariants
- Requests use the same workspace and policy gates as local sessions.
- Capabilities come from the active registry generation.
- Tool calls, approvals, usage, artifacts, and terminal outcomes are durable session events.
- Cancellation and deadlines are operation-scoped.
Reference
Headless mTLS
Headless mode exposes Jeden to authenticated clients without weakening local capability and approval policy.
Usage
Terminal
$ jeden headless <addr> \
<server-cert.pem> <server-key.pem> \
<client-ca.pem> <identity-map.json> \
[revoked-serials.txt]
Identity
The server certificate authenticates the service. The client CA authenticates client certificates. The identity map converts a certificate identity into an explicit Jeden principal; unknown identities are rejected.
Revocation
The optional serial list denies known client certificates even when their chain remains valid. Keep it readable by the service and update it atomically.
Local policy remains authoritative
Mutual TLS authenticates transport and caller. It does not grant write, command, browser, SSH, plugin, or MCP authority by itself. Those decisions remain local and auditable.
Reference
Diagnostics
Diagnostics answer why a capability is unavailable or a run is unhealthy without printing protected credentials.
Doctor
Terminal
$ jeden doctor --cwd .
$ jeden doctor --json --cwd .
Doctor evaluates workspace storage, configuration, provider prerequisites, extension sources, and runtime dependencies.
Terminal
$ jeden conformance --json --cwd .
$ jeden capabilities --json --cwd .
Conformance checks registry invariants and public contracts. Capability output supplies descriptor-level health and evidence.
Interactive status
/status/stats/settings/jobs/changelog
Report with evidence
Include the Jeden version, operating mode, affected capability ID, health state, terminal error, and smallest reproduction. Redact endpoint credentials, tokens, cookies, private keys, and session exports before sharing.
Reference
Security model
Jeden treats model output as a proposal. Authority comes from the local runtime, its operator policy, and the exact state observed before an effect.
Defense layers
Capability exposure
Read tools are available by default. Write and command families require explicit invocation flags or configuration.
Workspace jail
Filesystem tools resolve paths beneath --cwd. Context imports remain within their context root.
Approval policy
always-ask, write, or yolo determines which allowed effects still require confirmation.
Lifecycle hooks
Pre-tool hooks can inspect, narrow, replace supported inputs, or block the call.
Revision guards
Digests and snapshot tags reject stale writes rather than overwriting concurrent changes.
Durable evidence
Requests, tool calls, decisions, results, usage, and artifacts remain attached to the session.
Approval modes
| always-ask | Prompt before any effect classified as approval-required. |
| write | Grant configured write behavior while retaining stronger boundaries for command execution. |
| yolo | Automatically approve exposed tools. Only safe inside an independently trusted sandbox. |
Model-bound secrets
Known secrets are protected before text reaches the model. secrets.mode selects redaction or obfuscation. Environment discovery protects secret-named variables at or above secrets.minLength.
Do not confuse masking with storageSecret protection reduces accidental model exposure. Credentials should still come from the operator’s secret store and must not be committed to project configuration, context files, or transcripts.
Remote runtimes
jeden headless requires a server certificate, server private key, client CA, explicit identity map, and optional revoked-serial list. Mutual TLS authenticates the transport; the local tool policy still governs effects.
Reference
Action protocol
Native provider tool calls and strict JSON actions enter the same validated local execution loop. Tool schemas are derived from each input contract and sent with the model request.
Execution loop
- The model returns a native tool call or a strict JSON action.
- Jeden resolves the action against the current capability registry.
- Input schema, path jail, exposure flags, approval mode, and hooks are evaluated.
- The handler executes and returns a typed result.
- The result is appended to the session and returned to the model.
- The loop continues until a final answer or configured step limit.
Action shapes
Actions are explicit objects; prose that resembles a command does not execute. A strict action identifies the action name and its typed arguments. Selectors and mutation guards are carried as data, not inferred from surrounding text.
Conceptual action
{
"action": "read_file",
"args": {
"path": "src/server.ts:80-140"
}
}
Selectors
| :50 | Read from line 50. |
| :50-90 | Read an inclusive range. |
| :5-16,90-110 | Read several visible ranges. |
| :raw | Return verbatim content. |
| :conflicts | Return unresolved merge-conflict blocks. |
| archive.zip:path/file | Address an archive member. |
| db.sqlite:table:key | Address one SQLite row by primary key. |
| artifact://name | Address a persisted session artifact. |
Anchored edits
An anchored edit names the snapshot tag returned by the latest read, then applies tight line or block operations only to visible anchors. Every successful mutation produces a fresh snapshot; subsequent edits must re-read or use the new tag.
- SWAP replaces an exact visible line range.
- INS.PRE / INS.POST inserts without restating unchanged lines.
- DEL deletes an exact line range.
- Block operations target a complete syntax block at its opener.
- MV / REM move or remove a file under the same guarded contract.
InvariantThe edit body is final content, not a diff. Ranges describe original lines. Stale tags and unseen anchors are rejected.
Oversized results
Large tool output is persisted under the session artifact store. The model receives a compact artifact:// reference and may issue bounded follow-up reads instead of carrying the full payload in context.